This page is for IT administrators and security consultants seeking to complete a security review of BrightSlide.


    Q: Does BrightSlide collect any user data and if so, what?

    A: Yes, the initial registration process collects the following data and transmits it to the BrightCarbon licence server:

    • Company Name
    • User Name
    • Business Email Address
    • Account ID – made up from various computer profile attributes and displayed in the registration window
    • Platform Data – Operating System and version, PowerPoint version and UI language, BrightSlide version

    The platform data is updated from time to time so that we can let user know if they are on a particularly old version of the product.


    Q: What kind of data encryption is used?

    A: The registration information is transported to our licence server via https requests.


    Q: What data backup and protection plans are in place?

    A: BrightSlide does not collect confidential data. Account registration information is backed up by a trusted service provider.


    Q: What security standard have been applied during the development?

    A: BrightSlide does not collect, store or transfer confidential data and hence none of the typical industry standards are applicable, including NIST and OWASP.


    Q: What languages are supported by the software user interface:

    A: The BrightSlide UI is currently available in English.


    Q: Is help/training/support documentation multilingual?

    A: No. In-app help and online website helps is in English.


    Q: Does the vendor have PCI, SOC2, SOC3 or ISO27001 certification?

    A: No.


    Q: If the vendor is hosting their solution via a third-party, is the third-party hosting provider SOC2, SOC3 or ISO 27001 certified?

    A: BrightSlide is not a hosted solution.


    Q: Is the product cloud-based?

    A: No.


    Q: What is the SLA availability?

    A: The solution is a client-side application with no service interaction.


    Q: How is authorisation to the service authenticated?

    A: The solution is a client-side application with no service interaction.


    Q: What is the vendor’s typical/largest implementation of solution for a single client? (i.e. number of internal or external users/end-users)

    A: Please contact us for this confidential information.


    Q: What environments are supported?

    A: Windows and macOS desktop version of Microsoft PowerPoint with a Microsoft 365 account or perpetual version of Office 2016 and higher.


    Q: Does the vendor provide a SSO solution?

    A: No. There is no sign on required.


    Q: Does the vendor provide MFA functionality for all users?

    A: No. This is not a cloud-based solution.


    Q: Is this product/technology AODA compliant.

    A: No. But it includes elements of WCAG 2.0 and is hosted within PowerPoint which includes an accessibility checker.


    Q: Does the vendor perform third-party risk assessments / PEN testing, at least annually, to identify potential threats and vulnerabilities that could impact customer services or customer data? (application level and network level)

    A: No. the solution is not SaaS and the only data held is that shown above. No company-sensitive data is collected or stored.


    Q: Does the product make use of third party services?

    A: BrightCarbon’s website and licence server is hosted by a third party.


    Q: Do you have a data centre and if so, where is it located?

    A: The solution does not make use of a data centre.


    Q: If you have a data center, what level of physical security is provided to protect it from malicious action?

    A: The solution does not make use of a data centre.


    Q: What anti-virus solutions are used to scan the software prior to publication?

    A: BitDefender and Microsoft Windows Defender. We also have a close partnership with Microsoft for resolving any false positive detections that may arise.


    Q: Why does BrightSlide make use of Windows APIs?

    A: We use around 100 external Windows and macOS APIs to facilitate various features. For example, keyboard APIs are used to create the Shift key shortcuts in the product, system cursor APIs are used to change the mouse cursor, the sleep API is used to make clipboard data transfers robust, the popen API is used on macOS to allow users to click support hyperlinks, and so on.


    Q: Can I activate the Microsoft Defender ASR policy “Block Win32 API calls from Office macros“?

    A: The short answer is no. Microsoft do not differentiate API calls made from VBA code carried inside an Office document and VBA code installed as part of an Office application add-in. Enabling this policy will cause BrightSlide to be blocked. An alternative approach could be to use these M365 admin centre policies to allow BrightSlide to run while preventing malicious document macros:

    – Only trust VBA macros that use V3 signatures

    – Block macros from running in Office files from the internet

    Join the BrightCarbon mailing list for monthly invites and resources

    Tell me more!