Skip to main content

Overview

Security is foundational to BrightHive’s architecture. Every customer gets dedicated, isolated AWS accounts — not shared tenancy. Your data never co-mingles with other customers, and every access path is authenticated, authorized, and auditable.

Account Isolation

BrightHive uses AWS account boundaries as the primary isolation mechanism:
  • Organization accounts are dedicated AWS accounts, each with their own VPC, S3 buckets, and Glue catalog. Your raw data lives here.
  • Workspace accounts are dedicated AWS accounts, each with their own VPC and Redshift Serverless cluster. Your analytics run here.
  • Platform account runs shared services (API, Neo4j, Cognito) that coordinate across customer accounts.
No customer data is stored in the shared platform account. Neo4j stores only metadata (schema, lineage, relationships) — never the actual data.

Network Isolation

Dedicated VPCs

Every organization and workspace gets its own VPC with private subnets for data processing. No shared networking.

Private Subnets

Data processing and storage run in private subnets. No public internet access to your data infrastructure.

VPC Endpoints

Cross-account access uses VPC endpoints and IAM roles — not public internet or VPN tunnels.

Multi-AZ

Redshift Serverless runs across 3 availability zones for high availability within your dedicated VPC.

Authentication & Authorization

User Authentication

  • AWS Cognito manages all user authentication with two separate pools: Platform (customer users) and Internal (admin).
  • JWT tokens authenticate every API request. Tokens are validated by API Gateway custom authorizers before reaching any backend service.
  • Session management ensures tokens expire and require re-authentication.

Cross-Account Authorization

  • OrgDataCatalogRole — An IAM role in each organization account that trusts the workspace’s Redshift role. This is how Redshift queries organization data without sharing credentials.
  • No credentials are shared — All cross-account access uses IAM role assumption (AWS STS), not stored passwords or API keys.
  • Workspace-scoped access — The GraphQL API uses Neo4j metadata to route queries only to workspaces and organizations the user is authorized for.

Data Isolation

LayerIsolation Mechanism
AWS AccountDedicated accounts per organization and workspace
NetworkDedicated VPCs with private subnets
StorageDedicated S3 buckets per organization
WarehouseSchema-per-organization in Redshift
MetadataNeo4j access control lists
AuthCognito user pools with workspace membership

How Data Moves

Data flows through the platform via secure, authenticated paths:

Ingestion (data in)

Your File → Org S3 (your AWS account) → Glue Crawler → Schema in Glue Catalog → Metadata synced to Neo4j
Your data lands in your dedicated S3 bucket in your own AWS account. It never leaves your account boundary during ingestion.

Querying (data out)

User → Cognito Auth → GraphQL API → Neo4j (metadata lookup) → Redshift (your workspace) → Assumes OrgDataCatalogRole → Reads Org S3 via Spectrum
Redshift in your workspace assumes a cross-account IAM role to read data directly from the organization’s S3. No data is copied — Spectrum reads in place.

AI Agent Access

User → BrightAgent → Neo4j (discover data) → Redshift (query via workspace role) → Results
BrightAgent accesses data through the same authenticated paths as the webapp. Agents can only access data the user’s workspace is authorized for.

Secrets Management

  • AWS Secrets Manager stores all credentials (database passwords, API keys, service tokens).
  • Snowflake JWT tokens for Snowflake authentication — no stored passwords.
  • Environment variables for non-sensitive configuration, managed per deployment environment.
  • No secrets are stored in code, configuration files, or Neo4j.

Deployment Security

  • Infrastructure as Code — All infrastructure is managed via AWS CDK. No manual configuration or console changes.
  • CI/CD — GitHub Actions and AWS CodeBuild for automated deployments with approval gates.
  • Three environments — Dev, staging, and production with promotion workflows.
  • Primary region: us-east-1 with multi-AZ redundancy for critical services.

Monitoring & Compliance

  • CloudWatch — Logs and metrics for all Lambda functions and API performance.
  • Sentry — Error tracking across platform services.
  • Neo4j audit logs — All metadata access and modifications are logged.
  • Redshift query logs — Full audit trail of every query executed against your warehouse.
For compliance certifications and detailed security documentation, visit our Trust Center.