Brandwatch information security

Vizia security policy

1. Your data

Data from external sources

Vizia displays data from third party APIs as part of the user-configured Apps in each Slide. Whilst it is possible for this to be done completely via the browser, so that Vizia never sees this data, by default this is accomplished server-side, to facilitate better performance via caching. Each Vizia app uses discrete Google Cloud Functions to collect data, which is then encrypted using AES256 and cached in Redis.

Google Sheets

Vizia uses the OAuth 2 protocol to collect Google Sheets data. Google Sheets data is used solely for display purposes as configured by the user. As part of the OAuth 2 process, users grant Vizia access to all Google Sheets that their account has access to. In Vizia itself, single sheets are linked to visualisations in order to chart key metrics, selected by the user as a range of values (rows/columns) from within the sheet.

Vizia requests the spreadsheets.readonly permission from Google in order to do this.

Google Analytics

Vizia uses the OAuth 2 protocol to collect Google Analytics data. Google Analytics data is used solely for display purposes as configured by the user. As part of the OAuth 2 process, users grant Vizia access to all Google Analytics data that their account has access to.

Vizia requests the analytics.readonly permission from Google in order to do this.

Data centers

Google Cloud Platform

All Vizia services and data are hosted in Google Cloud Platform (GCP) data centers in Belgium. Google’s data centers include safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection.

Linode

The services that provide Vizia’s “Hub” distribution functionality are hosted on Linode. Linode’s security policy is available here: https://www.linode.com/security

Network security

All Vizia servers are contained in a single Virtual Private Network (VPC). Instances inside the VPC are protected by firewall rules which deny all access to traffic from outside the network.

Internet requests are routed to hosts via Google Network Load Balancing services, which shield our back-ends from many types of denial of service attacks. These traffic entry points contain network intrusion detection & prevention, with active monitoring, filtering, and alerting.

All external connections to our application servers are TLS encrypted using proven, peer-reviewed and open source encryption algorithms. All public HTTP endpoints serve a Strict-Transport-Security response header which enforces this.

Host security

Operating Systems

Servers run Container-Optimized OS (COS) from Google. COS is optimized for running applications inside Docker containers, and has a smaller footprint reducing a server’s potential attack surface. COS includes a locked-down firewall for further protection, and is configured to automatically download weekly updates in the background.

Software Infrastructure

Vizia’s software infrastructure is comprised of multiple microservices running in a single Kubernetes cluster. This cluster and all the application containers running on it are distributed across three Availability Zones in order to provide highly available levels of service, even in the event of an entire Availability Zone becoming unavailable.

Data Storage

Application data is stored in redundant and replicated Redis and PostgreSQL services. These services are hosted in the same GCP data centres as the rest of our infrastructure and are managed for us by Aiven Ltd.

Data is encrypted at rest via aes-xts-plain64:sha256 with a 512-bit key, and all connections to Aiven managed services are TLS encrypted.

More info: https://help.aiven.io/security/cloud-security-overview

Monitoring

Systems and services are monitored 24/7 from both inside and outside the VPC network.

Services are configured to remove themselves from the system and restart when they become unhealthy, and we automatically scale service capacity in response to increasing load.

We monitor the uptime of all publicly accessible end-points and strive for 99.5% uptime.

2. Internal IT Security

Brandwatch has a Senior Information Security Manager, a Lead Cloud Security Engineer and a Senior System and Security Administrator. Our CTO also plays the role of CISO and represents Information Security at the board level. The Security Team as a whole have regular meetings.

Our Policy for System Acquisition, Development and Maintenance requires that Applications are created and maintained by our own internal teams, who are trained to avoid common vulnerabilities such as the OWASP Open Web Application Security Project Top 10.

We maintain segregated environments for SaaS – Live, Stage, Development. Office systems are completely separated from our application environment. Firewalls control traffic at ingress and egress points. VLans are used to create and enforce Trust zones within our network.

3. Certificates, compliance

Brandwatch is ISO 27001: 2013 certified organisation. Brandwatch maintains a Risk Treatment Plan for the identification, evaluation and treatment of vulnerabilities and threats and their impact to its assets, services and reputation. Any personal data that Brandwatch processes is only processed in accordance with the GDPR. All staff are made aware of their responsibilities regarding the security of information, and this includes specific reference to personal data. Brandwatch has an overall information security policy and targeted security policies that provide guidance on specific topics.

For more information on our stance regarding Data Privacy and compliance with the GDPR, please see our Data Privacy FAQs.

Crimson Hexagon has merged with Brandwatch. You’re in the right place!

From May 8th, all Crimson Hexagon products are now on the Brandwatch website. You’ll find them under ‘Products’ in the navigation. If you’re an existing customer and you want to know more, your account manager will be happy to help.