Brandwatch information security

The Brandwatch Security Programme

1. Programme Overview

Brandwatch maintains a comprehensive security programme to support regulatory compliance, preserve customer trust, and safeguard the security, privacy, confidentiality, integrity, and availability of systems processing confidential information. The Brandwatch security team is staffed by dedicated professionals reporting directly to executive management and our board of directors. Software development processes and outputs are ISO 27001:2013 certified and we engage a third party to audit our adherence to these standards at least annually. Our current ISO certificate is available upon request.

Brandwatch provides an integrated suite of products and services that includes our flagship consumer research offering (BCR), a marketing reporting and command center solution (Vizia), an audience analysis platform (Audiences), and a real time survey product (Qriously). Brandwatch also operates a standalone content marketing platform called BuzzSumo.

All Brandwatch employees receive information about our policies and procedures as they relate to security and data privacy. Brandwatch employees must review and sign an Acceptable Use Policy and undergo security and data privacy training upon hire and at least annually thereafter. Brandwatch performs background and/or reference checks for all new hires according to local laws and regulations as a condition of hire.

2. Data Centres and Third Party Hosting

The different components of the Brandwatch product suite are hosted across a variety of services in order to take advantage of the benefits of different classes of infrastructure and ensure continuous, uninterrupted availability of the platform. Each of these service providers is held to the same standards we hold ourselves to, and we assess their security practices annually.

We make extensive use of Amazon Web Services (AWS). For BCR, raw data ingestion, indexing, analysis, and storage take place in AWS in the us-east-1 region (Northern Virginia, USA). Qriously uses resources in us-east-1, as well as in eu-west-2 (London, UK). AWS is certified to a wide range of compliance and security standards, available for review here.

The BCR frontend applications and Vizia components are hosted in Google Cloud Platform (GCP) in the europe-west1 region (St. Ghislain, Belgium). As with AWS, GCP has a variety of certifications, viewable here.

Analysis results and customer metadata are stored in colocation facilities in the UK. The primary data centre is in Hayes, UK, with services provided by Virtus DC. The backup data centre is in Maidstone, UK, with services provided by Custodian DC. Both data centre providers manage Tier III or better facilities with 24/7 on-site security personnel and extensive physical security controls.

We supplement the above services with small presences in Linode and OVH.

3. Access Control and Data Protection

Platform access control

We have implemented strict user roles in our products to allow our customers control and flexibility over what features their users can access. We believe it is necessary to give all of our customers this level of flexibility, as the requirements for access control are different in every organization.

Users of the Brandwatch Platform with the Admin user type can manage all user roles and permissions for their teams. For more detailed instruction regarding user permissions within our applications, please refer to the Brandwatch Help Center.

Internal access to customer data

We limit customer instance access to only Brandwatch Group employees who require access to service a given customer account, such as account managers and customer support personnel. We audit all access monthly, quarterly, or annually depending on the level of access and the sensitivity of the data involved.

Remote access to server infrastructure is limited to engineering personnel with a demonstrated business need for access. Access requests are ticketed, reviewed, and approved by senior management and the security team, and then reviewed quarterly. In order to access systems containing customer information, Brandwatch employees must authenticate via a VPN, and provide a physical access token as a second factor.

Physical access control

As mentioned, Brandwatch does not rely on physical locations to process customer data. However, we have implemented a series of controls to manage physical access to our offices. Where possible, our offices have front desk personnel assigned to monitor access. All visitors must check in and out, and be accompanied by a Brandwatch employee throughout their visit. All Brandwatch employees have keycards to access offices. Where front desk personnel are unavailable, entry doors to office space are kept locked.

Sensitive equipment and documents are kept in locked rooms within the office perimeter. Where necessary, we use fireproof safes for additional secure storage in these areas. Only members of IT staff have access to locked server rooms.

Separation of platform data

The Brandwatch Group’s products are multi-tenant SaaS applications. We logically separate customer data through database design, coding standards, and thorough code reviews. Each user and piece of data within the products includes a unique identifier. We bind every user session to a user identifier, which is then used to retrieve data. Each user is granted a set of permissions, which then dictates access within the product(s). We never use customer data during our development or testing processes. The production environment is physically segregated from all non-production environments.

Encryption

We encrypt all Brandwatch Group issued employee computers with the full disk encryption offered by the operating system used. Windows machines use BitLocker, Apple devices use FileVault 2, and Linux devices use dm-crypt with LUKS.

We encrypt all customer uploaded data and login credentials in transit. All communication with the Brandwatch Group’s products occurs over HTTPS. The products support TLS 1.1, 1.2, and 1.3 protocols and use TLS 1.2 by default for all data in transit over HTTPS for browsers that support it, with 1.1 available as a fallback for some legacy customer implementations.

Customer uploaded data and related backups are encrypted at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3). Physical backup tapes from our data centres are encrypted with AES-256.

Data retention and deletion

Unless otherwise noted in your contract, if you terminate your contract with Brandwatch, we will retain your queries, mentions, and Vizia data for 30 days. After the 30-day window, with the exception of any information that we are legally required to retain, an automated process deletes or anonymizes all data in the platform related to the expired contract.

Single Sign-on, Password Security, and MFA

The Brandwatch Group offers Single Sign-on (SSO) via SAML 2.0 and Google Authentication as a premium feature to certain customers. Both types of SSO offer configuration settings to authenticate via SSO only, or the ability to authenticate via SSO or standard email and password authentication. At the present time, we do not offer account provisioning via SSO. All accounts must be created through the administration area of each product.

Passwords are one-way hashed and salted using bcrypt. Our minimum requirement for passwords is 8 characters, including at least one numeric and one special character. The platform features optional Automatic Password Expiry. With Automatic Password Expiry enabled, users will be required to change their password every 90 days. Users are restricted from accessing the platform if they fail to enter the correct password 10 times in a row. Brandwatch employees must use a password manager and generate unique, sufficiently complex passwords for all services accessed. We do not currently place any further restrictions on passwords, as recent guidelines (see: https://github.com/usnistgov/800-63-3) advise against overly complex requirements.

For service accounts, we do not generally use passwords and instead rely on other methods for access (SSH keys, MFA, hardware tokens). We require the use of multi-factor authentication for all Brandwatch Group employee user accounts. We do not currently offer MFA for end users.
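To make the account controls above concrete, here is an added example (not Brandwatch's code) that models the stated parameters: minimum 8 characters with a digit and a special character, salted one-way hashing, lockout after 10 consecutive wrong passwords, and the optional 90-day expiry. It assumes `hashlib.scrypt` as a standard-library stand-in for the bcrypt the page describes, and the account layout and return values are illustrative.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH, MAX_FAILURES, EXPIRY_DAYS = 8, 10, 90   # parameters stated on the page

def password_meets_policy(pw: str) -> bool:
    """At least 8 characters, with at least one digit and one special character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted one-way hash, returned as (salt, digest).
    Assumption: hashlib.scrypt stands in here for the bcrypt the page describes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime          # last password change, for Automatic Password Expiry
    expiry_enabled: bool = False  # the page's optional 90-day expiry
    failures: int = 0             # consecutive failed logins

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def login(self, pw: str, now: datetime) -> str:
        """Returns 'ok', 'expired', 'bad_password' or 'locked'."""
        if self.locked():
            return "locked"       # 10 wrong passwords in a row: access is refused
        _, digest = hash_password(pw, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failures += 1
            return "locked" if self.locked() else "bad_password"
        self.failures = 0         # a correct password resets the run of failures
        if self.expiry_enabled and now - self.changed_at > timedelta(days=EXPIRY_DAYS):
            return "expired"      # correct, but the user must set a new password
        return "ok"

def create_account(pw: str, now: datetime, expiry_enabled: bool = False) -> Account:
    """Enforce the minimum policy, then store only the salt and the hash."""
    if not password_meets_policy(pw):
        raise ValueError("password does not meet the minimum policy")
    salt, digest = hash_password(pw)
    return Account(salt, digest, now, expiry_enabled)
```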

4. Device and Network Security

Endpoint security

Windows machines are provisioned with Windows Defender. For Macs we use a combination of Mac OS’s built-in anti-malware capabilities as well as application allowlists and binary authorization and monitoring. Brandwatch employees do not receive privileged access to their machines unless there is a clear business need for them to have it. Employees with elevated access must commit to additional security requirements in order to receive this level of access.

Devices are monitored and managed using a mobile device management (MDM) system. All company laptops and phones may be remotely wiped in the event they are lost or stolen. Brandwatch employee devices all use the native full disk encryption available for their operating system: FileVault for Mac OS, BitLocker for Windows 10, and LUKS for Linux.

Company wireless networks do not provide access to sensitive systems. Access to wireless is controlled via RADIUS.

Server and network security

Brandwatch servers are managed via configuration management software, and changes to configuration standards are monitored and audited periodically. Physical servers in our colocation centres are hardened according to a security checklist during provisioning. Cloud instances are monitored using cloud monitoring tools designed to detect anomalous activity and deviation from standards.

We use honeypots and other network monitoring tools to detect and prevent intrusion or other unwanted behavior. Server logs are shipped to a central logging service and managed by a dedicated monitoring team. Logs are retained for 2 to 6 months depending on their purpose. Log files contain a wide variety of information, including but not limited to privilege escalations, actions taken as root, and user access patterns.

5. Business Continuity, Disaster Recovery, and SLAs

Brandwatch does not rely on physical locations to provide services; therefore, our exposure to most threats of disaster is minimal. However, we do have an extensive business continuity policy and incident response procedure. This policy includes established roles for incident response and a dedicated emergency response team made up of high-level employees from across the organization and our geographic locations.

All critical infrastructure components are redundant. For cloud services, we load balance our servers across multiple availability zones and our databases live in multiple availability zones. Cloud data backups are stored in separate doomsday vault accounts. For physical infrastructure, we maintain two data centres and perform daily backups. Weekly backups are also taken and stored by a third party service provider in the form of encrypted backup tapes.

Our engineering teams maintain documented standard operating procedures and runbooks to address a variety of scenarios. Engineering teams run backup restoration tests for critical services at least annually. We have also implemented an on-call rotation to ensure 24/7 coverage of our systems in the event of an incident.

For more information on our uptime commitments, please review our Service Level Agreement document.

Recovery Point Objectives (RPO)

Brandwatch Group systems have an RPO of 24 hours maximum, meaning that in the worst case no more than 24 hours of data are lost, and valid backups are taken at least every 24 hours. Specific products may have shorter RPOs depending on backup practice and/or technology choice. RPO may be as little as a few seconds in the case of some critical systems.

Recovery Time Objectives (RTO)

The majority of Brandwatch Group products have an RTO of less than one business day. There are two potential exceptions to this RTO:

  • Ongoing and critical failure of any of our critical services vendors. It could take up to a month to await system recovery or switch to an alternative vendor; however, contingency plans in place can bring the business back to an operational status in 24 to 48 hours in the absence of one of those systems.
  • Complete loss of primary social media archives. In the event of such a failure, minimum functionality could return almost immediately, with coverage expanding rapidly. However, given the amount of data involved in rebuilding these archives, full recovery could take days, if not weeks.

6. Security in Development

Quality control and change management

We follow a strict quality protocol during the development, testing, and deployment of our software updates. During the design phase of all Brandwatch Group features, stakeholders from various departments examine detailed test cases to make sure that the feature will meet the necessary requirements. We also incorporate user testing whenever possible to ensure that our product most accurately meets the needs of our customers.

All code released to production has been reviewed and tested by our Quality Assurance teams and by senior engineers who did not directly work on the code in question. We use git for version control, and GitHub for source code hosting. All releases follow a specific protocol and all actions taken during a release are logged to GitHub and relevant internal documentation channels.

Engineers are provided security training and documentation on a regular basis, including periodic refresher training on the OWASP Top 10.

Vulnerability and penetration testing

We perform vulnerability testing monthly, and engage a third party to perform intensive manual and automated penetration and web application testing annually. Our most recent test results are available on request.

7. Vendor and Contractor Security

Our security, IT, and privacy teams review all vendors prior to purchasing software or services, and annually or upon renewal thereafter. Reviews include an assessment against security standards, data handling and privacy requirements, and suitability for business use.

Brandwatch uses contract employees for two primary purposes: foreign language social media support and software development services. In the former case, contractors are required when a customer requests data or reports in languages not directly supported by Brandwatch employees. In the latter case, the Brandwatch Group has maintained long-term relationships with small groups of contract software developers in Argentina and Serbia. These contractors provide feature development support and are fully integrated into our secure development lifecycle. All contractors sign non-disclosure agreements and our acceptable use policy. Contractor access to customer data is limited to the minimum access required to perform their duties.

8. Data Breach Notification

The Brandwatch Group commits to notifying affected entities without undue delay and in any event within 36 hours after becoming aware of a data breach (as defined in Data Protection Legislation requirements).

9. Compliance

For details regarding how we fulfill our data privacy, legal, and regulatory compliance obligations, please visit the Legal and Privacy sections of this website.

10. Vulnerability Disclosure

We do not have an official bug bounty programme (nor do we expect to create one in the near future). This means we do not have standing financial or personnel resources dedicated to handling unsolicited bug reports. That said, we are happy to accept and triage submissions to [email protected], and we may choose to provide compensation for these submissions where appropriate. Vulnerabilities found are not confidential, but we would ask that you not publicly disclose the things you find without giving us time to remedy any issues. We will do our best to provide valid findings with appropriate compensation. However, please keep in mind that our assessment of what’s appropriate may differ from yours, and we unfortunately cannot negotiate reward amounts.

11. Feedback

We capture customer concerns and feedback within all of our products using Intercom (www.intercom.com). You can get in touch with the Brandwatch Product Support team via the Brandwatch Help Center (support.brandwatch.com). To access either Intercom or the Brandwatch Help Center, you must be logged in to the product. Customers may also contact their Customer Success Manager directly.

If you would like additional information on the features and functionality of Brandwatch, please reach out to our Sales or Services teams. For specific security, privacy, or compliance related issues, please contact [email protected] or [email protected].
