- Provider: Supabase - SOC 2 Type II certified
- Location: United States
- What’s Stored: Requirements, tasks, prompts, organization data, user profiles, and integration configurations
- Encryption: All data encrypted at rest using AES-256 encryption
- Backups: Automated daily backups retained for 90 days
- Access: Restricted to authorized BrainGrid services only
- Compliance: Hosted on SOC 2 compliant infrastructure
Account Security
Authentication
- Passwordless Authentication: BrainGrid exclusively uses secure, passwordless authentication methods
- Cloud Provider Sign-In: Support for Google, GitHub, and Microsoft authentication
- Magic Links: Email-based authentication with time-limited secure links
- Enterprise SSO: BrainGrid supports Single Sign-On through WorkOS, compatible with providers like Okta, Azure AD, and Google Workspace.
Session Management
- Maximum Session Length: Sessions last up to 30 days with continued activity
- Inactivity Timeout: Automatic logout after 7 days of inactivity for security
- Access Token Duration: Short-lived 5-minute access tokens minimize exposure risk
- Secure Token Handling: All tokens are cryptographically secure and regularly rotated
Multi-Factor Authentication
- 2FA Support: Time-based One-Time Password (TOTP) support for all accounts
- SSO MFA: Inherits MFA policies from your SSO provider
- Backup Codes: Generate one-time backup codes for account recovery
- Enforcement Options: Organizations can require MFA for all team members
Account Recovery
- Secure Recovery: Email-based account recovery with time-limited tokens
- Identity Verification: Additional verification steps for sensitive account changes
- Admin Recovery: Organization admins can assist with team member account recovery
- Audit Trail: All recovery attempts are logged.
Infrastructure Security
Data Protection
- Encryption in Transit: All data transmitted between your browser and BrainGrid servers is encrypted using TLS 1.3
- Encryption at Rest: All stored data, including requirements, code analysis results, and agent conversations, is encrypted.
- Secure Key Management: Encryption keys are rotated regularly and stored separately from encrypted data
Access Controls
- Multi-Factor Authentication: All BrainGrid employees are required to use MFA for accessing production systems
- Role-Based Access Control: Strict RBAC policies ensure employees only access systems necessary for their role
- Audit Logging: All access to production systems is logged and regularly reviewed
Infrastructure Hardening
- Cloud Security: Our infrastructure runs on Vercel’s secure cloud platform with additional security layers
- Network Isolation: Production systems are isolated from development and staging environments
- Regular Security Updates: All systems receive security patches within 24 hours of release
Compliance & Monitoring
- Continuous Monitoring: 24/7 monitoring for security incidents and anomalies
- Incident Response: The engineering team follows documented incident response procedures
- Regular Security Audits: Annual third-party security assessments and penetration testing
Data Privacy & Intellectual Property
Data Processing
BrainGrid processes different types of data based on your usage:
- Requirements & Tasks: Stored securely to enable AI-powered planning and breakdown
- Code Analysis: Repository code is analyzed temporarily and deleted immediately after analysis completes; we never store your source code long-term
- Agent Conversations: The agent’s conversation history is retained for 30 days to improve context and performance
- Integration Data: GitHub, Slack, and Linear data is processed according to strict access controls
Data Retention
- Active Data: Requirements, tasks, and prompts are retained while your account is active
- Agent Conversations: AI chat conversations are automatically deleted after 30 days.
- Deleted Data: When you delete data, it’s permanently removed from our systems within 30 days
- Backup Retention: Encrypted backups are retained for 90 days for disaster recovery
- Analysis Results: Code analysis results are cached for 7 days to improve performance
Model Training
- Opt-in Only: Your data is never used for AI model training without explicit consent
- Anonymization: If you opt-in, data is fully anonymized before any model improvement use
- No Code Training: Your proprietary code is never used for training, regardless of settings
Intellectual Property
- Your Output, Your IP: All requirements, tasks, and documentation generated belong to you
- No Claims: BrainGrid makes no intellectual property claims on your generated content
AI Models
- Model Usage: We use Anthropic’s Claude and Opus models as well as Google’s Gemini models depending on the task.
- Model Privacy: We do not store any of your data in our models.
Integration Security
GitHub Integration
- Minimal Permissions: We request only necessary GitHub permissions for functionality
- Token Security: GitHub tokens are encrypted and never exposed in logs or errors
- Webhook Validation: All GitHub webhooks are validated using secure signatures
- Repository Isolation: Each repository’s data is isolated from others
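The webhook validation bullet above is the kind of check a receiving service performs on every GitHub delivery. The following is an added Python illustration, not BrainGrid's code: it verifies GitHub's X-Hub-Signature-256 header (HMAC-SHA256 over the raw request body) in constant time and additionally refuses a repeated X-GitHub-Delivery id. The secret, body and delivery id are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values for this example; not BrainGrid's real secret or payload.
WEBHOOK_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","number":42,"repository":{"full_name":"org/repo"}}'

def sign_payload(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

class WebhookVerifier:
    """Checks the HMAC over the exact bytes received and rejects repeated X-GitHub-Delivery ids."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # in-memory replay cache for illustration; a real service shares this store

    def verify(self, raw_body: bytes, headers: dict) -> bool:
        h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        signature = h.get("x-hub-signature-256")
        delivery_id = h.get("x-github-delivery")
        if not signature or not delivery_id:
            return False  # no SHA-256 signature (or legacy SHA-1 only): reject
        # Sign the raw body as received; re-serialising parsed JSON would change the bytes.
        expected = sign_payload(self._secret, raw_body)
        # Constant-time comparison so the expected digest does not leak through timing.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False
        if delivery_id in self._seen:
            return False  # same delivery id presented again: treat as a replay
        self._seen.add(delivery_id)
        return True

def demo() -> dict:
    """Run a valid delivery, a tampered body, a wrong-secret signature, a replay and a missing header."""
    v = WebhookVerifier(WEBHOOK_SECRET)
    good = {"X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY),
            "X-GitHub-Delivery": "00000000-0000-4000-8000-000000000001"}  # constructed id
    tampered = SAMPLE_BODY.replace(b'"opened"', b'"closed"')
    forged = {**good, "X-Hub-Signature-256": sign_payload(b"wrong-secret", SAMPLE_BODY)}
    return {
        "valid": v.verify(SAMPLE_BODY, good),
        "tampered_body": v.verify(tampered, good),
        "wrong_secret": v.verify(SAMPLE_BODY, forged),
        "replayed": v.verify(SAMPLE_BODY, good),
        "missing_signature": v.verify(SAMPLE_BODY, {"X-GitHub-Delivery": "other"}),
    }
```

Only the first call succeeds; the tampered body and wrong secret fail the MAC, and the repeated delivery id is refused even though its signature is intact.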
Slack Integration
- OAuth 2.0: Secure authentication using Slack’s OAuth 2.0 flow
- Scoped Access: We only access channels and messages you explicitly connect
- Message Privacy: Slack messages are processed temporarily and not stored permanently
- Encrypted Storage: Any stored Slack data is encrypted at rest
Linear Integration
- API Key Security: Linear API keys are encrypted using per-organization keys
- Sync Controls: You control which Linear teams and projects sync with BrainGrid
- Data Minimization: We only sync necessary fields for requirements and task management
User Best Practices
Code Review
- Always Review AI Output: While our AI agents are sophisticated, always review generated requirements and tasks
- Verify Technical Decisions: Ensure AI-suggested implementations align with your architecture
- Test Generated Code: Thoroughly test any code snippets or implementations suggested by AI
Access Management
- Use SSO When Available: Enable Single Sign-On through WorkOS for centralized access control
- Regular Access Reviews: Periodically review team member access and permissions
- Remove Inactive Users: Promptly remove access for team members who leave
Secure Credential Handling
- Never Share Secrets: Don’t include API keys, passwords, or secrets in requirements or prompts
- Use Environment Variables: Reference credentials through environment variables, not directly
- Rotate Integration Keys: Regularly rotate API keys for integrated services
Data Classification
- Avoid Entering Sensitive Data: Avoid entering sensitive data into the requirements or tasks.
- Limit AI Access: For highly sensitive projects, consider limiting AI agent access.
Development Workflow Security
- Use Branch Protection: Enable branch protection rules in GitHub for AI-generated PRs
- Require Reviews: Always require human review for AI-generated code changes
- Limit Repository Access: Only connect repositories that need AI assistance
- Sandbox Testing: Test AI-generated code in isolated environments first
Shared Responsibility Model
Security at BrainGrid follows a shared responsibility model. While we secure the infrastructure and platform, you maintain control over your data and how you use our services.
Your Responsibilities
As a BrainGrid customer, you are responsible for:
Data & Access Management
- Determining what data to upload and process through BrainGrid
- Managing user access and permissions within your organization
- Reviewing and approving AI-generated requirements and code
- Maintaining the security of your API keys and integration tokens
- Ensuring no sensitive data is included in prompts or requirements
- Protecting your source code and intellectual property
- Validating AI outputs before implementation
- Managing environment variables and secrets
- Configuring secure connections to GitHub, Slack, and Linear
- Setting appropriate permissions for connected repositories
- Managing which channels and teams have access to BrainGrid
- Regularly reviewing and revoking unused integrations
- Assessing whether BrainGrid meets your security requirements
- Implementing proper code review processes
- Training team members on secure AI usage
- Monitoring your organization’s activity logs
Shared Responsibilities
BrainGrid's Responsibilities
BrainGrid is responsible for:
Infrastructure Security
- Securing our cloud infrastructure and servers
- Maintaining network security and firewall rules
- Applying security patches and updates promptly
- Protecting against DDoS and other attacks
- Encrypting data in transit and at rest
- Securing our APIs and web applications
- Maintaining secure development practices
- Regular security testing and audits
- Protecting AI models from manipulation
- Ensuring model outputs are safe and appropriate
- Preventing prompt injection attacks
- Maintaining model performance and reliability
- 24/7 monitoring of platform health
- Incident detection and response
- Disaster recovery and backup procedures
- Maintaining compliance certifications
Where Does My Data Live?
Understanding where your data resides is crucial for compliance and security. BrainGrid uses a modern, distributed infrastructure designed for performance, reliability, and security.
Primary Data Storage
PostgreSQL Database (Supabase)
Temporary Data & Caching
Redis Cache (Upstash)
- Provider: Upstash - SOC 2 Type II certified
- Purpose: Performance optimization and real-time features
- What’s Stored: Conversation history, rate limiting data, temporary session information
- Data Lifetime: Automatically expires based on usage patterns (typically 24-72 hours)
- Security: All cached data is encrypted in transit
- Location: United States
- Compliance: Hosted on SOC 2 compliant infrastructure
Large Content Storage
Vercel Blob Storage
- Purpose: Storing large content that doesn’t fit efficiently in databases
- What’s Stored: Prompt markdown files, requirement documentation, generated reports
- Location: Distributed across Vercel’s global edge network
- Access Control: Secure, signed URLs with time-based expiration
- Location: United States
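The access-control bullet above describes signed URLs that expire. As an added Python illustration (not Vercel Blob's or BrainGrid's implementation), the following shows the property such a link needs: the MAC binds the object path to the expiry time, so changing either the path or the expiry invalidates the link, and an intact signature is still refused once the time has passed. The hostname, signing key, paths and timestamps are constructed.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed key for this example; a real service keeps it in a secrets manager.
SIGNING_KEY = b"constructed-url-signing-key"

def _mac(key: bytes, path: str, expires: int) -> str:
    """HMAC-SHA256 binding the object path to its expiry so neither can be changed independently."""
    return hmac.new(key, f"{path}?expires={expires}".encode(), hashlib.sha256).hexdigest()

def sign_url(path: str, ttl_seconds: int, now: int, key: bytes = SIGNING_KEY) -> str:
    """Issue a time-limited URL for one object; 'now' is passed in so the example is deterministic."""
    expires = now + ttl_seconds
    return f"https://blob.example.invalid{path}?expires={expires}&sig={_mac(key, path, expires)}"

def verify_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept only an unexpired URL whose signature matches the requested path and expiry."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    expires, sig = q.get("expires", [""])[0], q.get("sig", [""])[0]
    if not expires.isdigit() or not sig:
        return False
    if now >= int(expires):
        return False  # expired links are refused even if the signature is intact
    # Recompute from the path actually requested; constant-time compare against the supplied MAC.
    return hmac.compare_digest(_mac(key, parsed.path, int(expires)).encode(), sig.encode())

def demo() -> dict:
    """Valid use within the TTL, use after expiry, and two tampering attempts on the link."""
    issued_at = 1_700_000_000  # constructed timestamp
    url = sign_url("/reports/constructed-report.md", ttl_seconds=600, now=issued_at)
    other_object = url.replace("/reports/constructed-report.md", "/reports/someone-else.md")
    longer_life = url.replace(f"expires={issued_at + 600}", f"expires={issued_at + 86400}")
    return {
        "fresh": verify_url(url, now=issued_at + 60),
        "expired": verify_url(url, now=issued_at + 601),
        "path_swapped": verify_url(other_object, now=issued_at + 60),
        "expiry_extended": verify_url(longer_life, now=issued_at + 60),
    }
```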
Infrastructure Providers
Vercel Platform
- Hosting: Application deployed on Vercel’s secure cloud infrastructure
- Geographic Distribution: Global edge network for optimal performance
- Compliance: SOC 2 Type II certified infrastructure
- DDoS Protection: Built-in protection against distributed attacks
- Services Used: Cloud Tasks for asynchronous processing
- Security: Enterprise-grade security infrastructure
- Compliance: SOC 2, ISO 27001, and FedRAMP certified
- Data Processing: Temporary processing with immediate deletion of source data
Data Residency by Region
While BrainGrid’s infrastructure is globally distributed for performance, we understand the importance of data residency for compliance:
- United States: Primary data centers located in US regions
- European Union: Data processing compliant with GDPR requirements
- Data Transfers: All international data transfers use appropriate safeguards including Standard Contractual Clauses
Third-Party Sub-processors
BrainGrid uses carefully selected sub-processors to deliver our services:
Service | Purpose | Data Processed
---|---|---
Anthropic | AI model provider | Requirements, prompts, conversations (not stored by provider)
OpenAI | AI model provider | Requirements, prompts, conversations (not stored by provider)
WorkOS | Authentication & SSO | User authentication data, organization info
Resend | Email delivery | Transactional email content
MaxMind | Geolocation | IP addresses for extension tracking
GDPR Compliance
The EU General Data Protection Regulation (GDPR) governs the use of personal data in the European Union and United Kingdom. At BrainGrid, we are committed to GDPR compliance and protecting the privacy rights of all our users. Our GDPR commitments include:
- Implementing appropriate technical and organizational security measures to protect personal data
- Promptly notifying customers of any data breaches that may affect their personal data
- Imposing similar data protection obligations on all our sub-processors and service providers
- Responding to data subject rights requests including access, correction, deletion, and portability
- Using EU Standard Contractual Clauses and UK Addendum for international data transfers
Continuous Improvement
Security at BrainGrid is an ongoing commitment. We continuously:
- Update our security practices based on emerging threats
- Enhance our AI models to better understand security implications
- Expand our compliance certifications
- Improve transparency through regular security updates
Security Contact
If you discover a security vulnerability or have security concerns:
Email: security [at] our domain name.
Response Time: Within 24 hours for critical issues
We take all security reports seriously and will work with you to understand and address any concerns.