Enterprise Security & Trust

Security at DevBrid

Protecting client data and systems is a non-negotiable priority. We maintain enterprise-grade security controls, certifications, and practices across every layer of our operations.

Our Security Pillars

ISO 27001-Aligned ISMS

Our Information Security Management System follows ISO 27001 principles, covering risk assessment, asset management, access control, and continuous improvement.

End-to-End Encryption

All data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted using AES-256. Cryptographic keys are managed via hardware security modules (HSMs).

SOC 2 Ready Infrastructure

Our cloud infrastructure is hosted on enterprise-grade providers with SOC 2 Type II certifications. We enforce network segmentation, WAFs, and intrusion detection.

Vulnerability Management

Regular third-party penetration testing, automated vulnerability scanning via SAST/DAST tools, and a responsible disclosure programme keep our systems hardened.

Data Security

Client data is logically segregated across all multi-tenant systems. We implement strict data access controls using the principle of least privilege — employees only access data required for their specific role.

All production databases are encrypted at rest using AES-256 encryption. Database credentials are managed through a secrets management system and rotated regularly.

We maintain comprehensive audit logs of all data access events, which are retained for a minimum of 12 months and monitored for anomalous behaviour using real-time SIEM tooling.

Application Security

Security is embedded throughout our software development lifecycle (SDLC). Every code change is reviewed by a peer engineer and passes automated SAST scanning before merging.

We conduct annual manual penetration testing by certified third-party security firms (OSCP/CREST certified). Findings are triaged and remediated according to our SLA: Critical within 24 hours, High within 7 days.

Our web applications are protected by a Web Application Firewall (WAF), rate limiting, CSRF protection, strict Content Security Policies (CSP), and OWASP Top 10 mitigations as standard.

Infrastructure Security

All DevBrid infrastructure is deployed on enterprise cloud providers (AWS, GCP, Azure) with multi-region availability and automated failover. We enforce VPC-level network segmentation with no direct public internet exposure for backend services.

Multi-factor authentication (MFA) is mandatory for all employees accessing internal systems. Privileged access is managed via a Privileged Access Management (PAM) solution with session recording.

We conduct regular Disaster Recovery (DR) and Business Continuity Plan (BCP) drills to ensure recovery time objectives (RTO) and recovery point objectives (RPO) are met.

Employee Security Training

All DevBrid employees complete a mandatory security awareness training programme upon joining and annually thereafter. Training covers phishing recognition, secure coding practices, data handling, and incident response.

Our security team conducts regular simulated phishing exercises to assess and improve employee awareness. Results are used to target additional training where needed.

Employees undergo background verification checks before joining, and all personnel with access to client data sign confidentiality and non-disclosure agreements.

Incident Response

We maintain a comprehensive Incident Response Plan (IRP) that is reviewed and tested semi-annually. Our Security Operations Centre (SOC) monitors for threats 24/7.

In the event of a security incident impacting client data, we will notify affected clients within 72 hours of discovery, consistent with GDPR and applicable data breach notification requirements.

Post-incident reviews (PIRs) are conducted for all significant security events to identify root causes, lessons learned, and preventative measures.

Compliance & Certifications

DevBrid maintains compliance with GDPR (EU General Data Protection Regulation), UK GDPR, and other applicable regional data protection regulations.

Our processes are aligned with internationally recognized frameworks including ISO 27001, NIST Cybersecurity Framework, CIS Controls, and OWASP.

We are happy to provide security questionnaires, penetration test executive summaries, and complete due diligence packs to enterprise clients upon execution of an NDA.

Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability in any DevBrid system, please report it to security@devbrid.com.

We commit to acknowledging your report within 48 hours, investigating all credible reports, and working to remediate validated vulnerabilities in accordance with our SLAs.

We ask that you do not publicly disclose the vulnerability until we have had an opportunity to investigate and remediate it. We do not pursue legal action against researchers who follow responsible disclosure practices.

Request Our Security Due Diligence Pack

Enterprise procurement teams can request detailed security questionnaire responses, penetration test summaries, and compliance documentation.
