Compliance

Brightstead supports public benefit programs and the people who run them. That means handling data with care, protecting client privacy, and building systems that withstand oversight and scrutiny. This page outlines how we approach compliance, privacy, and risk.

Data Protection & Privacy

We follow a privacy-by-design approach. We collect only the data we need to power key workflows and retain it only as long as necessary. Personal data is never sold or shared for advertising.

  • End-to-end encryption in transit and at rest
  • Access controls and detailed audit logging
  • Role-based permissions with least-privilege defaults
  • Support for client data access, correction, and deletion

Security Practices

We adhere to industry-standard security principles to protect sensitive data. Our systems are deployed in secure cloud environments, with automated patching, network isolation, and continuous monitoring in place.

  • Hosted on infrastructure with SOC 2 Type II certification
  • Environment-level separation for production and testing
  • Vulnerability scans and penetration testing conducted regularly
  • All staff undergo security and privacy training

HIPAA Alignment

While Brightstead is not a covered entity, we are designed to support teams that handle health-adjacent data. We implement administrative, physical, and technical safeguards that align with the HIPAA Privacy and Security Rules.

  • Encryption (TLS 1.2+, AES-256) for all data in transit and at rest
  • Automatic audit logs and access tracking for sensitive records
  • Available Business Associate Agreements (BAAs) for eligible partners
  • Ongoing internal assessments of HIPAA-related controls

CPRA & Consumer Privacy Rights

Brightstead aligns with the California Privacy Rights Act (CPRA) to ensure transparency and control for individuals whose data may be processed by our platform. We honor the core principles of CPRA across our product and internal practices.

  • Right to Know: Individuals can request a summary of data collected and its use.
  • Right to Delete: Users may request erasure of personal information when permissible.
  • Right to Correct: Inaccurate records can be updated upon request.
  • No Sale or Sharing: Brightstead does not sell or share personal data for cross-context advertising.

To request access, deletion, or correction of your data, email us at privacy@brightstead.care.

Risk Management

Compliance is part of a broader risk posture. We take a proactive, practical approach to identifying and mitigating risk across technical, operational, and legal domains.

  • Routine risk reviews across systems, vendors, and workflows
  • Automated monitoring for anomalous activity and access
  • Incident response plans and regular backup testing
  • Support for program-level audit preparation and reporting

Our Commitment

We build Brightstead to serve real people doing real work — and that includes helping providers meet regulatory, contractual, and ethical obligations. If you have questions about our compliance posture or data protections, we’re here to talk.