Security & Compliance

Built for enterprise data buyers

Security and compliance posture for Canadian insurers, banks, telecoms, and government buyers evaluating BrightCat for enterprise use.

Data delivery security

BrightCat delivers data primarily through Snowflake Secure Data Share and Snowflake Marketplace. Clients receive a live, read-only share inside their own Snowflake account — no file transfers, no FTP, no extract sitting in a shared drive. This delivery model inherits Snowflake's enterprise security posture, including SOC 2 Type II, ISO 27001, HIPAA readiness, PCI DSS, and encryption in transit (TLS 1.2+) and at rest (AES-256).

For clients using the MCP connector, access is authenticated via OAuth with scoped, read-only permissions. Every query is logged in Snowflake's native audit trail. For clients receiving structured files, delivery uses SFTP or encrypted cloud storage with rotating credentials and time-limited access.

What encryption is applied to BrightCat data?

Data in transit is encrypted using TLS 1.2 or higher. Data at rest inside the Snowflake delivery environment is encrypted using AES-256. Access is scoped to the client's Snowflake account with no cross-tenant data visibility.

Does BrightCat data leave the client's environment?

No. Snowflake Secure Data Share delivers a live reference to BrightCat's data that is queryable only from inside the client's Snowflake account. The client's queries, joins, and derived datasets do not leave their environment.

Delivery layer inherits Snowflake's SOC 2 Type II, ISO 27001, and enterprise encryption controls. Access is scoped, audited, and read-only.

Data content posture

BrightCat products deliver property-level and address-level data, not person-level data. The core dataset describes properties — their characteristics, listing history, sale events, and lifecycle states — not the individuals who own or occupy them. Names, phone numbers, email addresses, and government identifiers are not included in BrightCat's core products.

This content posture is deliberate. Property-level signal is what enterprise buyers need for underwriting, valuation, retention timing, and portfolio monitoring. Person-level enrichment adds privacy burden without adding signal for these use cases. Clients who need person-level data handle that match inside their own CRM under their own consent framework.

Is BrightCat data personal information under PIPEDA or Law 25?

Property-level and address-level data drawn from public property listing events is generally treated as public-record or public-domain information in Canadian privacy frameworks. How the buyer chooses to match it to their own customer records, and what consents apply on their side, is handled inside the buyer's existing privacy framework. BrightCat's delivered data does not contain names, phones, emails, or government identifiers.

Does BrightCat scrape public websites or consumer portals?

No. BrightCat operates on licensed property data under long-term commercial contracts held continuously since 2014. The company does not scrape MLS sites, consumer real estate portals, or public listing websites.

Property-level, not person-level. No names, no phones, no emails, no government identifiers in core products.

Compliance framework

BrightCat's compliance posture is structured around the regulatory frameworks relevant to Canadian and international enterprise clients:

Specific certifications, attestations, and supporting documentation are available to enterprise clients under NDA as part of the procurement due-diligence process.

Personnel and operations

BrightCat operates a trained team with documented runbooks covering the full data pipeline — ingestion, validation, reconciliation, delivery, and incident response. Pipeline operations have run continuously on a weekly cadence since 2014, across source-file format changes, provincial data-source shifts, and infrastructure evolution.

Access to production data and delivery infrastructure is restricted to trained personnel on a need-to-know basis. Administrative credentials are managed through password vaults with multi-factor authentication. Role-based access controls separate pipeline operations from client-facing delivery. Production access is logged and reviewed.

What happens if a key person becomes unavailable?

Pipeline operations are documented in runbooks that enable continuity. Trained team members can run the weekly pipeline, generate client deliverables, and respond to client support requests. Twelve years of continuous weekly operations is itself evidence that the pipeline is not fragile to individual availability.

Where is BrightCat data stored and processed?

Production delivery is through Snowflake. Region and hosting specifics are scoped to the client's requirements during engagement. Canadian-residency requirements are standard in BrightCat's delivery setup.

Licensing and contractual posture

BrightCat data is licensed under the BrightCat Master Data License Agreement (MDLA), a framework designed for enterprise property-intelligence use cases. Standard licensing terms cover:

A current MDLA reference document is available to enterprise procurement teams under NDA. The licensing framework summary outlines the shape of the commercial agreement for buyer orientation. BrightCat does not resell or redistribute third-party licensed data outside the terms of its upstream supply contracts.

Clear licensing boundaries. Explicit AI/ML framework. Enterprise-grade contractual posture since the MDLA v3 framework rollout.

Incident response and communication

BrightCat's incident response posture covers three categories: data-quality incidents (a pipeline run produces anomalous output), delivery incidents (a scheduled share or file delivery is delayed or fails), and security incidents (unauthorized access, credential compromise, or other security-relevant events).

For data-quality and delivery incidents, clients are notified directly and provided with a remediation plan and revised timeline. For security-relevant incidents, notification follows the timelines and procedures required under the client's contract and applicable regulatory frameworks, including PIPEDA's breach-of-security-safeguards provisions where applicable.

BrightCat maintains an incident log and reviews root causes to inform pipeline hardening. Enterprise clients can request a standing review cadence as part of their engagement.

Due-diligence support

BrightCat supports enterprise procurement and privacy-review processes. Standard due-diligence deliverables include:

Procurement and privacy teams can route detailed security, compliance, or due-diligence questions to alexandria@brightcatdata.com. Response timeline for security-review requests is typically one to three business days.
