We sat down with Julien Champseix and Arthur Poirier at Brevo to discuss all things data security — from following regulations to preventing cyberattacks, and sharing our own approach to data privacy. In the last of our three-part Conversations with the Experts, we take a closer look at Brevo’s global data security framework.
Meet our data security experts
Julien is Chief Information Security Officer at Brevo. Since starting his position one year ago, Julien has overseen Brevo’s ISO 27001:2013 certification and continues to reinforce the company’s data security framework.
Arthur is Brevo’s Legal Manager and Data Protection Officer, ensuring GDPR compliance at Brevo as well as supporting clients’ conformity.
Defining Brevo’s approach
What is Brevo’s overall approach to cybersecurity?
Julien: Our cybersecurity framework operates across a few different axes since our platform and applications can be accessed manually via login credentials and programmatically via API keys.
We run various penetration tests to be able to detect weak points before they’re compromised. We work with ethical hackers to run bug bounties, which is basically when those hackers try to penetrate and crash our platform and all the applications running alongside it.
This type of proactive security is super valuable, because it gives us a ton of information about the fault itself but also what actions an external actor would need to take in order to access the fault. These details are first verified by our security teams at Brevo and then passed on to our engineers, who correct and document the fault to avoid reproducing it.
With my team, we run regular checks on code quality and security within our applications. So before we even release an application, we can see if anything’s not up to our standards or if it’s not compliant with regulation, namely OWASP.
Finally, we make an effort to offer clients the option to further protect themselves with things like multi-factor authentication and IP address whitelisting. When a client does both of these, hackers don’t really stand much of a chance.
Many recent high-profile data breaches have been traced back to compromised employee accounts and devices. What does Brevo do to prevent this sort of incident?
Julien: This is absolutely the case — we’re seeing more and more that the majority of security breaches come from employees, be it by sharing passwords with a coworker or falling victim to a phishing email.
At Brevo, every device we issue to employees is protected with encryption and anti-malware software. Employees also go through cybersecurity training and are required to regularly change their passwords. That acts as a first line of defense.
Next, our mobile device management (MDM) software allows us to monitor our entire fleet of devices. That way, we’re able to ensure our employees are using the latest and most secure versions of any software or application. The MDM also allows us to keep a close eye on what sort of information our employees have access to.
Finally, I send out regular communications to employees to alert them of data breaches in our industry and update them on new best practices. This helps keep everyone thinking about data security and makes sure we’re all on our toes and able to spot phishing attempts, social engineering efforts, and other malicious content.
Could you give an example of threats that Brevo’s data security framework is designed to defend against?
Julien: To give a concrete example, we have clients creating API keys to run automations between their site, their online store, and Brevo. They sometimes store their API keys on repositories like GitHub.
In doing so, clients’ API keys are made publicly accessible, meaning their accounts and data could be potentially compromised. So what we’ve done is set up detection mechanisms to identify our clients’ leaked API keys, immediately deactivate those keys, and then inform our client.
We take clients’ data extremely seriously because without measures like this, a leak could have detrimental consequences on their businesses. So that’s why we’ve set up backstops like this one.
What role does Brevo play in protecting individuals’ personal data within the context of GDPR?
Arthur: The GDPR defines two main roles that are relevant to Brevo and our users: controller and processor. A controller is directly responsible for initiating and organizing the processing of personal data. And a processor is a contractor that handles that personal data on the controller’s behalf.
For Brevo, the data controller is our client, which makes us the processors because everything we handle in terms of personal data is on behalf of that client, who gives us ‘instructions’ from their account. Brevo would never upload personal data, send a campaign, an email, or contact someone from a client’s account without being told to do so. So that’s why we’re not considered controllers, but processors.
What do we do to help our clients stay GDPR-compliant?
Arthur: First, the GDPR says you always need a contract between the controller and the processor, so that’s become part of the standard documentation we offer clients and is included as an annex in our terms and conditions.
Next, we perform audits on our own processors to have as much information as possible about their data handling. That way, we can respond to clients with evidence backing our GDPR compliance and full transparency about where the data is going.
In terms of persons responsible, there are two Data Protection Officers at Brevo: myself and Betina Russell, who focuses on the DACH region. Between the two of us, we handle major concerns and questions from clients. We also train our customer experience agents on privacy-related matters and make sure we keep them up to date on topical GDPR issues.
Above all, we’ve designed a product to meet the challenges of compliance with the GDPR, taking into account the constraints and requirements of such a regulation.
Finally, we’ve set up an efficient process for responding to data subject requests.
What is the impact of Brevo’s recent ISO certification?
Julien: With Brevo’s certification, our users can rest assured knowing their data is managed and protected using state-of-the-art security practices. It also demonstrates Brevo’s long-term commitment to cybersecurity by requiring us to have a dedicated department working to continuously improve our product security.
Beyond that, being ISO-certified is becoming standard practice. It’s helpful for consumers to be able to see what companies do in terms of cybersecurity along standardized criteria. We have the same monitors and audits, and can easily communicate that with users via the public certification.
In this way, the certification is much more than one single moment — it means a company is continuously working to maintain and improve its data security and management. It has specifically dedicated physical resources, human resources, and a budget to continue to improve its security.
Leading the way in cybersecurity
Because of the sheer amount of personal data that large organizations typically handle, they shoulder most of the risk of breaches and leaks. At the same time, they have the most resources to effectively thwart cybersecurity incidents.
Consumers are becoming increasingly concerned about how their personal data is handled. Now’s the time for large organizations to respond to this concern by assessing, challenging, and bolstering their data protection frameworks.
To learn more about data security at Brevo, take a look at our global approach to protecting your data