Security by Design

Security & Compliance

At Brightworld.ai we take security and compliance very seriously. Our AI agents and systems are designed with "security by design" and "privacy by design" principles.

1. Data Processing & Storage

Data Location

  • All data is processed within European datacenters, unless otherwise agreed with the client
  • On-premise option available for strict requirements
  • ISO 27001 certified cloud providers within the EU

Data Encryption

  • TLS 1.3 — all data transfers
  • AES-256 — all stored data
  • Encrypted backups with separate key management

Data Retention

  • Project data: duration of project + 7 years (statutory retention)
  • Logs: 90 days (security logs: 1 year)
  • Backups: 30-day rolling backup

2. GDPR Compliance

Processing Roles

  • Brightworld acts as processor in accordance with GDPR Article 28
  • Standard Data Processing Agreement (DPA) available
  • All sub-processors have a DPA and comply with GDPR

Privacy by Design

  • Data minimisation: only necessary data
  • Pseudonymisation where possible
  • Access control on a need-to-know basis
  • Automatic deletion of temporary data

Data Subject Rights

  • Right of access, rectification and erasure
  • Right to data portability
  • Response time: within 30 days

3. LLM & AI-Specific Security

LLM Provider Selection

  • EU-based or with adequacy decision
  • No training on customer data (zero data retention)
  • SOC 2 Type II or ISO 27001 certification

Prompt Injection & Security

  • Input sanitisation and validation
  • Output filtering for sensitive data
  • Rate limiting and abuse prevention

Model Governance

  • Documentation of models and versions used
  • Bias monitoring and mitigation
  • Human-in-the-loop for critical decisions

4. Access Control & Identity Management

  • Multi-factor authentication (MFA) mandatory for all access
  • Role-based access control (RBAC) — least privilege principle
  • Single Sign-On (SSO) — available via SAML/OAuth
  • Automatic timeout after inactivity
  • All access is logged and monitored

5. Incident Response & Business Continuity

Security Incident Response

  • 24/7 monitoring and alerting
  • Immediate isolation of affected systems
  • Clients informed within 24 hours in case of data breach
  • Recovery and prevention of recurrence

Business Continuity

  • Uptime SLA: 99.5% (optional 99.9% premium)
  • Daily backups with 30-day retention
  • Disaster recovery: RTO 4h, RPO 1h
  • Multi-AZ deployment for critical systems

6. Compliance & Certifications

Current Compliance

  • AVG/GDPR — fully compliant, DPA available
  • NIS2 — in preparation
  • AI Act — monitoring and preparation

Certifications (roadmap)

  • ISO 27001 (Information Security Management) — Q3 2026
  • SOC 2 Type II — Q4 2026
  • ISO 27701 (Privacy Information Management) — 2027

7. Third-Party & Supply Chain Security

  • Due diligence on security posture
  • Contractual security and privacy obligations
  • Regular audits and reviews
  • List of sub-processors available on request

8. Penetration Testing & Audits

  • Annual penetration testing by external security firm
  • Continuous automated vulnerability scanning
  • Security review at every release
  • Automatic check for vulnerabilities in dependencies

9. Employee Security

  • Background checks for all employees with data access
  • Mandatory security awareness training
  • NDA for all employees and contractors
  • Quarterly review of access rights

Contact for Security & Compliance

For questions about security, compliance or to request a DPA:

Email: [email protected]

Security issues: [email protected]

Phone: +31 26 2340340

Last updated: 11 March 2026