Data Connectors Security Policy

Human readable summary

Last updated: June 18, 2020

Brandwatch Data Connectors enables customers to import data from third party applications in order to conduct text analysis and use Brandwatch’s proprietary AI to get deeper insights on imported data. This page describes the security, IT, and privacy standards in place for Data Connectors.

1. Your data

Google Sheets
Data Connectors uses the OAuth 2 protocol to collect Google Sheets data. Each row in the spreadsheet is processed and uploaded into Brandwatch Consumer Research as an item of private content.

As part of the OAuth 2 process, users grant Data Connectors access to all Google Sheets that their account has access to. In Brandwatch Consumer Research itself, each item of private content is accessible via Boolean queries, filters, among other features. It can be used in the same way as social content, e.g. with sentiment detection, topic extraction, and all the other functionality of Brandwatch Consumer Research.

Data Connectors requests the spreadsheets.readonly permission from Google in order to do this.
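As an added example (not Brandwatch code), the two defender-side checks a connector built on this flow needs: request only the `spreadsheets.readonly` scope, and verify after the token exchange that Google granted exactly that scope, since users can deselect scopes on the consent screen and a misconfigured client could ask for more. It assumes Google's standard authorization endpoint and the full scope URI for `spreadsheets.readonly`, neither of which is quoted on the page.

```python
"""Least-privilege checks for a Google Sheets OAuth 2 connector.

Added example, not Brandwatch code. Assumes Google's public OAuth 2
authorization endpoint and the full URI of the spreadsheets.readonly scope.
"""
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # standard Google value
READONLY_SCOPE = "https://www.googleapis.com/auth/spreadsheets.readonly"


def new_state() -> str:
    """Unguessable per-session value; the callback must reject a mismatched state."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Consent URL that asks for the read-only Sheets scope and nothing else."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": READONLY_SCOPE,       # least privilege: no write or Drive scopes
        "state": state,                # binds the callback to this session
        "access_type": "offline",      # refresh token for unattended imports
        "prompt": "consent",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def check_granted_scopes(token_response: dict) -> tuple[bool, list[str], list[str]]:
    """Compare the scopes Google actually granted with the one requested.

    Google's token response carries a space-separated `scope` field. Returns
    (ok, missing, unexpected): `missing` means the import cannot work and the
    user should be re-prompted; `unexpected` means the token is broader than
    the connector needs and should be discarded, not stored.
    """
    granted = set(token_response.get("scope", "").split())
    missing = sorted({READONLY_SCOPE} - granted)
    unexpected = sorted(granted - {READONLY_SCOPE})
    return (not missing and not unexpected), missing, unexpected


# Constructed sample of a token response (shape only, no real token values).
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "<redacted>",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": READONLY_SCOPE,
}
```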

2. Information security

This section describes Data Centers for the Data Connectors services only. Further information on Information Security for all Brandwatch products and services is available on the Information Security and Data Privacy FAQs pages on this website.

Data centers

Google Cloud Platform

The Data Connectors services are hosted in Google Cloud Platform (GCP) data centers in Belgium. Google’s data centers include safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor also features laser beam intrusion detection.

Network security

All Data Connectors servers are contained in a single Virtual Private Cloud (VPC). Instances inside the VPC are protected by firewall rules which deny all traffic from outside the network.

Internet requests are routed to hosts via Google Network Load Balancing services, which shield our back-ends from many types of denial of service attacks. These traffic entry points contain network intrusion detection & prevention, with active monitoring, filtering, and alerting.

All external connections to our application servers are TLS encrypted using proven, peer-reviewed, and open source encryption algorithms. All public HTTP endpoints serve a Strict-Transport-Security response header which enforces this.

Host security

Operating systems

Servers run Container-Optimized OS (COS) from Google. COS is optimized for running applications inside Docker containers, and has a smaller footprint reducing a server’s potential attack surface. COS includes a locked-down firewall for further protection, and is configured to automatically download weekly updates in the background.

Software infrastructure

The Data Connectors software infrastructure comprises multiple microservices running in a single Kubernetes cluster. This cluster and all the application containers running on it are distributed across three Availability Zones in order to provide highly available levels of service, even in the event of an entire Availability Zone becoming unavailable.

Data storage

Application cache data is stored in redundant and replicated Redis services, as part of the Data Connectors pipeline, before being uploaded to Brandwatch Consumer Research. Data Connectors services are hosted in the same GCP data centres as the rest of our infrastructure and are managed for us by Aiven Ltd.

Data is encrypted at rest via aes-256-gcm with a 32 bit key, and all connections to Aiven managed services are TLS encrypted.

More info: https://help.aiven.io/security/cloud-security-overview

Monitoring

Systems and services are monitored 24/7 from both inside and outside the VPC network.

Services are configured to remove themselves from the system and restart when they become unhealthy. We automatically scale service capacity in response to increasing load.

We monitor the uptime of all publicly accessible end-points and strive for 99.5% uptime. View more information on our other Service Level Agreements.

3. Internal IT security

Brandwatch has a Senior Information Security Manager, a Lead Cloud Security Engineer, and a Senior System and Security Administrator. Our CTO also plays the role of CISO and represents Information Security at the board level. The Security Team as a whole holds regular meetings.

Our Policy for System Acquisition, Development, and Maintenance requires that applications are created and maintained by our own internal teams, who are trained to avoid common vulnerabilities such as the OWASP (Open Web Application Security Project) Top 10.

We maintain segregated environments for SaaS: Live, Stage, and Development. Office systems are completely separated from our application environment. Firewalls control traffic at ingress and egress points. VLANs are used to create and enforce trust zones within our network.

4. Certificates, compliance

Brandwatch is an ISO 27001:2013 certified organisation. Brandwatch maintains a Risk Treatment Plan for the identification, evaluation, and treatment of vulnerabilities and threats and their impact on its assets, services, and reputation. Any personal data that Brandwatch processes is only processed in accordance with the GDPR. All staff are made aware of their responsibilities regarding the security of information, including specific reference to personal data. Brandwatch has an overall information security policy and targeted security policies that provide guidance on specific topics.

For more information on our stance regarding Data Privacy and compliance with the GDPR, please see our Data Privacy FAQs.
