How we protect customer data, manage access, and respond to incidents. Plain-English, not aspirational.
Last updated: May 10, 2026
All customer data is stored in PostgreSQL on Supabase in the us-east-1 region. Data at rest is encrypted with AES-256. Data in transit is encrypted with TLS 1.2 or higher. Database backups are encrypted and retained for 7 days on the standard tier.
API keys for external services (Stripe, Resend, Vercel AI Gateway, OAuth providers) are stored as environment variables on Vercel and never exposed to client-side code. Supabase service-role keys are scoped to server-side usage only.
Every customer-facing table has Row Level Security (RLS) policies enforced at the database layer. Even if the application code has a bug, a query for org A's data cannot return org B's rows - PostgreSQL refuses the query before it executes.
The same RLS layer governs read and write paths for users, organizations, members, invitations, API keys, usage logs, brain registry, circuit subscriptions, run history, email logs, and admin actions. Policies are defined in the migration files committed to the repository and reviewed on every change.
We use Supabase Auth with the following supported flows: email + password (passwords hashed with bcrypt), Google OAuth, magic-link recovery, and email verification. Sessions are JWT-based with automatic refresh; tokens are short-lived and rotate transparently.
API keys for programmatic access are SHA-256 hashed at rest - we cannot recover a key once issued, only revoke and re-issue.
We never store payment card data. All credit-card processing is handled by Stripe, which is PCI DSS Level 1 certified. Brainboot stores only the Stripe customer ID and subscription ID for reference. Invoices and payment history are accessible through the Stripe customer portal linked from your dashboard.
When you run a brain, the prompt and your conversation history are sent to the LLM provider you selected (OpenAI, Anthropic, Google, xAI, DeepSeek, or Mistral) through Vercel AI Gateway. We do not retain prompts or completions on our servers beyond what's required to display your conversation history (stored in your Supabase tenant).
Each provider has its own data-retention policy. Anthropic and OpenAI both offer enterprise terms that opt your traffic out of training data; if your organization requires those, contact us before subscribing.
Brainboot staff access to customer data is limited to a small number of administrators identified by an is_admin flag on the user record. Admin operations (changing a customer's plan, resetting usage, granting credits, deactivating an account, impersonating a user for support) are logged to an immutable admin_actions audit table that records the admin id, action type, target, timestamp, and any structured context.
The admin panel is gated by both authentication and a separate role check at the API layer. Failing either returns 403 before any data is read.
All inbound webhooks (currently Stripe) are signature-verified before processing. Each event id is stored in a processed_events table; replays are detected and acknowledged without re-running side effects. Failures are written to a webhook_failures log for review.
API routes are rate-limited per user (when authenticated) or per IP (when anonymous). Production deployments use Upstash Redis for distributed enforcement across all serverless instances. Rate-limit headers are returned on every response.
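The per-user / per-IP limiter with headers on every response, as an added example (not Brainboot's code). A fixed window counter in a Map stands in for the Redis INCR-plus-EXPIRE pattern a distributed deployment would use; the limit, window length, and the `X-RateLimit-*` / `Retry-After` header names are assumptions, since the page does not name them.

```javascript
// Added example, not Brainboot's code. The Map stands in for a shared Redis
// counter; limit, window and header names are assumed values.

function createRateLimiter({ limit, windowMs }) {
  return { limit, windowMs, counters: new Map() }; // key -> { count, windowStart }
}

// Authenticated requests are keyed by user id, anonymous ones by client IP.
function rateLimitKey(req) {
  return req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
}

// Fixed-window check. Returns the decision plus the headers to attach to
// every response, allowed or not. nowMs is injected for testability.
function checkRateLimit(limiter, req, nowMs) {
  const key = rateLimitKey(req);
  const windowStart = Math.floor(nowMs / limiter.windowMs) * limiter.windowMs;
  let entry = limiter.counters.get(key);
  if (!entry || entry.windowStart !== windowStart) {
    entry = { count: 0, windowStart }; // new window: counter resets (Redis EXPIRE equivalent)
    limiter.counters.set(key, entry);
  }
  entry.count += 1; // count over-limit requests too, as INCR would
  const allowed = entry.count <= limiter.limit;
  const resetSec = Math.ceil((windowStart + limiter.windowMs) / 1000);
  const headers = {
    'X-RateLimit-Limit': String(limiter.limit),
    'X-RateLimit-Remaining': String(Math.max(0, limiter.limit - entry.count)),
    'X-RateLimit-Reset': String(resetSec),
  };
  if (!allowed) {
    headers['Retry-After'] = String(Math.max(1, resetSec - Math.floor(nowMs / 1000)));
  }
  return { allowed, status: allowed ? 200 : 429, headers };
}

module.exports = { createRateLimiter, rateLimitKey, checkRateLimit };
```

Keying anonymous traffic by IP needs the real client address: behind a proxy or edge network, take it from the header the platform sets and trusts, never from an arbitrary client-supplied `X-Forwarded-For` value, or the limit can be sidestepped by spoofing the key.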
Errors are forwarded to Sentry for triage. We monitor signup, webhook, and billing paths continuously. If we detect an incident affecting customer data, we will notify affected customers by email within 72 hours of confirmation, with a summary of impact, root cause, and remediation.
You can export all data tied to your organization by emailing support@brainboot.dev. We will provide a JSON export within 14 days at no cost. Account deletion is also available on request: we will delete your user record, organization, members, brain history, and conversation logs within 30 days. Stripe customer/billing records are retained per Stripe's policy and our tax obligations.
Brainboot is a small company in early launch. We are not yet SOC 2 / ISO 27001 / HIPAA / PCI-DSS certified. We are building toward SOC 2 Type I as the first compliance milestone. If your organization needs a formal attestation before signing, contact us and we will scope a path forward together.
For now: GDPR data subject rights (access, deletion, portability) are honored via the export/deletion process above. CCPA right-to-know and right-to-delete are honored the same way.
A complete list of subprocessors who may process customer data is maintained at /subprocessors. The list is updated whenever the set changes; you can subscribe to that page's feed for change notifications.
Found something concerning? Email security@brainboot.dev with reproduction steps. We respond within 2 business days. We do not run a paid bounty program yet but credit responsible disclosure publicly (with your permission) on the changelog.
Three resources for vendor security reviews and contract execution: