Managing data & system security

Q. How do you prevent accidental introduction of malicious content by employees?
All access to the corporate network is authenticated using standard authentication mechanisms. We utilise content filtering to prevent malicious content being introduced, and we also use detection software to identify unusual patterns of inbound or outbound access.
Our system is deployed on Microsoft's Azure platform in a way that separates data from services. Azure has inbuilt protection and controls access to our systems and data. We also run regular internal vulnerability tests and address any issues found. Data is transmitted using TLS encryption and is encrypted at rest using AES-256.
Yes, BrightHR has separate policies for both information and data security.
Yes, they're based at BrightHQ in our Manchester office, United Kingdom. We also have a dedicated Application Security Developer role. Both have broad responsibility for information security, covering proactive preventative and reactive measures. Proactive measures include penetration testing, a secure development process and exploratory testing; reactive measures include the identification and resolution of vulnerabilities.
Q. Is BrightHR certified by any recognised IT security and data protection standards?
Yes. BrightHR is ISO27001 and Cyber Essentials Plus accredited, and is also PCI compliant and registered with the ICO.
Q. Are all operating systems and end user software patched to the latest standards?
All the computers used in our offices are patched automatically following assessment by our information security team. The computing infrastructure in our live estate runs on Microsoft's Azure platform as a service, so it is managed and patched by Microsoft. We use external third-party tooling to assess when any application libraries are found to have vulnerabilities.
We use standard authentication mechanisms to identify a user, and we restrict or allow access to data based on a user's role and their need to access the data in order to provide the service.
Yes, we have password complexity rules in place to make sure all our internal user passwords are as secure as possible. For systems with access to data, additional factors of authentication are required and the location of use is checked.
Yes, all access to remote services is secured, and use of these services is monitored.