Trust & Security

Security and trust, engineered in from day one

The systems we build run in regulated, high-stakes environments — so security, privacy and compliance aren't a checklist at the end. They're designed into the architecture, enforced in code, and evidenced by default.

Encryption everywhere · Least-privilege access · Audit-ready by default

Certifications & compliance

Mapped to the standards your auditors answer to

We align engagements to the frameworks our clients are held to — with the controls, evidence and audit trails to back them up.

Placeholder compliance claims — for review. The certifications, statuses and standards below are illustrative. Confirm exactly which we currently hold (and their audit dates) with security & legal before publishing. Do not assert certifications we do not actually hold.

SOC 2 Type II (Audited annually)

Security · Availability · Confidentiality

Independent attestation of controls operating effectively over time, with continuous evidence collection.

ISO/IEC 27001 (Certified)

Information security management

A documented ISMS with risk treatment, policy and continual improvement mapped to ISO 27001 controls.

GDPR (Compliant)

EU data protection

Data residency, lawful basis, consent and right-to-erasure designed into how we handle personal data.

HIPAA (Aligned)

Protected health information

PHI handling, de-identification and access audit for healthcare workloads, with BAAs available on request.

PCI DSS (In progress)

Cardholder data environments

Tokenization and segmented architectures for payment workloads — scope and attestation engagement-dependent.

CCPA / CPRA (Compliant)

California privacy

Consumer rights, opt-out and disclosure handling for California residents built into our data processes.

Security practices

How we keep systems — and your data — safe

The same engineering discipline we apply to building platforms governs how we secure and operate them.

Encryption

Data encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys managed in a dedicated KMS with rotation and strict access policies.

TLS 1.2+ · AES-256 · KMS

Access control & SSO

Single sign-on via SAML/OIDC, enforced MFA and role-based, least-privilege access. Every grant is reviewed and time-bound.

SSO · MFA · RBAC

Secure SDLC

Security woven into delivery: code review, SAST/DAST, dependency scanning and signed builds gate every release.

SAST/DAST · Code review · Signed builds

Vulnerability management

Continuous scanning, prioritized remediation SLAs and routine third-party penetration tests with tracked findings.

Scanning · Pen testing · Patch SLAs

Monitoring & incident response

Centralized logging, anomaly detection and a documented incident response plan with defined severities and on-call rotations.

SIEM · 24/7 · Runbooks

Business continuity & DR

Automated backups, tested restore procedures and multi-region resilience targets so critical systems recover fast.

Backups · RPO/RTO · Multi-region

Data handling & privacy

Clear about what we collect and why

How we process, store and protect data is documented in plain language. The full terms live in our policies.

Privacy Policy

What personal data we collect, the lawful basis for processing it, how long we keep it, and the rights you can exercise over it.

Read the Privacy Policy

Cookie Policy

The cookies and similar technologies we use, what each category does, and how to manage your consent at any time.

Read the Cookie Policy

Subprocessors & data residency

Where your data lives, and who touches it

We keep a current list of the subprocessors we rely on and the regions data is processed in. Hosting region can be scoped per engagement.

Placeholder data — for review. The subprocessors, purposes and regions below are illustrative examples. Replace with the real, maintained subprocessor list and confirm data-residency commitments with security & legal.
Subprocessor | Purpose | Data region | Type
Cloud Platform A | Primary infrastructure & compute: application hosting, storage and managed databases | US · UK | Infrastructure
Cloud Platform B | Secondary / DR region: disaster recovery and regional failover | UAE · India | Infrastructure
Observability Vendor | Logging & monitoring: application metrics, logs and alerting | US | Monitoring
Email & Comms Provider | Transactional messaging: system notifications and account email | UK | Communications
Support Platform | Customer support: ticketing and support correspondence | US · India | Operations

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers and treat them seriously. Report a suspected vulnerability in good faith and we'll work with you to verify and resolve it — and we won't pursue action against researchers who follow this policy.

1. Report privately

Email security@braindoos.com with steps to reproduce, impact and any proof-of-concept. Please don't disclose publicly before we've responded.

2. We acknowledge & triage

We aim to acknowledge within two business days, validate the report and assign a severity and owner.

3. Fix & coordinate

We remediate, keep you updated on progress, and coordinate timing on any public acknowledgement of your finding.

Due diligence

Need our security documentation?

Request our security overview, latest reports, a completed questionnaire, or a mutual NDA. Our team will route you to the right materials for your review.

NDA on request · Reports under review · Response within 2 business days