brightwheel Security FAQs

Learn more about brightwheel's commitment and approach to security.

Written by Sabrina
Updated over a week ago

Trust is a key building block in brightwheel’s promise to put you first, with ongoing improvements to ensure the safety, privacy, security, and reliability of your experience. We are proud to offer:

  • Enhanced account safety with two-factor authentication, strict password requirements, and cloud-based storage using Amazon Web Services.

  • A stringent Privacy Policy that dictates no personal information can be sold to third parties.

  • Highest financial data security and compliance levels (PCI Level 1) for invoicing and processing payments, so no confidential banking information is stored on brightwheel.

  • Ongoing reliability with 99.9% uptime and fraud protection with 24x7 monitoring by a dedicated in-house team. For a real-time update on brightwheel’s availability, see here.

If you need to print the FAQs in this article for your program, right-click in your browser window and select Print!


What is brightwheel's approach to data security?

Brightwheel has the largest engineering team in the early education industry. In addition to 24x7 monitoring of all production data and infrastructure, there is an ongoing investment to employ the latest technology to keep your data safe.


What is brightwheel's data infrastructure?

All brightwheel application servers and databases are hosted within Amazon Web Services (AWS) data centers. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS data center operations are accredited under:

  • ISO 27001

  • SOC1 and SOC2 SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • PCI Level 1

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

Data center staff monitor electrical, mechanical, and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

View AWS SOC Compliance information here.


What is brightwheel's approach to application security?

All brightwheel software is under continuous review. Brightwheel also undergoes periodic third-party security audits to ensure the safety of our application and infrastructure.


Does brightwheel sell/share data with third parties?

We do not sell any personal information to third parties, and your personal data is only used in accordance with our Privacy Policy. Programs can upload data, and they can access, download, or request that data from us at any time.


How does brightwheel safeguard my billing and payment information?

Brightwheel has partnered with a payment processor (Stripe) that is certified as PCI Level 1, the most stringent level of certification available. See their security site for detailed information about their security measures.

No one at brightwheel has any access to any customer banking records, and all families using brightwheel for payment have to go through a two-step authentication process to verify their accounts.


Is brightwheel HIPAA or FERPA compliant?

Brightwheel enables programs to stay compliant with FERPA. The Terms of Service and Privacy Policy have been written to protect student information in accordance with the FERPA requirements.

For HIPAA guidance, it is recommended you contact a HIPAA compliance officer directly. Although brightwheel meets many of the requirements of HIPAA, brightwheel does not certify HIPAA compliance for its platform. It’s important to note that the U.S. Department of Health & Human Services (HHS) has stated that HIPAA regulations do not apply to the type of information stored and collected in brightwheel or similar software. HHS explains that HIPAA does not apply to schools in most cases because a school: “(1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition ‘education records’ under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.”


Does brightwheel use single sign-on?

At this time, single sign-on is not a feature available on the brightwheel application. However, brightwheel is the most secure all-in-one childcare and preschool software, setting the standard as the first and only early education app to offer two-factor authentication at sign-in for enhanced account protection.


How would brightwheel handle a data breach?

There is 24x7 monitoring by an in-house dedicated team, and if there is any suspicious activity observed, there are protocols in place to investigate and take action immediately, depending on the situation.

To catch any unusual account activity, there are email notices sent to admins anytime a new admin is added to the program and to parents anytime a new student contact has been added for their student. These email notices are immediate security measures in place to alert you of any unusual activity. Ensure you review these security notices to determine the appropriate steps to follow in the event you do not recognize the activity.


How does brightwheel handle fraudulent charges?

We have a full team dedicated to monitoring payments and use industry-leading software to pre-emptively block high-risk charges. Our payment processor, Stripe, uses a machine learning model and has a vast network of data to determine if cards or individuals have been involved in fraud or disputes in the past.

If a payer uses a fraudulent card that is later disputed, we will work with the program one-on-one to determine the best path forward. We understand how devastating this scenario can be, so our payment operations team looks at each case individually and communicates with your program to support you.


What access do parents have when they leave a program?

Activated parents can access their accounts until they are deactivated or removed from the student’s profile by the program. Activated parents and admins can request a parent’s account be deactivated, but the parent will ultimately have to finalize the deactivation using a link sent to them via email. Admins can remove a parent from a student’s profile at any time as well.


What is the best way to manage staff accounts when they leave a program?

We suggest that a program administrator export any profile attachments and timecard/payroll reports needed for the staff member and then delete the profile.

It’s important to make sure that you export any information needed prior to deleting the profile to make this process as smooth as possible. It’s also important to note that once a staff member has been removed from brightwheel, their name will no longer appear in the drop-down menu when viewing Timecards and Payroll reports. If a report needs to be run after an employee has already been removed, please see our payroll for removed staff resource.


What are some tips administrators, staff, or families can follow to protect their accounts and keep their data secure?

💡Tips for Admins, Staff, and Families

What actions can I take to keep my account as secure as possible?

  • Keep your brightwheel app up to date to ensure you are using the most secure version of brightwheel. It can be updated manually or set up for automatic updates to be downloaded each time a new version is released.

  • Use two-factor authentication at sign-in and do not disable it. This is a security best practice and is designed to make sure that you’re the only person who can access your account, with the use of two different forms of verification.

  • Frequently rotate your password and make sure it meets minimum security requirements. Ensure it’s unique, long, and memorable with symbols, letters, and numbers.

  • Set up a passcode on your device’s lock screen to prevent anyone from being able to just pick up your device and dig into your data.

💡Tips for Admins and Staff

How should I manage any photos and videos I’ve taken on my personal device and uploaded to brightwheel?

We recommend establishing a weekly practice of deleting all photos and videos you’ve taken on your personal device once they’ve been uploaded and shared to a student’s feed. This is a best practice to ensure that photos and videos are not stored on your device longer than they need to be.

What are the best practices for shared logins?

We strongly recommend you avoid sharing login information at your program. If multiple staff are using the same device, use Room Device Mode. If staff already share a login, remember to change passwords at the time of termination.

💡Additional Tips for Admins Only

How can I best manage staff access at my program?

Review our Teacher and Staff Permissions resource to understand what role options are available to use in your program and then assign staff the appropriate role depending on your program’s needs.

How can I leverage brightwheel further to improve my program’s security and offerings?

If you’re not already using brightwheel Billing, we highly recommend implementing this feature in your program! You can encourage families to pay online using brightwheel, and they can add their own payment details. This way, families directly enter their payment details, and your program is not responsible for storing their information or safeguarding checks/cash until deposited.


If you have questions related to brightwheel security or similar topics, please contact our Support team for further assistance!
