SOC 2
SOC 2 Type I
Bryllyant is a SOC 2 Type I compliant company, which means that we have implemented controls to protect the security, confidentiality, and privacy of any data with which our applications interact.
GOVERNANCE
Least Privilege
Foundational to our security practices is the principle of least privilege: users are granted only the level of access strictly required to perform their job functions, and nothing beyond it.
Data Management
We encrypt all data at rest so that neither physical nor logical access to the database is enough to read sensitive information. We also use TLS 1.2 or higher and HSTS (HTTP Strict Transport Security) to protect data in transit. Finally, we encrypt all application secrets and store them in AWS Secrets Manager.
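As an added example, not Bryllyant's own code, the following Python script checks the two transport controls described above: that a response carries a Strict-Transport-Security header with a sufficiently long max-age, and that a client TLS context refuses anything below TLS 1.2. The sample response headers and the one-year max-age threshold are constructed assumptions for this example.

```python
"""Added example: verify TLS 1.2+ and HSTS transport controls.
Not the company's code; sample headers below are constructed."""
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption for this example: treat anything under one year as too short.
# RFC 6797 only requires max-age to be present; one year is a common target.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

    @property
    def compliant(self) -> bool:
        """Header present, max-age parseable, and at least the threshold."""
        return (self.present and self.max_age is not None
                and self.max_age >= MIN_HSTS_MAX_AGE)


def parse_hsts(headers: Mapping[str, str]) -> HstsResult:
    """Parse Strict-Transport-Security from a response header map.
    Header names match case-insensitively; directives follow RFC 6797."""
    value = None
    for name, raw_value in headers.items():
        if name.lower() == "strict-transport-security":
            value = raw_value
            break
    if value is None:
        return HstsResult(present=False)
    result = HstsResult(present=True)
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, raw = directive.partition("=")
        key = key.strip().lower()
        raw = raw.strip().strip('"')
        if key == "max-age":
            try:
                result.max_age = int(raw)
            except ValueError:
                result.max_age = None  # malformed value: treated as absent
        elif key == "includesubdomains":
            result.include_subdomains = True
        elif key == "preload":
            result.preload = True
    return result


def make_client_context() -> ssl.SSLContext:
    """Client TLS context that will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed sample responses (not captured from any real server).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Type": "text/html",
}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK),
                        ("missing", SAMPLE_MISSING)):
        print(label, parse_hsts(hdrs))
    print("legacy TLS allowed:", context_allows_legacy_tls(make_client_context()))
```

The parser is deliberately lenient about case and whitespace because browsers are, so a header that passes here is one a browser would also honour; the TLS check inspects the context's policy rather than performing a live handshake, which makes it usable in a unit test.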
PRODUCT SECURITY
Penetration Testing
We perform penetration tests of our applications and our production network at least once a year. If any major changes are made to production systems, we will do additional testing. During these tests, our source code is made fully available to the testers to ensure full coverage.
SAST and Dependency Scanning
Vulnerability scans, such as SAST (static application security testing) scans and dependency scans, are conducted at least once a quarter on external environments. When these scans are performed, internal scans are also run against test environments that mirror the production environments. These scans protect our software on an ongoing basis and prevent malware from entering our systems.
ENTERPRISE SECURITY
Secure Remote Access
All Bryllyant employees are required to use a VPN provided by the company and configured for multi-factor authentication (MFA) when transmitting sensitive data. If connecting to an outside network, employees must first have an up-to-date software firewall configured on their computer.
Security Education
Both Bryllyant employees and third parties with access to production systems must complete security awareness training upon hire and annually thereafter. When security policies or procedures are updated, employees are informed and must complete any related training.
Identity and Access Management
We leverage Google Workspace to manage user identities and access levels. Employee access to applications and systems is based on the employee’s role, and roles are revoked upon termination of employment.