BrighterBalance is delivered as a Software-as-a-Service (SaaS) application over standard HTTPS (port 443). No inbound firewall changes are required for districts to use BrighterBalance. Outbound HTTPS access to the domains listed below is sufficient. This article documents recommended whitelist entries for districts that operate content filters, SSL inspection appliances, or restrictive egress firewalls.

Quick Reference

For most districts, whitelisting these two domains in your content filter is sufficient:

Including all subdomains (e.g., *.brighterbalance.app) covers all current and future BrighterBalance services.

No Firewall Changes Required

BrighterBalance does not require any inbound firewall rules, custom ports, VPN configuration, or local network agents. All communication is initiated by the user's browser to BrighterBalance servers over HTTPS (TCP port 443) using standard TLS 1.2 or higher.

If your district allows general web traffic on port 443 to the public internet, no firewall changes are needed.

Recommended Whitelist for Content Filters

Districts that operate per-domain content filters (such as Lightspeed Systems, Securly, GoGuardian, ContentKeeper, Cisco Umbrella, Smoothwall, or Linewize) should add the following domains to their allow-list. The first two entries are required; the remaining entries cover third-party services BrighterBalance depends on.

Required (BrighterBalance-owned)

Strongly Recommended (Third-Party Services)

If your content filter supports it, allowing the parent domains listed above with all subdomains (*.domain.com) is the simplest configuration.

SSL / TLS Inspection

If your district performs SSL inspection (deep packet inspection of HTTPS traffic), please ensure that the BrighterBalance domains listed above are excluded from SSL inspection, or that your inspection certificate is properly trusted by client devices.

BrighterBalance enforces HTTP Strict Transport Security (HSTS) and uses HTTP/2 with TLS 1.2 and TLS 1.3. Some legacy SSL inspection appliances do not properly handle HTTP/2 or HSTS preload, which can result in connection failures or certificate warnings. The cleanest configuration is to bypass inspection for BrighterBalance traffic.

Bandwidth Planning

BrighterBalance is a lightweight web application. For capacity planning:

• Initial application load: approximately 1.5 to 2.5 MB (cached aggressively after first load)
• Behavior log submission: under 10 KB per log
• Voice memo upload: typical memo is 30 to 200 KB
• Photo upload: compressed to under 500 KB per image
• AI Advisor response: streamed; under 50 KB per conversation turn

A typical teacher uses well under 5 MB per day of active use after initial load.

Common Content Filters Tested

BrighterBalance has been verified to work with default deployments of:

• Lightspeed Systems Filter
• Securly
• GoGuardian
• Cisco Umbrella
• ContentKeeper
• Linewize / Smoothwall

If your district uses a different content filter and encounters access issues, contact hello@brighterbalance.app and we will work with your IT team directly.

Troubleshooting

Symptom: Login page loads but sign-in fails. Likely cause: OAuth provider domains (Google or Microsoft) are blocked. Add the SSO domains listed above to your allow-list.

Symptom: AI Advisor returns no response or errors. Likely cause: api.anthropic.com is blocked or being intercepted by SSL inspection. Add to allow-list and exclude from inspection.

Symptom: Pages load partially or appear unstyled. Likely cause: Vercel CDN domains or Google Fonts are blocked. Add *.vercel.app and fonts.googleapis.com / fonts.gstatic.com to allow-list.

Symptom: Login or any HTTPS request fails with certificate errors. Likely cause: SSL inspection certificate is not trusted on the client device, or the inspection appliance does not support HTTP/2. Bypass inspection for BrighterBalance domains.

For any other issue, contact hello@brighterbalance.app with the symptom, browser, and (if available) the content filter product and version.