Security & Privacy Overview
Updated: 05-22-2025
We understand that agencies working with sensitive information require a clear, reliable security posture from their vendors. This page outlines the technical and procedural safeguards we have in place to protect user data, ensure system availability, and support compliance with relevant standards.
Our platform is built on enterprise-grade cloud infrastructure and follows best practices in data protection, access control, encryption, and incident response. We are committed to transparency and collaboration with agency security teams to meet review requirements and maintain trust at every level.
The Briefing Room is a secure, cloud-based video training platform designed exclusively for law enforcement education and policy reinforcement. It does not collect, store, transmit, or interact with any CJIS-regulated data, such as criminal history records, biometric information, or case-related intelligence. Our platform delivers non-agency-specific training videos, along with optional discussion guides and tracking features for internal training purposes. Because The Briefing Room operates entirely outside the scope of CJIS data systems, no CJIS compliance requirements apply to its use.
If you require additional detail or documentation, our team is available to support your evaluation process.
You can email us at contact (at) thebriefingroom.com.
Service Commitments & Uptime Guarantee
We guarantee 99.9% uptime as outlined in this Service Level Agreement (SLA). We monitor our services for availability and performance using analytics and Google Cloud Platform’s infrastructure for high reliability and scalability.
Hosting Infrastructure & Environment
Our platform is hosted on a managed cloud environment built on Google Cloud Platform (GCP). This environment is designed to meet the demands of enterprise security, reliability, and performance. Key features include:
- Global redundancy and failover support
- Data center physical security managed by Google
- Scalable, container-based architecture with resource isolation
SOC2 and ISO 27001 Compliance: Our infrastructure is compliant with leading international standards for information security, ensuring that customer data is protected against unauthorized access and security incidents.
Hosting Environment
- Enterprise Cloud Infrastructure: Powered by Google Cloud Platform’s premium tier network
- Geographic Distribution: Multi-region deployment with data residency controls
- Isolation: Container-based architecture ensuring complete tenant isolation
- Uptime SLA: 99.9% uptime guarantee with proactive monitoring
Network Security
- DDoS Protection: Advanced DDoS mitigation at network edge
- Web Application Firewall (WAF): Real-time threat detection and blocking
- IP Allowlisting: Configurable IP restrictions for administrative access
- CDN Security: Global content delivery network with built-in security features
- SSL/TLS Encryption: Enterprise-grade SSL certificates with Perfect Forward Secrecy
Authentication & Access Control
Access to the platform is governed by strict role-based permissions. Each user is assigned a defined access level that determines exactly what content and functionality they can view or interact with. Permissions are dynamically managed and updated to reflect user status, training progression, or administrative changes.
Key safeguards include:
- Role-based restrictions to limit access by job function or clearance level
- Automated access revocation when a user is no longer authorized
- Audit-friendly activity logging to track login attempts and access history
- Admin-level access restricted to approved internal personnel only
We follow the principle of least privilege—ensuring users only see what they are permitted to, with no blanket or open access to sensitive content.
Multi-Factor Authentication (MFA)
We understand that many agencies require additional layers of protection beyond standard username and password logins. To support this, Multi-Factor Authentication (MFA) is available and can be enabled or disabled at the agency level based on your internal security requirements.
Key features include:
- Agency-controlled MFA enforcement — easily configurable per organization
- Support for industry-standard TOTP apps (e.g., Google Authenticator, Microsoft Authenticator)
- Active for administrative and privileged roles by default in secure configurations
- Available as part of our enterprise security package
MFA helps prevent unauthorized access by requiring users to verify their identity using a second device before logging in. Agencies that require MFA for all users can enforce it platform-wide, while others may choose to apply it to specific user roles or departments.
If your agency would like MFA configured for your account, please contact our team to activate it.
Optional Enterprise SSO
For agencies requiring identity federation or centralized authentication, Single Sign-On (SSO) integration is available as an optional add-on. This allows users to authenticate via your organization’s identity provider (e.g., Microsoft, Okta, or Google Workspace), improving access control and alignment with internal security policies.
We currently use secure password-based authentication for user and admin logins. At this time:
- Multi-Factor Authentication (MFA) is not yet required, but we recognize its importance and are planning to implement it—starting with administrative and editorial roles.
- Single Sign-On (SSO) is not currently supported but is under consideration for enterprise clients who require federated identity support.
Data Privacy & User Data Practices
We collect only the information necessary to deliver a secure, reliable experience. This includes data needed to provide access, track training progress, and support internal reporting. We do not sell user data or share it with third parties for marketing purposes.
User data is stored on enterprise-grade infrastructure with encryption at rest and in transit. Access is restricted to authorized personnel only and managed through role-based permissions and internal controls. Anonymized usage data may be used to improve platform performance and usability.
We support agency-level configuration of login policies, permissions, and access controls to help align with your internal privacy standards. If your agency requires additional controls, restrictions, or documentation, our team is available to support your review.
For more details, you can refer to our Privacy Policy, or contact us directly with any questions or concerns. We’re committed to being clear, responsive, and respectful in all matters related to data privacy.
- Personal Identifiable Information (PII): Limited collection, primarily for authentication and platform usage. We do not sell or share PII with third parties.
- Usage Logs: We log user interactions (such as article reads and search activity) for performance monitoring and content improvement. These logs are anonymized and stored securely.
- Training Logs: For agencies that choose to use The Briefing Room’s built-in training records system, all training logs and attendance data are securely retained and not subject to automatic deletion. While we maintain these records indefinitely as part of the platform’s functionality, we strongly recommend that agencies download and archive their training data on their own internal systems on a monthly basis. This ensures local access, supports long-term recordkeeping policies, and provides redundancy in accordance with your agency’s data retention and compliance protocols.
Incident Response & Breach Notification
We take system security and data integrity seriously. We maintain clear internal procedures to detect, contain, and respond to any suspected security incident in a timely and responsible manner.
If a security event occurs—such as unauthorized access, data exposure, or service disruption—we follow these core steps:
- Detection and Verification: Our team monitors system activity and performance. If an anomaly or potential threat is identified, we immediately investigate to determine whether an actual incident has occurred.
- Containment and Mitigation: If an incident is confirmed, we isolate the affected systems to prevent further impact and begin remediation. This may include revoking access, restoring backups, or applying emergency patches.
- Notification: If personal data or sensitive information has been compromised, we will notify affected agencies or users within 72 hours of confirmation, in accordance with applicable laws and best practices.
- Review and Prevention: After resolution, we conduct a post-incident review to identify root causes and apply any necessary improvements to strengthen future safeguards.
We are committed to transparency, prompt communication, and continuous improvement. If your agency requires additional reporting procedures or technical documentation, we are happy to collaborate to meet your internal standards.