Published on December 09, 2024 / Last edited on December 09, 2024
It’s no secret—modern customer engagement is built on a foundation of data. As information has become more accessible, it’s become possible for marketers to responsively target messages based on user behavior in real time and automatically adjust each individual’s customer journey as they engage. But with these impactful new capabilities come big new responsibilities: Brands that leverage user data to power their customer engagement programs also need to ensure that the data they hold is kept safe and secure and complies with relevant privacy laws and guidelines.
As brands face increasingly sophisticated cyber threats and work to navigate stringent data protection laws like the GDPR and CCPA, it’s crucial for marketers to understand not just the ins-and-outs of how to safeguard data and keep it private, but how to do it in ways that don’t limit their ability to take advantage of that data to support the kinds of responsive, impactful experiences that today’s consumers expect.
At Braze, we’ve prioritized that balance between effectiveness and data privacy/security from the very beginning. In this piece, we’ll take a look at why privacy and security are so important to customer engagement and explore how Braze has leveraged data privacy and security by design to safeguard information without compromising exceptional marketing.
Data privacy and security are often spoken of in the same breath, yet they have distinct meanings and require different mindsets and approaches. In the marketing space, data privacy is fundamentally about consumers having the right to understand, control, and manage how much (and what) information brands have about them as individuals and how it is used, while data security is about ensuring that all the information your company possesses (e.g. user information, business information, other confidential information) is protected from leaks, outside actors, and other risks. One cannot promise true privacy without robust security measures in place—it's akin to building a vault with no door.
Failing to respect data privacy or safeguard data security can seriously damage your customer engagement efforts. When brands signal that data privacy isn’t important to them (by gathering and acting on information that doesn’t support a better customer experience), users tend to react negatively, feeling that their trust has been broken or that the messages they are receiving are invasive or “creepy.” Even worse, data privacy and security failures can result in civil and even criminal penalties, depending on the severity of the issue, potentially putting the future of your company at risk.
But while relevant legislation, rules, and best practices do put guardrails on how data can be collected, processed, and used, respecting data privacy and security doesn’t require marketers to forgo the use of data in their campaigns, or undermine their ability to target, segment, personalize, or optimize the experiences that they’re serving up to their customers. What it does instead is require them to be mindful about how they’re using data, and the tools that they’re leveraging that touch the customer experience.
In general, consumers are more open to sharing the kinds of data that marketers care about if they know how it will be used. By being transparent with your customers and only using the data they hand over in responsible ways, you’re showing that you care about their privacy and keeping the door open for them to share information that can be used to deepen your understanding of their preferences and serve up the kinds of experiences that support long-term loyalty and stronger engagement. On the security front, no user wants to find out that private or personal information has been accessed improperly or leaked online, and ensuring that the systems you use meet generally established guidelines for data security is an essential part of maintaining customer trust.
Data privacy and security have been a key focus for Braze since our founding. In 2011, when we were building the very first version of our iOS SDK, Braze chose not to collect the unique universal identifier (UUID) associated with each iOS device because we believed that the use of this information to track users across devices for advertising purposes would become untenable once there was more scrutiny of mobile user data. That proved to be true—in iOS 5, Apple deprecated the UUID, creating challenges for companies that hadn’t taken user privacy seriously, but validating our approach.
At Braze, our foundational commitment to privacy and security is not just about safeguarding data—it's about empowering our customers to leverage that data responsibly. By building privacy and security safeguards into the architecture of our platform and into the core of our operations, we provide that our platform is not only secure but that the brands and marketers who depend on it are also poised for the future of digital engagement. This proactive approach has allowed us to maintain trust with our customers—and for our customers to maintain trust with their customers.
Let’s take a look at some of the ways that Braze has worked to safeguard data privacy and security—and how those efforts help marketers provide a better, privacy- and security-conscious customer experience for their users.
When marketers are using data within Braze to target, personalize, or optimize their campaigns, they shouldn’t have to worry about the security of that information. To keep that information confidential, Braze uses industry-accepted products to encrypt all data in transit to Braze and at rest.
We also perform additional encryption of API keys/passwords and make it possible for companies to hash any personally identifiable information (PII), which assists with complying with applicable privacy laws, in circumstances where our customers are obligated to provide login, access, or transfer data to third parties. Our customers can also define which fields in Braze should be treated as PII, which helps to identify and manage PII across the Braze platform.
Users are generally reluctant to share information with a company that is unable to keep it safe. To help our customers protect their data, Braze has made a point of moving beyond standard security measures and embracing a proactive approach.
