Last updated: April 1, 2026

Security Overview

Brazen.AI's security controls, certifications, encryption, access management, and incident response posture.

Security is foundational to Brazen.AI. This page summarizes the organizational and technical controls we apply to protect customer data and the integrity of the Service. For implementation specifics beyond what is published here, see our DPA, our SOC 2 report (under NDA), and our security questionnaire response.

Our security program

Our security program is owned at the executive level and reviewed regularly. It includes documented policies for information security, access management, incident response, vendor management, change management, and acceptable use. All employees and contractors complete security awareness training on hire and at least annually, and complete role-specific training (for example, secure coding for engineers).

Infrastructure

Brazen.AI runs on Google Cloud Platform in us-west1, with data centers operated to ISO 27001, SOC 2, and equivalent independent certifications. We use isolated production environments, infrastructure-as-code, and least-privilege service accounts.

Encryption

  • In transit: all customer-facing traffic uses TLS 1.2 or later with modern cipher suites. HTTP Strict Transport Security is enabled.
  • At rest: customer data is encrypted at rest using AES-256 keys managed by our cloud provider's key management service. Backups are encrypted using the same standards.
  • In application: sensitive secrets are stored in a managed secrets vault and rotated regularly.

Access controls

Production access is restricted to a small set of named engineers and follows the principle of least privilege. Access requires single sign-on, hardware-backed multi-factor authentication, and time-bound elevation for sensitive operations. All production access is logged and reviewed quarterly.

Monitoring & incident response

We continuously monitor the Service for security events, anomalous behavior, and integrity violations. We maintain an incident response plan that defines roles, severity levels, communication paths, and post-incident review. We will notify affected customers without undue delay and within 72 hours of confirming a personal data breach that affects them, consistent with GDPR Article 33 and applicable US state breach notification laws.

Backups & disaster recovery

Customer data is backed up on a daily cadence with a recovery point objective (RPO) of 24 hours and a recovery time objective (RTO) of 8 hours. We test restoration from backup at least annually.

Compliance

We are working toward SOC 2 Type II — see our annual audit window. On request, we provide our latest SOC 2 report under NDA. We are not currently HIPAA-covered and do not accept Protected Health Information without a signed Business Associate Agreement (typically not in scope for our customers).

Vulnerability disclosure

We welcome reports of security vulnerabilities from the research community. Email security@brazen.ai with a clear description of the issue, steps to reproduce, and any proof-of-concept artifacts. We commit to acknowledging reports within 3 business days and keeping researchers informed of our triage. Please do not perform testing that would degrade Service for customers, exfiltrate customer data, or violate applicable law.

Contact

Security: security@brazen.ai
For DPA, sub-processor list, and customer-side controls, see DPA, Subprocessors, and Privacy Policy.