What’s in this document
The purpose of this document is to set out for customers of the Brandwatch group of companies, including Crimson Hexagon (“Brandwatch Group”), the technical and organisational security measures that the Brandwatch Group uses in its approach to security. We take your trust and security very seriously. If you would like additional information on the features and functionality of the Brandwatch Group products, please reach out to our Sales or Services teams. For security, privacy, or compliance-related issues, please contact firstname.lastname@example.org or email@example.com.
Who we are
The two leading social intelligence companies have come together to create new artificial intelligence-driven products to help every decision maker better understand their consumers. Our new offering will join Crimson Hexagon’s artificial intelligence and historical data index with Brandwatch Analytics’ data handling and flexible user interface to create immense value for customers. By innovating at the cross section of brand, market, and consumer intelligence, we will deliver the insights our customers need most.
Our security practices
The Brandwatch Group takes the security of your information very seriously. We maintain a comprehensive security program to support regulatory compliance, preserve customer trust, and maintain the security, privacy, confidentiality, integrity, and availability of systems processing confidential information.
Our system infrastructure is only accessible by select IT and Engineering Operations team members and is monitored in real-time for system performance, issues, and errors.
Data centers and third-party hosting
Brandwatch Analytics uses a co-location model. Brandwatch staff manage our dedicated systems which are hosted in a Tier 3-rated third-party data center, allowing us to maintain high application availability and physical security. This is supplemented by the use of public cloud services for selected business functions and some application components.
The majority of Vizia services and data are hosted in Google Cloud Platform (GCP) data centers in Belgium. Google’s data centers include safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection. Read more about Vizia’s security practices.
The Crimson Hexagon Platform uses Amazon Web Services (AWS) as its primary third-party hosting provider. We chose to work with AWS because of their focus on the principles of availability, security, integrity, and privacy. For more information on AWS security and compliance, visit https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/ respectively.
Platform access control
We have implemented strict user roles in our products to allow our customers control and flexibility over what features their users can access. We believe it is necessary to give all of our customers this level of flexibility, as the requirements for access control are different in every organization.
Users in the Crimson Hexagon Platform with the Invite Users permission can manage all user roles and permissions in the Team Admin section. For more detailed instruction regarding user permissions within the Crimson Hexagon platform, please refer to our Managing User Permissions article in our Help Center. If you do not currently have access to our Platform, you may request a copy of this article.
Users of the Brandwatch Platform with the Admin user type can manage all user roles and permissions for their teams. For more detailed instructions regarding user permissions within Analytics, please refer to the Brandwatch Help Center.
Internal access to customer data
We limit customer instance access to only Brandwatch Group employees who require access to service a given customer account. We audit this access monthly, quarterly, or annually depending on the level of access and the sensitivity of the data involved.
Separation of platform data
We never use customer data during our development or testing processes. The production environment is physically segregated from other instances and does not have any connections to non-production environments.
The Brandwatch Group’s products are multi-tenant SaaS applications. We logically separate customer data through our database design, coding standards, and thorough code reviews. Each user and piece of data within the products includes a unique identifier. We bind every user session to a user identifier, which is then used to retrieve data. Each user is granted a set of permissions, which then dictates access within the product(s).
We transmit all communication with the Brandwatch Group’s products over HTTPS. The products support TLS 1.1 and 1.2 protocols and use TLS 1.2 by default for all data in transit over HTTPS for browsers that support it.
Encryption of internal devices and customer data
We encrypt all Brandwatch Group-issued employee computers using either AES in XTS mode with 128-bit blocks and a 256-bit key, or AES in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key.
We encrypt all customer-uploaded data and login credentials in transit. We use TLS with ECDHE key exchange, AES-128 encryption in GCM mode, and SHA-256. For a more detailed analysis of our encryption program, please view the Crimson Hexagon SSL server report and the Brandwatch SSL server report.
Redundancy and load balancing
All critical infrastructure components are redundant. For cloud services, we load balance our servers across multiple availability zones and our databases live in multiple availability zones.
For physical infrastructure, we maintain two data centers and perform daily backups. Weekly backups are also taken and stored by a third-party service provider in the form of encrypted backup tapes.
Data retention and deletion
Unless otherwise noted in your contract, if you terminate your contract with Brandwatch, we will retain your query, mentions, and Vizia data for 30 days. After the 30-day window, with the exception of any information that we are legally required to retain, we begin the deletion process and all data is removed from our systems.
Unless otherwise noted in your contract, if you terminate your contract with Crimson Hexagon, we will retain your monitor setup and results data for 60 days. After the 60-day window, with the exception of any information that we are legally required to retain, we begin the deletion process and all customer-linked data is removed from our systems.
Our single sign-on option
The Brandwatch Group offers Single Sign-on (SSO) via SAML 2.0 and Google Authentication as a premium feature to certain customers. Both types of SSO offer configuration settings to authenticate via SSO only, or the ability to authenticate via SSO or standard email and password authentication.
