Information security

At Brevio.com, your privacy and data security are among our focus areas. We will always process your personal information:

  • With confidentiality.
  • Correctly, according to separate statements.
  • Legally, in accordance with applicable laws and regulations on privacy and information security.


Introduction

Brevio is a web application developed and operated by Brevio AS. The system is designed for approximately 100% uptime and scalable capacity (both horizontally and vertically).

The solution uses Heroku as its application platform, which provides redundancy, load balancing, and elastic scaling. All data is stored in a PostgreSQL database provided as a service by Heroku, which guarantees uptime of at least 99.9% with continuous logical and physical backup.

All data traffic between the user's browser and the application is encrypted, and all operations against API endpoints are protected with CSRF tokens.

Security assessments and compliance (Data centers and application)

Brevio's physical infrastructure is based on Amazon's (AWS) secure data centers and technology. Amazon continuously manages risk and carries out periodic reviews to ensure compliance with industry standards.

The data center used by Brevio is located in Frankfurt (Germany) and is accredited by:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

In addition to accreditation of data centers, control assessments of the operating and control environment at Brevio AS have been carried out by an independent party.

Penetration testing and vulnerability assessments

In addition to penetration testing and vulnerability assessments performed by Heroku & Amazon, Brevio conducts annual security testing of the application. The testing is performed by independent and reputable security consulting firms. Findings from security tests are reviewed, risk assessed and corrected.

Physical security

Brevio uses ISO 27001 and FISMA-certified data centers at Amazon. Amazon has many years of experience in designing, building and operating large data centers. AWS data centers are located in unspecified locations, and critical parts of the facility have comprehensive protection, including military-grade perimeter control and other natural boundary protection.

Physical access is strictly controlled both on an area basis and at the building's entry points. This includes professionals, video surveillance, modern detection systems and other electronic means. Authorized personnel must pass two-factor authentication three times to access data center floors. All visitors and contractors must present identification and are logged in and continuously escorted by authorized personnel.

Amazon only offers data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these rights, his or her access is immediately revoked, even if they are still employed by Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is routinely logged and audited.

For questions about security in general, or individual cases in particular, contact us at [email protected].