Our infrastructure includes a secure system architecture, hosting data centers, the latest versions of security patches, penetration and vulnerability scans, redundant services with failover capabilities, and firewalls for added protection.

Your data

  • Data storages

  • Compliance with GDPR in EU region

  • Privacy policy

  • Data segregation and data access

  • Backups & disaster recovery

  • Logs - authentication & login

  • Passwords & sessions

  • Federated Services & Single Sign On (SSO)

  • Multi-factor authentication

  • Monitoring

  • Permissions and roles


  • Secure transport via HTTPS

  • Encryption in transfer & at rest

Security in Software Development

  • Code Reviewing

Additional Security Measures

  • Policies

  • Business Continuity Plan

  • Corporate Security Policies

  • Office Security

  • Incident response

  • Security training

  • Background checks

  • Confidentiality

  • Payment processing & PCI compliance


Our secure system architecture

We are using a multi-tier infrastructure with security gateways protected by firewalls. Services, like data storage and more, can only be accessed by an application that requires access specifically for that service and only by personnel with certain authorization levels. Access information is securely stored outside our codebase and our data.

Our hosting data centers

The Brainfish software and all its services are hosted and managed within the AWS’ (Amazon Web Services) secure data centers. These centers all come with certain certifications:

  • SOC 1/ISAE 3402, SOC 2, SOC 3


  • PCI DSS Level 1

  • ISO 9001, ISO 27001, ISO 27017, ISO 27018

We use Amazon's hosting locations US East (Ohio) and EU-Central (Frankfurt)

All services are only accessible from our Virtual Private Cloud (AWS VPC). We are using the available AWS services to protect data privacy and control access to our entire network. If you are interested in more specific details about these certifications, please have a look at the AWS compliance center.

Latest versions and security patches ‍We are working continuously to have the latest version of software and security patches installed.

Penetration and vulnerability scans

Our system is regularly (at least annually) audited and tested via penetration tests to identify any vulnerabilities. We are also using security tools to check for vulnerabilities of our code and watch-guard for potential risks. Each upcoming risk is reported, classified, and promptly fixed and patched.

We are working hard to prevent SQL injections, XSS vulnerabilities, and other common issues.

Redundant services and failover

Our services are built for failover. In case a service fails there are always redundant services to take over the job. This allows us to provide a consistent and reliable service to our customers. Our services are distributed throughout AWS availability zones.

All databases are replicated synchronously to quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center. Then we are able to restore them elsewhere as needed, even in the event of a regional data center failure.


‍Our system, servers, and networks are secured by various firewalls which are regularly checked and updated. We only provide one access path with open ports 80 and 443 for HTTP(S) traffic. All other systems, servers, and networks are protected and limited to our internal network. Only authorised personnel with a profound background check have access to our server infrastructure. The access to our data centers is secured through VPN and 2-factor authentication.

Your Data

Data storages

All data storages are not accessible to the outside/internet and are protected within our Virtual Private Network. Access to data stores with customer data is limited to systems that require this access. All data is encrypted while in transport by using enhanced encryption mechanisms like SSL etc.

All our connections are encrypted via Transport Layer Security (TLS) with version v1.2. We have implemented encryption of all data in rest.

All production environments are separated from testing environments.

Compliant with General Data Protection Regulation (GDPR) for EU region customers
We are compliant with the EU General Data Protection Regulation (GDPR) which should help to protect personal data and give individual users more rights and control of their personal data. We are a processor in terms of GDPR. We are storing some personal data (Personally Identifiable Information (PII)) in the form of name and email of users, browser information, operating system, screen sizes, URL, location / IP address (only in specific cases) and screenshots of browser content.

We are storing all data in the European Union (EU). If we have a sub-processor that is not processing in the EU, we ensure through an EU-SCC and a DPA that the sub-processor has an adequate security standard.

For more information and our Data Privacy Agreement, please read our GDPR page.


You can protect sensitive data in all subscription plans by using our PII-protection feature to black-out confidential information from your website or web application before a screenshot is taken.

Privacy policy

We demonstrate our company’s commitment to privacy. Please read our privacy statement.

Data segregation and data access

All accounts and data of each customer are separated by unique IDs. These can only be accessed by the customers’ team members. Our customer success team will only access a customer's account after a clear request by the customer.

Backups & disaster recovery

All data is backed up daily, secured by encryption, and stored for 30 days.

Deleted data is not removed from backups to allow for the possibility to recover in case of deletion. All previous backup data is removed after 90 days. We are reviewing our backups at least annually and simulate a full backup recovery.

Security Logs

Our system is storing logs to reproduce any faults or track security breaches. No personal data is stored within our logs. Activity logs are kept for 90 days.

Authentication & Login

We do not save passwords on our system. Instead, users log in with a one-time code. To secure access to our application, we use sessions that expire after a specific time of inactivity or unauthorized access.

Login and Google oAuth
Besides the standardised email and password access to our system, Brainfish offers our customers and users the possibility to access our system via Google oAuth.

Permissions and roles
Brainfish offers different roles with different permissions within our system. Team owners have all access and managing permissions, while team members can manage all items within a project. Users are allowed to submit feedback and send in messages.


Secure transport via HTTPS

Our system enforces traffic via HTTPS (port 443). Requests to web resources and access to our REST API can only be obtained via SSL.

Encryption at transport and at rest.

Our platform uses industry-standard encryption algorithms for encrypting your data in transport, as well as at rest.

Security in Software Development

Code Reviewing ‍

The Brainfish development team uses a modern software development approach to ensure the development of secure, reliable, fast and flexible software.

We are using a revision control system (git). Any changes to our source code base go through a suite of automated tests and are reviewed & approved by authorised persons in a code review. When code changes pass the automated testing system and manual reviews, the changes are deployed to a staging server. In this staging server, Brainfish employees are able to test changes before an eventual push to production servers and our customer base.

We also add a specific security review for particularly sensitive changes and features. Brainfish engineers can pick critical updates and push them immediately to production servers.

In addition to a list where all access control changes are published, we have a suite of automated unit tests that checks whether access control rules are written correctly and enforced as expected. We also work with third-party security professionals to protect your data.

Additional Security Measures

Incident response

In case of a security or performance incident, our team will notify customers of the impact through email. The resolution details with detail report will be shared to impacted customers.

Security training

Security is only effective if it is practiced regularly. That’s why our team and employees have to conduct security training outlined in our policies regularly after joining.

Payment processing & PCI compliance

All credit card payments paid to Brainfish are processed by our payment partner Stripe. Find more information about their security protection and PCI certification on their Security page. We have no access to your credit card information.

Further Information

Requests regarding security

If you have questions regarding the security of Brainfish, please contact our security team via

Terms of service

Please, be aware that our terms of service apply for all your subscriptions.