Privacy, Security & Compliance

For: BROSH's platform apps


Information Security

At BROSH, we take security seriously! We map our security program to industry standards such as ISO 27001 and the CIS Critical Security Controls. We are constantly looking for ways to improve security, not only in our product but also in how we conduct business on a daily basis.

Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing BROSH. We also use tools to help us enforce compliance with our internal security policies. 


BROSH is compliant with the international ISO 27001 standard and with the SOC 2 standard as defined by the AICPA.

Our online payment processors, Google and PayPal, are both certified as Level 1 Service Providers (PCI DSS). BROSH never has access to sensitive payment details.

BROSH complies with CCPA and GDPR regulations.


Terms of Service

Data Protection Attachment

Cookie Policy


CCPA Notice


Internal Security Measures

Personnel Security

All employees complete background checks and are required to acknowledge the security policy and sign a confidentiality agreement.

Identity and Access Management

Employees have unique logins for all business-critical systems, and two-factor authentication is enforced wherever possible. We conduct regular access audits and operate on the principle of least privilege.

Hardware Security

All employee laptops are managed, have encrypted hard drives and are monitored with antivirus software.

Physical Security

BROSH’s office is secured by key fob access doors. Entrances and exits are observed and captured on a closed-circuit (CCTV) camera. The office is monitored and protected by an alarm system.

Network Security

The internal network is restricted, segmented and password protected.

Security Education

As part of our commitment to ensure that every member of our team understands the role they play when it comes to security, we provide ongoing security training throughout the year, including periodic phishing tests. Each new employee attends a security training session within the first two weeks of hire to help them learn to identify threats such as social engineering and phishing.

In addition, employees and contractors with coding responsibilities are required to complete secure code training courses.


BROSH's Application Security

BROSH is hosted in public clouds such as AWS and Google Cloud, giving us access to the benefits they provide their customers, such as physical security, redundancy, scalability and key management.

In addition to the benefits provided by the public cloud, our application has its own built-in security features:

  • Role-based permissions
  • Automation
  • Backups and versioning
  • Two-factor authentication *
  • SSO capabilities with G Suite *
  • Single Sign-On *
* capabilities vary based on subscription tier

Customer Data and Privacy

BROSH stores the following customer data in its cloud:

  • Names
  • Usernames and email addresses
  • Billing Email Address
  • Payment history and invoices
  • Phone Number (optional)
  • Billing address
  • Company (optional)
  • Location (city, country) 
  • Job Title (optional)
  • Personal Website (optional)
  • Referred By (optional person who referred user to use BROSH)

BROSH uses a range of third-party service providers to assist with its data processing, customer engagement, and analytic activities. The type of data that the Subprocessor has access to is limited to only what is reasonably necessary to perform the service provided. Please refer to our Subprocessor page for more information on the list.

We recommend customers who need to comply with HIPAA integrate a 3rd party form provider rather than using a BROSH form.


Encryption is used throughout BROSH to protect PII and non-public data from unauthorized access. 

All communication between BROSH users and the BROSH-provided web application is encrypted in transit using TLS.

All databases and database backups are encrypted at rest.

Data Retention

Customers can request all of their data, or have it deleted by sending an email to: as long as it is not subject to a legal hold or investigation. 

Once an account or project is deleted, all associated data (account settings, etc.) are removed from the system. This action is irreversible.

Access to Data

Access to customer data is limited to those whose roles require it to perform their job duties. An example of this is our Support team.

3rd Party Sub-processors

At BROSH, we use 3rd party service providers to help with analytics, payments and for hosting our service.

All 3rd party services undergo a due diligence check to ensure your data stays secure. The data provided to these services is limited to the minimum required to perform their processing duties.

Infrastructure Availability

Our backend infrastructure is hosted in a public cloud (AWS, Google Cloud, etc.) and is fully monitored to detect any downtime.

SLAs for BROSH Hosting and BROSH Application are available through the BROSH Master Service Agreement for Enterprise Plan.

Pen-testing and Security Scans

BROSH conducts 3rd party pen-tests at least annually. In addition to regular pen-testing, we also use scanning tools to monitor and detect vulnerabilities. It is against BROSH’s Terms of Service to probe, scan, or test the vulnerability of the Service or any Content, or any system or network connected to the Service.

Responsible Disclosure

If you believe you have discovered a vulnerability within BROSH's application, please submit a report to us by emailing

BROSH does not participate in a public bug bounty program at this time, nor do we provide monetary rewards for publicly reported findings.

If you believe your account has been compromised or you are seeing suspicious activity on your account please report it to:


Best practices

  • Never, under any circumstances, give another person credentials for your account.
  • Create a long and strong password (recommended 12+ characters, including upper- and lower-case letters, numbers and special characters).
  • Ensure that you are utilizing Multi-Factor Authentication or Single Sign-On (if possible).
  • Never share sensitive account details such as payment or username information with third parties.


If you have any additional questions regarding security please send us an email to For Enterprise customers, please reach out to your Account Executive to get more information about our Security Program.
