Security & Compliance
Trust Center
At BrightMarbles, trust is earned through transparency, rigorous security practices, and a genuine commitment to protecting the data of our clients and their users. This page outlines how we approach security, privacy, and compliance across everything we do.
Our Security Commitments
Data Security
All data in transit is encrypted using TLS 1.2+ and data at rest is protected with AES-256 encryption. We conduct regular vulnerability assessments and penetration testing on our infrastructure.
GDPR Compliance
As a European company, GDPR compliance is central to how we operate. We maintain records of processing activities, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and appoint a dedicated data protection contact.
Secure Infrastructure
Our production systems are hosted on AWS with infrastructure concentrated in the eu-north-1 (Stockholm) region. We leverage VPC isolation, security groups, and automated monitoring to protect client environments.
Access Control
Access to client systems and sensitive data is granted on a strict least-privilege basis. We enforce multi-factor authentication (MFA), regular access reviews, and immediate revocation upon project or employment end.
Vendor Management
All third-party vendors who process personal data are vetted and bound by Data Processing Agreements (DPAs). We maintain an up-to-date sub-processor registry and review vendors at least annually.
Incident Response
We maintain a documented incident response plan with defined roles, escalation paths, and communication procedures. In the event of a personal data breach, we meet the GDPR notification deadlines: where we act as controller, we notify the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33) and inform affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34); where we act as a processor for a client, we notify that client without undue delay so they can meet their own obligations.
Secure Development
Security is integrated throughout our development lifecycle. Our engineering teams follow OWASP best practices, conduct peer code reviews, use dependency scanning tools, and apply security testing as part of CI/CD pipelines.
Employee Training
Every BrightMarbles team member completes security awareness training on joining and annually thereafter. We foster a security-first culture across all disciplines — from engineering and design to management.
Privacy Practices
Data Minimisation
We collect only the personal data that is strictly necessary for the stated purpose, and retained data is deleted or anonymised when it is no longer needed.
Transparency
We believe in clear, plain-language communication about how we handle data. Our Privacy Policy and Cookie Policy are publicly available and written to be understood without legal expertise.
Privacy by Design
Privacy considerations are embedded into our product and engineering processes from the outset, not treated as an afterthought. This applies to both our internal tools and the client solutions we build.
Contractual Safeguards
All client engagements include appropriate data protection clauses. For EU clients or projects involving personal data, we enter into a Data Processing Agreement (DPA) as required by GDPR Article 28.
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a potential security issue in any of our systems or client-facing products developed by BrightMarbles, we encourage responsible disclosure. Please report findings to our security team before publicising them, giving us a reasonable opportunity to investigate and remediate.
Contact us at security@brightmarbles.io. We aim to acknowledge all valid reports within 3 business days and will keep you informed of our progress.
Questions or Concerns?
If you have questions about our security posture, wish to request a Data Processing Agreement, or need more information for a security review or due diligence process, our team is happy to assist.
Email us at privacy@brightmarbles.io