To that end, we’ve long leveraged regular product penetration testing, conducted by independent third-party security firms, and have also introduced continuous assessment of potential security issues by our bug bounty researchers, supporting our overall security strategy. And while no single assessment type can ever guarantee complete security, these tests do rigorously assess our platform’s defenses against the latest threats, allowing us to swiftly identify and mitigate vulnerabilities when they do emerge.
Just like customers need to be able to trust that the brands they engage with are taking data security seriously, our customers need to be able to trust that security is an ongoing effort here at Braze. Our commitment to security is reflected in our attainment of the ISO 27001 certification and the SOC 2 Type 2 audit completion. These certifications are a testament to our rigorous security management processes and cover a broad spectrum of criteria—from operational security to risk management and from employee security awareness to environmental controls.
ISO 27001 certification helps us ensure that a robust Information Security Management System (ISMS) is in place. This certification requires a holistic approach to managing company information, focusing on continuous improvement.
Similarly, SOC 2 Type 2 is not merely a snapshot but a more extensive audit that evaluates our operational effectiveness over time. This includes detailed reviews of our control activities and their effectiveness in ensuring the security, availability, and confidentiality of the data we handle.
For heavily regulated industries like healthcare, the rules and laws that govern how data can be collected, handled, and acted on are often stricter than for other verticals. That can limit these companies’ ability to achieve modern, data-driven customer engagement use cases because the technologies they leverage to power their campaigns aren’t compliant.
At Braze, we recognize the unique sensitivity that comes with health-related data and created a special instance of our product to help brands comply with the US Health Insurance Portability and Accountability Act (HIPAA). As a result, protected health information (PHI) that is passed to Braze is stored on a separate Braze database cluster. For us, supporting HIPAA compliance is more than a regulatory requirement; it’s a fundamental component of our promise to clients in the healthcare sector, promoting that their data practices align with federal standards, help protect patient privacy, and allow for robust customer engagement even in the healthcare space.
“In many ways, the way that HIPAA requires Braze to operate for brands using PHI is the way we now operate across the board,” said Jon Hyman, Braze Cofounder and Chief Technology Officer (CTO). “For example, administrative safeguards in HIPAA required us to do a risk analysis, which we did. But that’s also a requirement for ISO 27001, where you have to make sure your information security management system conforms to high standards. And everything follows from that; making sure that we have proper controls, effective processes for things like terminating access to employees who depart, and a process for handling sensitive data across the board.”
The implementation of GDPR in 2018 marked a significant shift in data protection laws, emphasizing the rights of individuals over their personal data. It also ushered in a new era where gathering data in thoughtless or ad hoc ways presented significant risks to marketers and their customer engagement efforts.
Braze has been invested in GDPR compliance from day one and has been consistent when it comes to enabling brands to manage compliance with this and other privacy laws without sacrificing the quality of their customer engagement campaigns. We help provide the tools our clients need to meet their GDPR obligations, from data rectification and erasure to handling data access requests in an efficient and timely manner. At the same time, Braze features like Connected Content make it possible for marketers to personalize messages to users with individually relevant information without holding that data within Braze, making it easier for brands to balance privacy and exceptional customer experiences.
Braze has always worked hard to anticipate future trends in privacy regulation and to support our customer base as they work to comply with shifting laws and regulations. What does that look like in practice? For instance, updates to the CCPA now mean that companies who received a “do not sell or share data” request from one of their users may no longer use that individual’s email address to create a lookalike audience or carry out other related targeting. To assist our customers as they look to maintain effective customer engagement programs despite this new limitation, Braze has made it possible for marketers to create a suppression list that includes any affected users, allowing them to be automatically excluded from advertising audiences, assisting with compliance without undermining strategies associated with other customers.
At Braze, our rigorous security measures and privacy-by-design approach provide our customers with the confidence to innovate within their customer engagement strategies without compromising on compliance or security. This approach empowers Braze customers to harness the full power of their data to create personalized, timely, and impactful interactions with their users in thoughtful ways, making it possible for them to meet their users’ expectations in ways that respect those users’ privacy and trust.
Interested in learning more about how Braze thinks about privacy? Check out our privacy portal.
Most brands that gather personal information for any purpose on either European data subjects or California residents need to ensure that they are in compliance with applicable privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), respectively; if they fail to do so, they could potentially face significant fines and civil penalties.
For marketers, who increasingly rely on data to inform their customer engagement efforts, staying compliant with these laws is particularly important. By staying compliant with these laws, brands aren’t just reducing the risk that they face financial penalties, they’re also signalling to current and potential customers that they value their audience’s privacy and that their customer engagement program is built with privacy and security in mind.