At the present time, we do not offer account provisioning via SSO. All accounts must be created through the administration area of each product.
Credential storage in the platform
Our passwords are one-way hashed and salted with random 128-bit values.
We require the use of multi-factor authentication for all Brandwatch Group employee user accounts. Multi-factor authentication is optionally available for all customers using the Crimson Hexagon Platform.
Quality control and change management
We follow a strict quality protocol during the development, testing, and deployment of our software updates. During the design phase of all Brandwatch Group features, stakeholders from various departments examine detailed test cases to make sure that the feature will meet the necessary requirements. We also incorporate user testing whenever possible to ensure that our product most accurately meets the needs of our customers.
Our change management process begins when project teams are assigned. Change management includes development, quality assurance, peer review, and management approval. A developer creates and tests code on a local environment. A member of the Quality Assurance (QA) team reviews and tests all developer work. Once a change is code complete, the developer creates a pull request to our master branch and schedules their code to be reviewed by a peer who has not worked on any part of the code.
Once the change is reviewed and QA has completed testing and provided approval, we slate the code for release by merging it to master. Our QA team reviews the master branch by running a series of automated and manual tests to ensure that the code is ready for release. Our standard, scheduled releases do not involve any Platform downtime.
The release process includes several members of our Engineering team, who monitor the progress of the release. Release managers run through a predefined script of actions to make sure that the release runs smoothly. The release manager deploys the code to a staging environment and QA runs through testing procedures in order to ensure stability. Once this testing is complete, code is deployed to production and the release is complete.
Technology update policy
The Brandwatch Group has implemented a company-wide system to manage patches, fixes, and updates to all proprietary and third-party computer systems, devices, appliances, operating systems, applications, libraries, and software. This consists of clearly assigned specific responsibilities. All Engineering Infrastructure and IT personnel are trained in system administration, including patch management and system update techniques. The elements of this policy are used in conjunction with vulnerability scanning and penetration testing to minimize risk to data security, privacy, integrity, and availability.
Our risk management and incident response policies
Risk and vulnerability reports originate from many different sources, including customer support (see Customer feedback below), DR/BC drills (see Disaster recovery and business continuity below), regular vulnerability scans (see Regular vulnerability scans below), and penetration tests (see Third-party penetration tests below).
The Security team prioritizes and tracks all reported issues to completion using a leading issue tracking platform. We treat customer issues as top priority and the security of customer data is of the utmost importance to us.
Our Engineering Operations team monitors system performance issues and errors using industry gold standard tools. Any abnormalities are detected by our alerting systems and our Engineering Operations team is made aware immediately.
In the case of a serious incident (loss of service, major platform bug, data breach, etc.), we will notify customers immediately. We will provide messages via Intercom, email, status.crimsonhexagon.com, status.brandwatch.com and/or directly within the Platform. After the incident has been properly analyzed and prioritized, we will follow up with more details about the issue, our expected timeline to resolution, and what corrective and preventative measures we are taking.
To stay informed on platform updates, we encourage all users to sign up to receive service alerts from the product(s) they use – status.crimsonhexagon.com and status.brandwatch.com.
Regular vulnerability scans
We perform vulnerability scans quarterly and the results of these scans are available upon request. Any issues discovered during one of these scheduled scans are evaluated for likelihood of exploitation and risk severity. We prioritize these issues and mitigation work is scheduled with the appropriate team(s).
Third-party penetration tests
Crimson Hexagon and Brandwatch engage third parties to conduct annual penetration testing. All networks, including test and production environments, are scanned quarterly using trusted third-party tools. Critical patches are applied to servers on a priority basis, and all other patches are applied as appropriate.
Disaster recovery and business continuity
The principal objective of the disaster recovery program is to develop, test, and document a well-structured and easily understood plan that will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency. An event of this magnitude might interrupt information systems and business operations and may potentially cause loss, destruction of, or damage to data including personal data. Additional objectives include the following:
- Ensuring that all employees fully understand their duties in implementing such a plan
- Ensuring that operational policies are adhered to within all planned activities
- Ensuring that proposed contingency arrangements are cost-effective
- Considering the implications on all company sites
- Ensuring that disaster recovery capabilities accommodate the requirements of customers, vendors, and others
As part of our risk management program, we conduct annual disaster response and business continuity drills. These drills allow us to identify weaknesses and single points of failure that we can properly prioritize and address. Our Security Stakeholders group meets monthly to monitor identified issues as we work towards resolution.
Customer feedback
We capture customer concerns and feedback within all of our products using Intercom (www.intercom.com). The Crimson Hexagon Product Support team is always reachable via the Crimson Hexagon Help Center (help.crimsonhexagon.com). You can reach the Brandwatch Product Support team via the Brandwatch Help Center (support.brandwatch.com). To access either help center, you must be logged in to the corresponding platform.
For details regarding our data privacy compliance, please visit https://www.brandwatch.com/legal/data-privacy-faqs/.