Security & Compliance

Security and compliance are top priorities for BrainCert because they are fundamental to your experience with the product.

Committed to Compliance

Our compliance program ensures that you and your customers can trust BrainCert and have third-party assurance that effective and robust controls protect your data.


SOC 2 Type II Certified

BrainCert has successfully completed the SOC 2 Type 1 & II certification and undergoes regular SOC 2 Type II audits (all 5 Trust Services Criteria) performed by an independent third-party auditing firm.


ISO/IEC 27001:2013

BrainCert is an ISO 27001:2013 certified company which means that BrainCert has a fully occupied information management system in place that is in compliance with the best practices recommended by ISO & IEC for information & data security.


GDPR

BrainCert is committed to data privacy and security, including complying with and, where applicable, helping our customers and users comply with the EU General Data Protection Regulation (GDPR).



McAfee Enterprise-Ready

McAfee evaluates cloud services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection, and presents the McAfee Enterprise-Ready seal to only those services that have the highest CloudTrust™ rating possible.


HIPAA Compliance

BrainCert is compliant with Health Insurance Portability and Accountability Act (HIPAA)  security requirements. With HIPAA compliance, customers can securely process and store protected health information (PHI) in BrainCert Cloud after executing a Business Associate Agreement.


Privacy Shield Framework

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.

BrainCert's Approach to Information Security and Data Privacy

BrainCert maintains a comprehensive information security and privacy program to protect BrainCert employees, customers, assets, and data. BrainCert requires its subcontractors to have similar information security practices and procedures that comply with its minimum requirements to protect relevant BrainCert assets and data and those of its customers. BrainCert maintains a strong security & compliance posture anchored around security and privacy best practices. BrainCert is compliant with security frameworks such as SOC2, ISO/IEC 27001:2013, HIPAA, GDPR, PIPEDA, PCI DSS v3.2.1, NIST SP 800-171, CIS, and CCPA.

Our Security Measures

Over the last few years, we've invested significantly in our data security and privacy infrastructure which means that the data security practices, policies, and procedures that are in place at BrainCert is fully capable of averting any data breach and ensuring data privacy.

Datacenter security 

BrainCert platform is built on Amazon Web Services (AWS)  infrastructure that aligns with IT security best practices. AWS data centers have achieved SOC 1, 2, and 2, ISO/IEC 27001 certification, PCI DSS Level 1 compliance, and FedRAMP/FISMA reports and certifications. 

Security in transit

All information that we receive and transmit is fully encrypted using the highest industry standard procedures and protocols, including TLS 1.2 and TLS 1.3 where applicable, and configured with strong ciphers based on the application stack.

Data encryption at rest

Our customers' data is encrypted at rest, using FIPS 140-2 validated HSMs (AWS KMS), and AES-256 symmetric encryption algorithms where appropriate. Access to customer data is highly restricted using Identity & Access Management (IAM) roles and policies.

Data access is controlled

Access to customer data is strictly limited to a small set of oncall engineers, is protected by auditing & alerting systems, and only available when debugging a specific problem (usually by customer request). Access to data is granted only when required for a particular job function.

Cloud Security 

BrainCert has implemented firewalls, intrusion detection, and other network protection services in accordance with industry best practices for securing BrainCert-managed applications, assets, and data. We undergo regular 3rd party penetration tests to ensure all our security practices and systems are top-notch.

Zero-Trust Principle

BrainCert’s management team enforces zero trust access and follows the principle of least privilege for all of our applications — helping prevent impermissible data uses or disclosures by internal employees. All BrainCert internal employees undergo semi-annual security awareness training and sign-off policies.

Incident Management

BrainCert monitors and identifies possible intrusions on all infrastructure, applications, and services used to present the BrainCert Application. BrainCert follows a documented security incident response plan. In the event of any verified incident affecting customer data or an application, BrainCert notifies affected customers of such events in a timely manner. 

Systems Development

BrainCert employs strict development processes and coding standards to ensure that both adhere to best industry security practices. BrainCert ensures that source code and similar configuration changes are properly authorized and tracked via standard source code management practices. Security measures include static code analysis tools, daily CVE scans, and security scans.

Business Continuity & Disaster Recovery 

BrainCert uses a scale out architecture with high availability built into various layers of our stack. We have a disaster recover plan that addresses multiple site availability and replication of critical customer data. All customer data is backed up regularly across geographic locations. BrainCert performs regular disaster recovery testing.