Security & Compliance

Our approach to security and compliance

At Brightworld.ai we take security and compliance very seriously. Our AI agents and systems are designed with "security by design" and "privacy by design" principles. This document describes how we protect your data and comply with relevant laws and regulations.

1. Data Processing & Storage

1.1 Data Location

  • Default: BrightAdaptive AI determines the safest route for your data on a per-request basis. European datacenters are used where possible.
  • On-premise option: for clients with strict data location requirements we discuss the options on a case-by-case basis.
  • Cloud providers: we use ISO 27001 certified cloud providers within the EU.

1.2 Data Encryption

  • In transit: TLS 1.3 for all data transfers
  • At rest: AES-256 encryption for all stored data
  • Backups: Encrypted backups with separate key management

1.3 Data Retention

We retain your data only as long as necessary for service delivery or as legally required. Standard retention periods:

  • Project data: duration of project + 7 years (statutory retention obligation)
  • Logs: 90 days (security logs: 1 year)
  • Backups: 30-day rolling backup

2. GDPR Compliance

2.1 Processing Roles

  • Brightworld as processor: in most projects we act as processor on your behalf (you being the controller)
  • Data Processing Agreement: We conclude a standard Data Processing Agreement (DPA) in accordance with GDPR Article 28
  • Sub-processors: All sub-processors (cloud providers, LLM providers) have a DPA and comply with GDPR

2.2 Privacy by Design

Our AI agents are designed with privacy principles:

  • Data minimisation: only necessary data is processed
  • Pseudonymisation where possible
  • Access control on a need-to-know basis
  • Automatic deletion of temporary data
  • Audit logging of all data access

2.3 Data Subject Rights

We facilitate the exercise of data subject rights:

  • Right of access, rectification and erasure
  • Right to data portability
  • Right to object
  • Response time: within 30 days

3. LLM & AI-Specific Security

3.1 LLM Provider Selection

We only work with LLM providers that meet our security and privacy requirements:

  • EU-based or with adequacy decision
  • No training on customer data (zero data retention policies)
  • SOC 2 Type II or ISO 27001 certification
  • DPA in accordance with GDPR Article 28

3.2 Prompt Injection & Security

  • Input sanitisation and validation
  • Output filtering for sensitive data
  • Rate limiting and abuse prevention
  • Monitoring of abnormal behaviour

3.3 Model Governance

  • Documentation of models and versions used
  • Bias monitoring and mitigation
  • Explainability where required
  • Human-in-the-loop for critical decisions

4. Access Control & Identity Management

  • Multi-factor authentication (MFA): mandatory for all access
  • Role-based access control (RBAC): least privilege principle
  • Single Sign-On (SSO): optionally available via SAML/OAuth
  • Session management: automatic timeout after inactivity
  • Audit logging: all access is logged and monitored

5. Incident Response & Business Continuity

5.1 Security Incident Response

In the event of a security incident we follow our incident response protocol:

  • Detection: 24/7 monitoring and alerting
  • Containment: immediate isolation of affected systems
  • Notification: clients are informed within 24 hours in the event of a data breach
  • Remediation: recovery and prevention of recurrence
  • Reporting: incident report and lessons learned

5.2 Data Breach Notification

In accordance with GDPR Articles 33 and 34:

  • Notification to the Dutch Data Protection Authority within 72 hours
  • Notification to data subjects in case of high risk
  • Documentation of all data breaches

5.3 Business Continuity

  • Uptime SLA: 99.5% (optional: 99.9% with premium tier)
  • Backups: daily, with 30-day retention
  • Disaster recovery: RTO 4 hours, RPO 1 hour
  • Redundancy: multi-AZ deployment for critical systems

6. Compliance & Certifications

6.1 Current Compliance

  • AVG/GDPR: fully compliant, DPA available
  • NIS2: in preparation (applicable from October 2024)
  • AI Act: monitoring and preparation for new regulations

6.2 Certifications (roadmap)

We are working towards the following certifications:

  • ISO 27001 (Information Security Management) — Q3 2026
  • SOC 2 Type II — Q4 2026
  • ISO 27701 (Privacy Information Management) — 2027

7. Third-Party & Supply Chain Security

All third parties with access to client data are carefully vetted:

  • Due diligence on security posture
  • Contractual security and privacy obligations
  • Regular audits and reviews
  • List of sub-processors available on request

8. Penetration Testing & Audits

  • Penetration testing: annual testing by an external security firm
  • Vulnerability scanning: continuous automated scanning
  • Code reviews: security review at every release
  • Dependency scanning: automatic check for vulnerabilities in dependencies

9. Employee Security

  • Background checks: for all employees with data access
  • Security awareness training: mandatory for all employees
  • Confidentiality agreements: NDA for all employees and contractors
  • Access reviews: quarterly review of access rights

10. Transparency & Reporting

We believe in transparency about our security practices:

  • Security updates: clients are proactively informed about relevant security updates
  • Compliance reporting: available on request for enterprise clients
  • Audit rights: clients have the right to audit (subject to reasonable conditions)
  • Status page: real-time status of our systems

Contact for Security & Compliance

For questions about security, compliance or to request a DPA:

Email: [email protected]
Security issues: [email protected]
Phone: +31 26 2340340

Last updated: 18 February 2026