Trust Center

Security posture, compliance roadmap, and how we protect your data.

Compliance roadmap

  • GDPR (EU/UK) — compliant via Data Processing Addendum, SCC Module 2 for international transfers, 72-hour breach notification.
  • LGPD (Brazil) — compliant by default; data resident in Brazil where requested.
  • SOC 2 Type II — controls implemented; formal audit targeted Q3 2026.
  • HIPAA — BAA available on request for healthcare workloads (Enterprise tier).
  • ISO 27001 — controls aligned; certification pursued in 2027.

Security architecture

Defense-in-depth across the request path:

  • Edge — Caddy reverse proxy on TLS 1.2+ with automatic Let's Encrypt renewal. HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict-origin Referrer-Policy, restrictive Permissions-Policy.
  • Auth gateway — All API calls validated by auth-proxy:v3 against Bearer keys (SHA-256 hashed in Redis), per-tier sliding-window rate limits, and per-product gating before any backend is reached.
  • CSP nonce — Per-request cryptographic nonce on every inline script; 'unsafe-inline' is non-functional. Prevents XSS even on dynamic user content.
  • Marketplace webhooks — Microsoft AD JWT signature validated against JWKS (RS256), audience and issuer checked, with operation_id replay-attack defense and idempotency guards.
  • Internal isolation — Each backend container exposes its services only via an X-Internal-Key header forwarded by the auth-proxy. Backends are bound to 127.0.0.1 (loopback), so they remain unreachable from external networks even if a misconfiguration occurs.
  • Container resilience — All production containers run with restart=unless-stopped and health checks. Unhealthy containers are restarted automatically within ~90 seconds.
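To illustrate the two checks the auth gateway bullet describes (Bearer key validated against a SHA-256 hash store, then a per-tier sliding-window rate limit), here is an added, self-contained example; it is not the auth-proxy's own code, and the tier limits and key prefix are assumed values, not the product's real settings.

```python
import hashlib
import secrets
import time
from collections import deque

# Assumed per-tier limits as (max requests, window in seconds); not the real product tiers.
TIER_LIMITS = {"free": (5, 60), "pro": (100, 60)}


def _digest(key: str) -> str:
    """SHA-256 hex digest of a key; this is the only form the store ever holds."""
    return hashlib.sha256(key.encode()).hexdigest()


class AuthGateway:
    """Validates Bearer keys by digest and enforces a sliding-window limit per key."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable for deterministic testing
        self._keys = {}               # sha256(key) -> tier; plaintext is never stored
        self._windows = {}            # sha256(key) -> deque of request timestamps

    def issue_key(self, tier: str) -> str:
        """Generate a key, persist only its digest, and hand the plaintext back once."""
        key = "bk_" + secrets.token_urlsafe(32)
        self._keys[_digest(key)] = tier
        return key

    def check(self, authorization_header: str):
        """Return (allowed, reason_or_tier) for an incoming Authorization header."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented:
            return False, "missing bearer token"
        # Hash the presented key first: the lookup never touches a stored plaintext.
        h = _digest(presented)
        tier = self._keys.get(h)
        if tier is None:
            return False, "unknown key"
        limit, window = TIER_LIMITS[tier]
        now = self._clock()
        q = self._windows.setdefault(h, deque())
        # Sliding window: evict timestamps older than the window, then count the rest.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            return False, "rate limited"
        q.append(now)
        return True, tier
```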

Data handling

  • API payloads — processed in-memory and discarded immediately on response. We do not log, store, or train on customer payloads. Logs contain only metadata (timestamp, endpoint, status, latency, byte count).
  • API keys — stored as SHA-256 hashes; the plaintext key exists only on your machine after issuance.
  • PII redaction — error logs scrub email, phone, IP, and other common PII patterns before being sent to our error tracker (Glitchtip, self-hosted).
  • Encryption — TLS in transit (no plaintext anywhere); volume-level encryption at rest at the host layer.

Sub-processors

Updated 2026-04-28. We give 30 days' notice before adding new sub-processors.

  • Latitude.sh (Brazil/USA) — bare-metal hosting. SOC 2 Type II.
  • Microsoft Corporation — Azure Marketplace billing. DPA / SCC.
  • Stripe (US) — direct payment processing. PCI-DSS Level 1.
  • Plausible (self-hosted) — privacy-friendly analytics. No personal data shipped off our infrastructure.

Breach response

If we discover a Personal Data Breach as defined by GDPR Article 4(12):

  1. Contain and assess scope within 1 hour.
  2. Notify affected Controllers within 72 hours via the email on file.
  3. Provide nature, categories, approximate counts, likely consequences, and mitigation steps.
  4. Post a public incident report to the status page.

Vulnerability disclosure

We welcome responsible disclosure. Email security@brainiall.com with proof-of-concept details. We acknowledge within 1 business day, target a 90-day coordinated disclosure window, and credit reporters in our public CHANGELOG (with permission).

Out-of-scope: rate limiting, social engineering, physical attacks, denial of service via load.
Bounty: Not formalized yet — we offer recognition + Brainiall credits for valid reports.

Subscribe to security updates

We notify customers and the public via the status page for security advisories and post-mortems. For enterprise-tier customers, we also send signed RFC-5322 email alerts to your designated security contact.
