> ## Documentation Index
> Fetch the complete documentation index at: https://docs.brighthive.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Security
> How Brighthive isolates your data, secures access, and protects your infrastructure at every layer.
## Overview
Security is foundational to Brighthive's architecture. Every customer gets dedicated, isolated AWS accounts — not shared tenancy. Your data never co-mingles with other customers, and every access path is authenticated, authorized, and auditable.
## Account Isolation
Brighthive uses AWS account boundaries as the primary isolation mechanism:
```mermaid theme={null}
graph TD
subgraph platform["Platform Account - Shared"]
API[GraphQL API]
Neo4j[Neo4j Metadata]
Cognito[Cognito Auth]
end
subgraph workspace["Workspace Account - Dedicated per Customer"]
Redshift[Redshift Serverless]
DBT[DBT Cloud]
end
subgraph org["Org Account - Dedicated per Organization"]
S3[S3 Data Lake]
Glue[Glue Catalog]
end
API --> Neo4j
API --> Cognito
Redshift -->|Cross-account IAM| S3
Redshift -->|Cross-account IAM| Glue
```
* **Organization accounts** are dedicated AWS accounts, each with their own VPC, S3 buckets, and Glue catalog. Your raw data lives here.
* **Workspace accounts** are dedicated AWS accounts, each with their own VPC and Redshift Serverless cluster. Your analytics run here.
* **Platform account** runs shared services (API, Neo4j, Cognito) that coordinate across customer accounts.
No customer data is stored in the shared platform account. Neo4j stores only metadata (schema, lineage, relationships) — never the actual data.
## Network Isolation
Every organization and workspace gets its own VPC with private subnets for data processing. No shared networking.
Data processing and storage run in private subnets. No public internet access to your data infrastructure.
Cross-account access uses VPC endpoints and IAM roles — not public internet or VPN tunnels.
Redshift Serverless runs across 3 availability zones for high availability within your dedicated VPC.
## Authentication & Authorization
### User Authentication
* **AWS Cognito** manages all user authentication with two separate pools: Platform (customer users) and Internal (admin).
* **JWT tokens** authenticate every API request. Tokens are validated by API Gateway custom authorizers before reaching any backend service.
* **Session management** ensures tokens expire and require re-authentication.
### Cross-Account Authorization
* **OrgDataCatalogRole** — An IAM role in each organization account that trusts the workspace's Redshift role. This is how Redshift queries organization data without sharing credentials.
* **No credentials are shared** — All cross-account access uses IAM role assumption (AWS STS), not stored passwords or API keys.
* **Workspace-scoped access** — The GraphQL API uses Neo4j metadata to route queries only to workspaces and organizations the user is authorized for.
## Data Isolation
| Layer | Isolation Mechanism |
| --------------- | ------------------------------------------------- |
| **AWS Account** | Dedicated accounts per organization and workspace |
| **Network** | Dedicated VPCs with private subnets |
| **Storage** | Dedicated S3 buckets per organization |
| **Warehouse** | Schema-per-organization in Redshift |
| **Metadata** | Neo4j access control lists |
| **Auth** | Cognito user pools with workspace membership |
## How Data Moves
Data flows through the platform via secure, authenticated paths:
### Ingestion (data in)
```
Your File → Org S3 (your AWS account) → Glue Crawler → Schema in Glue Catalog → Metadata synced to Neo4j
```
Your data lands in your dedicated S3 bucket in your own AWS account. It never leaves your account boundary during ingestion.
### Querying (data out)
```
User → Cognito Auth → GraphQL API → Neo4j (metadata lookup) → Redshift (your workspace) → Assumes OrgDataCatalogRole → Reads Org S3 via Spectrum
```
Redshift in your workspace assumes a cross-account IAM role to read data directly from the organization's S3. No data is copied — Spectrum reads in place.
### AI Agent Access
```
User → BrightAgent → Neo4j (discover data) → Redshift (query via workspace role) → Results
```
BrightAgent accesses data through the same authenticated paths as the webapp. Agents can only access data the user's workspace is authorized for.
## Secrets Management
* **AWS Secrets Manager** stores all credentials (database passwords, API keys, service tokens).
* **Snowflake JWT tokens** for Snowflake authentication — no stored passwords.
* **Environment variables** for non-sensitive configuration, managed per deployment environment.
* No secrets are stored in code, configuration files, or Neo4j.
## Deployment Security
* **Infrastructure as Code** — All infrastructure is managed via AWS CDK. No manual configuration or console changes.
* **CI/CD** — GitHub Actions and AWS CodeBuild for automated deployments with approval gates.
* **Three environments** — Dev, staging, and production with promotion workflows.
* **Primary region**: `us-east-1` with multi-AZ redundancy for critical services.
## Monitoring & Compliance
* **CloudWatch** — Logs and metrics for all Lambda functions and API performance.
* **Sentry** — Error tracking across platform services.
* **Neo4j audit logs** — All metadata access and modifications are logged.
* **Redshift query logs** — Full audit trail of every query executed against your warehouse.
For compliance certifications and detailed security documentation, visit our [Trust Center](https://trust.brighthive.io).