Brushfire Data Security & Privacy

At Brushfire, data security and privacy are our top priorities. Brushfire powers thousands of events with millions of transactions each year. We understand the importance of our security measures and practices to you. While we can't divulge extensive details about these practices, we can share general information to assure you of our commitment to securing your data.

Data Center Security

  • Brushfire hosts components of our platform with Microsoft Azure, Google Cloud Platform, Amazon Web Services, and Mongo Cloud
  • Each of these providers has rigorous physical security controls to prevent unauthorized access to the data centers as well as redundancy measures in place
  • Brushfire has business continuity plans in place should any of the data centers or sub-processing platforms become unavailable
  • Brushfire routinely performs penetration testing to ensure that current security measures are effective

Protection from Data Loss

  • Brushfire accounts are segmented with controls in place to prevent data corruption and loss, ensuring that each account only has access to its own data
  • Brushfire employs modern technological defenses, such as advanced encryption protocols and real-time monitoring systems, to prevent data loss and ensure the integrity of your information
  • All data is replicated in multiple geographic locations and regularly backed up

Application Level Security

  • Brushfire account passwords are securely hashed, ensuring even our staff cannot view them. If you lose your password, it cannot be retrieved and must be reset.
  • All login pages on our website and mobile site transmit data using TLS 1.2 or higher.
  • The Brushfire application is fully encrypted using TLS 1.2 or higher.
  • Login pages and logins via the Brushfire API have brute force protection.

Employee Security & Safeguards

  • We consistently train our employees on optimal security practices, including the identification of social engineering tactics, phishing scams, and hacker threats.
  • Employees on teams with access to customer data (such as tech support and engineers) undergo criminal background checks before employment.
  • All new hires must sign Non-Disclosure and Confidentiality Agreements.
  • All employees and contractors are required to complete Data Privacy Agreements and undergo Data Privacy training.
  • To safeguard our company from various potential losses, Brushfire has implemented a robust insurance program. This comprehensive coverage encompasses cyber incidents, data privacy breaches (including regulatory costs), general errors and omissions liability, excess cyber liability, and protection against property damage and business interruptions.

PCI DSS Compliance

  • Square and Stripe offer protected and secure payment integrations with Brushfire.
  • Cardholder payment account information is not processed through Brushfire servers. All payment account information is handled directly by Square and Stripe.
  • Brushfire receives minimal identifying information about payments from Square and Stripe.
  • Compliance reports for PCI DSS standards are available upon request.

Privacy First Mindset

  • Our product team collaborates with various departments across the organization to ensure our products and features adhere to relevant data protection and anti-spam regulations.
  • We are dedicated to adhering to relevant data protection laws and equipping our customers with the necessary tools to meet their own compliance needs.
  • Brushfire subscribes to the Principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). This framework guides our responsibilities for importing and processing data from individuals in the EU, UK, and Switzerland.
  • Individuals may request a copy of their personal data, or request that their personal data be removed from Brushfire, by following the instructions in our Privacy Policy.
  • In compliance with the EU-U.S. Data Privacy Framework Principles, Brushfire commits to resolve complaints about privacy and our collection or use of personal information transferred to the United States pursuant to the DPF Principles.