> ## Documentation Index > Fetch the complete documentation index at: https://docs.brightdata.com/llms.txt > Use this file to discover all available pages before exploring further. # Security & Compliance > Bright Data security and compliance: ISO 27001, SOC 2, regular penetration testing and encryption, covering MCP server, Browser API and all Bright Data APIs. All three ISO certifications are explicitly scoped to *"a public web data collection platform designed for high-scale collection, automation, and AI agent / RAG systems for web data access."* This directly covers use of Bright Data's MCP Server, Browser API, and all APIs in agentic workflows. ## Certifications at a Glance Information Security Management System (ISMS) **Valid until:** Aug 11, 2028 **No.** 1126059 - SII–QCD (ANAB Accredited) Cloud Security Controls **Valid until:** Jul 13, 2028 **No.** 1125290 - SII–QCD Protection of PII in Public Clouds **Valid until:** Jul 13, 2028 **No.** 1125291 - SII–QCD Available under NDA **Period:** Jun 1, 2024 – May 31, 2025 Audited by Deloitte Global Network Publicly downloadable **Period:** Jun 1, 2024 – May 31, 2025 Audited by Brightman Almagor Zohar & Co. Cloud Security Alliance Registry [View listing →](https://cloudsecurityalliance.org/star/registry/bright-data/) *** ## How independent audits work ### SOC 3 Report - Deloitte Conducted by **Brightman Almagor Zohar & Co., a firm in the Deloitte Global Network**, covering **June 1, 2024 – May 31, 2025**. The audit examined controls across four trust service criteria: Protection against unauthorized access to systems and data Uptime commitments and disaster recovery readiness Data classification, encryption, and access controls GDPR/CCPA compliance and PII handling procedures > *"In our opinion, management's assertion that the controls within the Service Organization's system were effective... to provide reasonable assurance that Bright Data's service commitments and system requirements were achieved based on the applicable trust services criteria is fairly stated, in all material respects."* > > * Brightman Almagor Zohar & Co. (Deloitte Global Network) Full SOC 3 report covering June 1, 2024 – May 31, 2025 *** ### Penetration Test - Skylight Cyber Security An independent penetration test and source code review was conducted by **Skylight Cyber Security Pty Ltd** (May–June 2025), covering the full Bright Data product surface. **Products tested:** | Product | Coverage | | ------------------------------------------------ | -------- | | Control Panel & Public APIs | Full | | Datacenter, Residential, Mobile, and ISP Proxies | Full | | SERP API and Web Unlocker API | Full | | Web Scraper IDE, Marketplace, and API | Full | | Web Archive API | Full | | Dataset Marketplace and Custom Dataset API | Full | **Three threat scenarios were in scope:** 1. Unauthenticated attacker attempting to compromise the entire platform 2. Malicious administrator attempting internal compromise 3. Unauthorized account access or proxy misuse **Result:** All Critical and High severity findings were remediated. Skylight re-tested to confirm the findings were addressed and the risk was mitigated. Attestation letter from Skylight Cyber Security Pty Ltd *** ## How data encryption works | Layer | Standard | | -------------------- | -------------------------------------------------- | | **Data in transit** | TLS 1.3 (minimum TLS 1.2) with modern cipher suite | | **Data at rest** | AES-256 or better across all infrastructure | | **Credentials** | Hashed and salted using a modern hash function | | **Database backups** | Encrypted; daily full backups, monthly snapshots | | **Backup storage** | AWS Backup; snapshots distributed across locations | *** ## Infrastructure & Availability Amazon Web Services (AWS), multi-Availability Zone deployment DR site on AWS EU; annual large-scale DR drills; RCA for all high-severity incidents Full database backup every 5 minutes; daily AWS snapshots; critical backups on Microsoft Azure Active DDoS mitigation and rate limiting; continuous firewall monitoring by dedicated InfoSec team *** ## Access Control & Identity | Control | Implementation | | --------------------------- | ---------------------------------------------------------------- | | **Least privilege** | All IAM roles scoped to minimum required permissions | | **MFA** | Required for all AWS platform access by employees | | **Customer authentication** | Strong password (min. 8 chars) + email verification | | **RBAC** | Role-Based Access Control with regular user access reviews | | **Third-party access** | Re-authorized annually; requires signed NDA and InfoSec approval | | **Remote access** | VPN with encryption required; host-check enforced | *** ## Application & Development Security * **CI/CD pipeline** - Controlled pipeline with end-to-end and unit testing, including authorization testing * **Secure SDLC** - Based on the OWASP Top 10 framework; security requirements defined before development begins; annual developer security training * **Change management** - Formal review and approval process for all infrastructure and application changes, including security risk evaluation at R\&D review stage * **Third-party risk (TPRM)** - All vendors mapped and classified by risk tier; high-risk suppliers require security questionnaire and InfoSec sign-off before contract * **Bug bounty** - Managed private program for responsible disclosure by independent security researchers *** ## Privacy & Regulatory Compliance | Regulation / Standard | Status | | ------------------------------------- | ------------------------------------------------------ | | GDPR (EU) | ✅ Compliant - DPIAs conducted as part of product flows | | CCPA (California) | ✅ Compliant | | UK Data Protection Act | ✅ Compliant | | Virginia Privacy Law | ✅ Compliant | | Israeli Privacy Protection Law (1981) | ✅ Compliant | | ISO 27001:2022 | ✅ Certified | | CSA STAR | ✅ Listed | | PCI DSS | ✅ Working compliance | * **Privacy policy** reviewed and updated annually - [brightdata.com/privacy](https://brightdata.com/privacy) * **Customer data deletion** available at any time upon request * **Data selling** - Bright Data does not sell or license customer data to any third party *** ## Information Security Policy Bright Data maintains a formal, board-approved Information Security Policy aligned with **NIST, ISO 27001:2022, ISO 27017, and ISO 27018**. IAM policies enforcing least-privilege access across all systems, with regular audits and annual reviews. Network segmentation, TLS 1.3 in transit, AES-256 at rest, and modern cipher suites throughout. CIS Benchmarks applied to all endpoints and servers. Security requirements defined before development begins; OWASP Top 10 framework; annual developer training. All vendors classified by risk tier; high-risk suppliers require security questionnaire and InfoSec sign-off. Three-tier classification: Sensitive, PII, and Public - with controls applied per tier. Incident reporting, RCA for high-severity events, annual DR drills, and a formal BCP. *** ## Security for AI Agents & MCP Users Bright Data's MCP Server and Browser API operate under the same certified security infrastructure described on this page. Always treat scraped web content as **untrusted input**. Validate and filter data before passing it to an LLM prompt to mitigate prompt injection risks. **Recommended practices when using Bright Data in agentic workflows:** Validate and filter web data before passing it to an LLM prompt - this mitigates prompt injection attacks. Prefer `web_data_*` tools where available - they return pre-validated, schema-consistent data. Store API keys as environment variables. Never hardcode credentials in agent code or prompts. Use API key permission scoping (five levels available) to enforce least-privilege access from your agent. *** ## Certifications & Reports All three ISO certificates in a single PDF Public SOC 3 - Jun 1, 2024 – May 31, 2025 Available under NDA upon request Penetration test attestation and live trust documentation Updated annually; GDPR & CCPA aligned Responsible disclosure program for security researchers *** ## Frequently Asked Questions Yes. Bright Data holds **ISO/IEC 27001:2022, ISO 27017, and ISO 27018** certifications, valid until August 11–13, 2028, issued by SII–QCD (ANAB Accredited, IAF & IQNET member). Yes. Bright Data has a **SOC 2 Type II** report available under NDA, and a publicly downloadable **SOC 3** report audited by the Deloitte firm (Brightman Almagor Zohar & Co.). Yes. Bright Data has undergone a comprehensive GDPR and CCPA compliance program, conducts Data Privacy Impact Assessments (DPIAs) as part of all product flows, and maintains a publicly available privacy policy updated annually. Yes. Annual penetration tests and source code reviews are performed by independent third-party security firms. The most recent test (Skylight Cyber Security, May–June 2025) left no Critical or High severity findings unresolved. Yes. All data is encrypted in transit (**TLS 1.3**) and at rest (**AES-256**). Database backups are encrypted and distributed across multiple cloud locations. Yes. Bright Data is trusted by Fortune 500 companies, academic institutions, and 15,000+ organizations worldwide. Its security posture is independently validated through ISO 27001/27017/27018 certification and an annual Deloitte SOC 2 Type II audit. Yes. All ISO certifications are explicitly scoped to include AI agent and RAG system use cases for web data access, which covers the MCP Server, Browser API, and related products. *** *For security inquiries: [security@brightdata.com](mailto:security@brightdata.com)* *For enterprise compliance reviews: [Contact sales](https://brightdata.com/contact)*