Security at Brainam

1.Compliance & roadmap

Brainam aligns its security programme to the standards expected of modern SaaS infrastructure, including the Digital Personal Data Protection Act, 2023 (DPDP), the EU/UK GDPR, and the CCPA/CPRA. We design and operate Brainam to be auditable to SOC 2 Trust Services Criteria from day one, even while we work towards formal certification.

Where our sub-processors hold certifications (such as MongoDB Atlas, Render and Cloudflare), we rely on their audited controls and review their compliance reports annually.

2.Data encryption

2.1 In transit

All traffic to Brainam — including the web application, API endpoints, webhook callbacks, and OAuth flows — is encrypted using TLS 1.2 or higher. We use Cloudflare to manage certificate issuance, renewal, and modern cipher suite enforcement. HTTP requests are automatically redirected to HTTPS, and HSTS is enabled.

2.2 At rest

Customer data stored in MongoDB Atlas is encrypted at rest using AES-256. Encryption keys are managed by the cloud provider and rotated according to provider policy. Database backups are encrypted using the same standard.

2.3 Secrets & credentials

OAuth tokens, third-party API keys, BYOK provider keys, and integration credentials are stored in an encrypted secrets vault separate from the primary database. Plain-text secrets are never written to logs, error reports, or analytics events.

3.Hosting & infrastructure

Brainam is hosted on enterprise-grade cloud infrastructure with established compliance pedigrees:

3.1 Network protection

• Production databases are not exposed to the public internet; access is permitted only from allow-listed application servers.
• Cloudflare provides DDoS protection, bot mitigation, and a Web Application Firewall in front of the application.
• Production environments are isolated from staging and development environments.

4.Access controls

4.1 Customer authentication

• Passwords are salted and hashed using industry-standard algorithms (never stored in plain text).
• Session tokens are short-lived JWTs stored client-side, with refresh on every privileged operation.
• Multi-factor authentication (MFA) is optional today and will be mandatory for admin roles in our next product release.
• Customers can revoke active sessions and rotate API keys from the in-product Security settings.

4.2 Internal access (Brainam team)

• Production system access is restricted to a small group of authorised engineers on a least-privilege, need-to-know basis.
• MFA is enforced on every administrative tool (cloud console, database, source control, secrets vault).
• All administrative actions on production are logged with an audit trail retained for at least 12 months.
• Access is reviewed quarterly and immediately revoked on role change or termination.
• Brainam staff do not access Customer Data except as strictly required for technical support and only with the Customer’s consent or as required by law.

4.3 Role-based access (RBAC)

Inside a Brainam workspace, administrators can assign granular roles to team members. Sensitive operations (billing, BYOK key management, account deletion) require admin-level permissions and are logged separately.

5.Application security

5.1 Secure development lifecycle

• Code review: all code changes require peer review before merging to production branches.
• Version control: source code is managed in a private GitHub organisation with MFA enforced.
• Separate environments: development, staging and production are fully separated, with production deployable only by authorised engineers.
• Dependency scanning: we use automated dependency scanning (GitHub Dependabot, npm audit) to detect and patch known vulnerabilities in third-party libraries.
• Static analysis: static security scanning runs in our CI pipeline on every pull request.
• Secrets in code: automated checks block accidental commits of API keys, tokens, or credentials.

5.2 Penetration testing

We perform internal security review on every significant feature. Independent third-party penetration tests are part of our SOC 2 roadmap and will be conducted at least annually once initiated.

5.3 Logging & monitoring

Application and infrastructure logs are centralised and retained for at least 12 months. Anomalies (failed login attempts, unusual API usage, suspicious admin actions) trigger alerts to the on-call engineer.

6.Customer data & AI boundaries

6.1 Workspace isolation

Each Brainam Customer’s data is logically isolated. Queries, agents, training content, and conversations are scoped to a workspace identifier and cannot be read across workspaces.

6.2 No training on Customer Data

6.3 Third-party AI providers

When your agent runs, prompts and necessary context are sent to one or more AI providers (Anthropic, OpenAI, Google) for inference. We rely on those providers’ API terms, which state that data sent via the API is not used to train their models. Specifically:

• Anthropic — zero-retention API; no model training.
• OpenAI — API data not used for training (per OpenAI Enterprise / API terms).
• Google (Gemini API) — API data not used for training (per Gemini API terms).

6.4 Data residency

Primary Customer Data is stored in MongoDB Atlas clusters located in Singapore or India. AI inference may be processed in the United States or European Union depending on the provider routing. International transfers are governed by Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

6.5 Data deletion

You can delete training content, conversations, agents, or your entire Account at any time from the product. Deleted data is removed from active databases immediately and from backups within 90 days. See our Privacy Policy for the full retention schedule.

7.Sub-processors

The full list of sub-processors we engage to deliver the Services — including their purpose, the categories of data they receive, and their location — is published and maintained on our Privacy Policy under Section 11. Enterprise customers can subscribe to advance notification of sub-processor changes by writing to security@brainam.ai.

8.Backup, recovery & resilience

8.1 Backups

• MongoDB Atlas performs continuous, point-in-time backups of all production databases.
• Backups are encrypted at rest using AES-256 and stored in a separate region from the primary cluster.
• Backup integrity is monitored automatically; failures trigger alerts.

8.2 Recovery objectives

Our internal targets, which we tighten as we grow:

• Recovery Point Objective (RPO): ≤ 1 hour for primary database data.
• Recovery Time Objective (RTO): ≤ 8 hours for full service restoration in a regional failure.

These are operational targets, not contractual SLAs. Bespoke SLAs are available for enterprise plans on request.

8.3 Business continuity

We maintain a documented business continuity and disaster-recovery plan covering provider outages, key personnel unavailability, and catastrophic data-centre events. The plan is reviewed at least annually.

9.Incident response

Brainam maintains a written incident-response plan that defines roles, severity classifications, communication channels, and post-incident review.

9.1 Breach notification

If we become aware of a personal-data breach that is likely to affect you, we will notify you and the relevant supervisory authority within the timelines required by law — within 72 hours under the DPDP Act and the GDPR. Notification will include the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking in response.

9.2 Status & communication

For service-impacting incidents, we communicate via in-product banner, email to administrators, and (where applicable) our status page. Post-incident reports are shared with affected customers on request.

10.Vulnerability disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in Brainam, please email security@brainam.ai with:

• A description of the issue and its potential impact.
• Steps to reproduce, including any proof-of-concept.
• Your contact details so we can follow up.

10.1 Safe harbour

Good-faith security research conducted under the following guidelines will not result in legal action from Brainam:

• Do not access, modify, or delete Customer Data belonging to anyone other than yourself.
• Do not degrade or disrupt the Services for other customers.
• Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate (typically 90 days).
• Avoid privacy violations, data destruction, and degradation of user experience.

We will acknowledge valid reports within 5 business days and keep you informed of remediation progress.

11.Corporate security

11.1 Personnel

• All employees and contractors sign confidentiality and data-protection agreements before being granted access to systems.
• Background checks (where lawful) are conducted for personnel with access to Customer Data.
• Security and privacy awareness training is delivered at onboarding and refreshed annually.

11.2 Workstation security

• Full-disk encryption is enforced on every device used to access production systems.
• Automatic OS updates and screen-lock policies are enabled.
• Anti-malware solutions run on all corporate devices.
• Password managers are required for shared and individual credentials.

11.3 Offboarding

When a team member leaves Brainam, all system access — including source code, cloud consoles, the secrets vault, and SaaS tools — is revoked within one business day. Company-issued devices are reclaimed and wiped.

12.Contact