Brandwatch Data Connectors enables customers to import data from third-party applications in order to conduct text analysis and use Brandwatch’s proprietary AI to get deeper insights on imported data. This page describes the security, IT, and privacy standards in place for Data Connectors.
Data Connectors uses the OAuth 2 protocol to collect Google Sheets data. Each row in the spreadsheet is processed and uploaded into Brandwatch Consumer Research as an item of private content.
As part of the OAuth 2 process, users grant Data Connectors access to all Google Sheets that their account has access to. In Brandwatch Consumer Research itself, each item of private content is accessible via Boolean queries and filters, among other features. It can be used in the same way as social content, e.g. with sentiment detection, topic extraction, and all the other functionality of Brandwatch Consumer Research.
Data Connectors requests the spreadsheets.readonly permission from Google in order to do this.
This section describes Data Centers for the Data Connectors services only. Further information on Information Security for all Brandwatch products and services is available on the Information Security and Data Privacy FAQs pages on this website.
The Data Connectors services are hosted in Google Cloud Platform (GCP) data centers in Belgium. Google’s data centers include safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor also features laser beam intrusion detection.
All Data Connectors servers are contained in a single Virtual Private Cloud (VPC) network. Instances inside the VPC are protected by firewall rules which deny all access from outside the network.
Internet requests are routed to hosts via Google Network Load Balancing services, which shield our back-ends from many types of denial of service attacks. These traffic entry points contain network intrusion detection & prevention, with active monitoring, filtering, and alerting.
All external connections to our application servers are TLS encrypted using proven, peer-reviewed, and open source encryption algorithms. All public HTTP endpoints serve a Strict-Transport-Security response header which enforces this.
Servers run Container-Optimized OS (COS) from Google. COS is optimized for running applications inside Docker containers and has a smaller footprint, which reduces a server’s potential attack surface. COS includes a locked-down firewall for further protection, and is configured to automatically download weekly updates in the background.
The Data Connectors software infrastructure comprises multiple microservices running in a single Kubernetes cluster. This cluster and all the application containers running on it are distributed across three Availability Zones in order to provide highly available levels of service, even in the event of an entire Availability Zone becoming unavailable.
Application cache data is stored in redundant and replicated Redis services, as part of the Data Connectors pipeline, before being uploaded to Brandwatch Consumer Research. Data Connectors services are hosted in the same GCP data centres as the rest of our infrastructure and are managed for us by Aiven Ltd.
Data is encrypted at rest via aes-256-gcm with a 32 bit key, and all connections to Aiven managed services are TLS encrypted.
Systems and services are monitored 24/7 from both inside and outside the VPC network.
Services are configured to remove themselves from the system and restart when they become unhealthy. We automatically scale service capacity in response to increasing load.
We monitor the uptime of all publicly accessible endpoints and strive for 99.5% uptime. View more information on our other Service Level Agreements.
Brandwatch has a Senior Information Security Manager, a Lead Cloud Security Engineer, and a Senior System and Security Administrator. Our CTO also plays the role of CISO and represents Information Security at the board level. The Security Team as a whole hold regular meetings.
Our Policy for System Acquisition, Development, and Maintenance requires that applications are created and maintained by our own internal teams, who are trained to avoid common vulnerabilities such as those in the OWASP (Open Web Application Security Project) Top 10.
We maintain segregated environments for SaaS: Live, Stage, and Development. Office systems are completely separated from our application environment. Firewalls control traffic at ingress and egress points. VLANs are used to create and enforce trust zones within our network.
Brandwatch is an ISO 27001:2013 certified organisation. Brandwatch maintains a Risk Treatment Plan for the identification, evaluation, and treatment of vulnerabilities and threats and their impact on its assets, services, and reputation. Any personal data that Brandwatch processes is only processed in accordance with the GDPR. All staff are made aware of their responsibilities regarding the security of information, including specific reference to personal data. Brandwatch has an overall information security policy and targeted security policies that provide guidance on specific topics.
For more information on our stance regarding Data Privacy and compliance with the GDPR, please see our Data Privacy FAQs.