Data privacy/security is natively embedded into all aspects of our platform to align with global data privacy/security standards and best practices. Braze uses industry-accepted products to encrypt all data in transit to Braze and at rest. To uphold standards, Braze performs additional encryption of API keys/passwords and offers PII hashing when clients must provide login, access, or transfer data to third parties. Clients can also define which fields in Braze should be treated as PII for further protection of data. All private health data is stored on a separate Braze database cluster to support HIPAA safeguard requirements.
Back in 2016, Braze worked with third-party experts on the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to build out a HIPAA-compliance offering of our product, and in 2017, we completed a successful Service Organization Control (SOC) 2 Type 1 examination. All of these efforts are part of our focus on continual, incremental improvements to the Braze approach to security.
In 2018, after a long and thorough process, Braze successfully completed its SOC 2 Type 2 audit and ISO 27001 certification. These key new security steps meant that our customers can feel even more confident that we do what we say we do with respect to our security controls. In the years since, Braze has maintained these certifications as part of our overall data privacy and security efforts.
“Privacy by design” means ensuring that systems are built from the beginning with the intention of protecting the personal data and privacy rights of consumers, such as by using industry-standard security practices and following the wishes of consumers with respect to their personal data.
At Braze, we’ve emphasized data privacy and security across our organization from the very start. Strong security requires a smart development process, which is why we’ve prioritized thoughtful code reviews as part of our standard activities since the early days of the company. If an organization is pushing out code that is not being adequately reviewed, it is a security risk on par with a lack of traditional safeguards, such as firewalls and virus protection. We’ve also built out and maintained an ongoing security attestation roadmap featuring the following common certifications and actions:
The American Institute of Certified Public Accountants (AICPA) oversees the SOC 2 standard, which sets down compliance requirements in connection with a given company’s security controls, ensuring that Braze and other organizations have established strict information security policies and procedures that cover five Trust Service Principles: Availability, Security, Processing Integrity, Confidentiality, and Privacy.
When Braze undergoes a SOC 2 audit, we’re asked to outline how our security processes and controls are designed to meet the criteria for a given Trust Service Principle. Then these controls are reviewed by a third-party auditor to assess the suitability of those security controls when it comes to design and operating effectiveness. Ultimately, the SOC 2 compliance process is focused on how Braze addresses information security risks, and how we implement proper controls to mitigate those risks to acceptable levels.
The SOC 2 process is a technical audit, where the third-party auditor produces an attestation report describing aspects of the security control of the company. The first part of the audit, known as SOC 2 Type 1, is a so-called “point in time” audit, where the independent auditing firm reviews documentation, systems, and controls in place, and asks for evidence of their current use. If the evidence a company provides demonstrates that they have a suitably designed information security management system, generally they’ll complete the Type 1 audit. The SOC 2 Type 2 audit, on the other hand, takes place over a longer period—at least six months. During this time, Braze staff must demonstrate that we operate in a normal day-to-day manner that complies with the controls that we outlined in the Type 1.
As part of this process, an outside auditor comes onsite to re-review the description of Braze security controls and requests a random sampling of evidence of those controls’ use over the previous six months to verify adherence. Under this process, the auditor is looking to make sure that what a company says it’s doing reflects what it’s actually doing: “You say all new hires have a background check performed? Give me a list of new hires and I’ll randomly pick a few, and we’ll see if you can provide me with evidence that you did their background checks. You say all code changes are reviewed before being deployed to production? Give me a list of all the code changes from the past months, I’ll pick a few at random, and then I’ll ask you to provide me with evidence of the chain of approval.”
By undergoing this level of scrutiny and assessment, Braze can demonstrate not just that our organization takes security seriously, but that we are actively taking effective measures to safeguard the information at our disposal.
Forward Looking Statements
This blog post contains “forward-looking statements” within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding the performance of and expected benefits from Braze and its products and data privacy programs. These forward-looking statements are based on the current assumptions, expectations and beliefs of Braze, and are subject to substantial risks, uncertainties and changes in circumstances that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Further information on potential factors that could affect Braze results is included in the Braze Quarterly Report on Form 10-Q for the fiscal quarter ended July 31, 2024, filed with the U.S. Securities and Exchange Commission on September 6, 2024, and the other public filings of Braze with the U.S. Securities and Exchange Commission. The forward-looking statements included in this blog post represent the views of Braze only as of the date of this blog post, and Braze assumes no obligation, and does not intend, to update these forward-looking statements, except as required by law.