Security

Last updated: February 23, 2026

As a small team, we operate with a lean access model - minimizing the number of people with access to production systems. We take a practical approach to security: strong defaults, minimal data collection, and honest transparency about where we are and where we are headed.

1. Infrastructure

BrighterWorks runs on a dedicated server hosted by Hetzner in Helsinki, Finland. Not a shared VM - a dedicated machine that only runs our services. Core application hosting, database storage, analytics, and error tracking all operate within the European Union.

If you choose to sign in via Google or Microsoft, authentication data is processed by those providers under their own security practices. See our Privacy Policy for details.

Storage currently uses ZFS in a mirrored configuration for redundancy and data integrity.

2. Encryption

  • In transit - All connections use TLS 1.2 or higher. Certificates are issued by Let's Encrypt and automatically renewed.
  • At rest - Data is encrypted at the storage level via ZFS and Supabase encrypted storage.

3. Data Isolation

BrighterWorks is multi-tenant. Each Workspace's data is logically separated at the database level using PostgreSQL Row Level Security (RLS). Every query is scoped to the requesting user's Workspace. Users in one Workspace cannot see, search, or access content from another Workspace.

4. Authentication

We support passwordless authentication - magic links and one-time passwords sent to your email - as well as OAuth sign-in via Google and Microsoft. There are no passwords stored in our system to steal, leak, or brute-force.

Sessions are managed with secure, SameSite cookies. Shared or group accounts are not permitted. Each user has their own account tied to their email address.

5. Privacy-First Analytics

We use Plausible CE for analytics, self-hosted on our own infrastructure in the EU. Plausible uses no cookies and counts unique visitors using a daily-rotating hash that is never stored. We can see aggregated page view counts - we cannot identify or track individual users.

For error tracking, we use GlitchTip, also self-hosted on our infrastructure. Error reports stay on our servers and are not shared with any external party.

6. Access Control

Access to production systems follows the principle of least privilege. Within Workspaces, BrighterWorks supports role-based access control with distinct admin, member, and viewer roles. Admins control who can join their Workspace and what permissions members have.

7. Application Security

  • Content Security Policy (CSP) headers to prevent XSS attacks
  • CSRF protection on all form submissions
  • Input validation and output encoding throughout
  • Dependency updates and security audit monitoring
  • Separate development, staging, and production environments
  • Code review before deployment

8. Backups

We perform regular automated backups of all data. Backups are encrypted and stored separately from the primary database. We periodically test backup restoration to verify data integrity.

9. Incident Response

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33 GDPR).

Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay (Article 34 GDPR).

If you believe you have discovered a security issue, please contact us immediately at security@brighterworks.ai.

10. What We're Working On

We believe in being honest about where we are. Here is what we have not done yet but plan to:

  • SOC 2 certification - Not yet achieved. We plan to pursue this as we grow. In the interim, we implement controls aligned with industry best practices.
  • Formal penetration testing - Not yet conducted by a third party. We rely on code review, static analysis, and responsible disclosure. Third-party testing is planned.
  • Dedicated security role - As a small team, security responsibilities are currently shared. We maintain a security improvement roadmap and regularly update dependencies.

We will update this section as we make progress. Check back or ask us directly.

11. Shared Responsibility

Security is a shared effort across multiple layers:

  • Infrastructure provider (Hetzner) - Physical security, power, network availability, and hardware for the dedicated server.
  • BrighterWorks - Application security, network configuration, data isolation (RLS), encryption, access control to production systems, patching, monitoring, and incident response.
  • Workspace Admins - Inviting the right people, removing those who should no longer have access, assigning appropriate roles, and moderating content within their Workspace.
  • Individual Users - Keeping your email account secure (since email controls access to BrighterWorks), maintaining device security, and being mindful of what you share.

12. Report a Vulnerability

If you discover a security vulnerability, please report it responsibly. Email security@brighterworks.ai with details of the issue. We ask that you:

  • Give us reasonable time to investigate and fix the issue before disclosing publicly
  • Do not access or modify other users' data during your research
  • Act in good faith

We appreciate security researchers who help us keep BrighterWorks safe.