At BrainGrid, we understand that our platform is integral to your software development lifecycle. We’ve built comprehensive security measures to protect your code, requirements, and intellectual property while providing powerful AI-driven development capabilities. BrainGrid was founded by ex-Twilio engineers experienced in building, operating, and securing large-scale cloud platforms.

Account Security

  • Passwordless Authentication: BrainGrid exclusively uses secure, passwordless authentication methods
  • Cloud Provider Sign-In: Support for Google, GitHub, and Microsoft authentication
  • Magic Links: Email-based authentication with time-limited secure links
  • Enterprise SSO: BrainGrid supports Single Sign-On through WorkOS, compatible with providers like Okta, Azure AD, and Google Workspace.
  • Maximum Session Length: Sessions last up to 30 days with continued activity
  • Inactivity Timeout: Automatic logout after 7 days of inactivity for security
  • Access Token Duration: Short-lived 5-minute access tokens minimize exposure risk
  • Secure Token Handling: All tokens are cryptographically secure and regularly rotated
  • 2FA Support: Time-based One-Time Password (TOTP) support for all accounts
  • SSO MFA: Inherits MFA policies from your SSO provider
  • Backup Codes: Generate one-time backup codes for account recovery
  • Enforcement Options: Organizations can require MFA for all team members
  • Secure Recovery: Email-based account recovery with time-limited tokens
  • Identity Verification: Additional verification steps for sensitive account changes
  • Admin Recovery: Organization admins can assist with team member account recovery
  • Audit Trail: All recovery attempts are logged.

Infrastructure Security

  • Encryption in Transit: All data transmitted between your browser and BrainGrid servers is encrypted using TLS 1.3
  • Encryption at Rest: All stored data, including requirements, code analysis results, and agent conversations, is encrypted.
  • Secure Key Management: Encryption keys are rotated regularly and stored separately from encrypted data
  • Multi-Factor Authentication: All BrainGrid employees are required to use MFA for accessing production systems
  • Role-Based Access Control: Strict RBAC policies ensure employees only access systems necessary for their role
  • Audit Logging: All access to production systems is logged and regularly reviewed
  • Cloud Security: Our infrastructure runs on Vercel’s secure cloud platform with additional security layers
  • Network Isolation: Production systems are isolated from development and staging environments
  • Regular Security Updates: All systems receive security patches within 24 hours of release
  • Continuous Monitoring: 24/7 monitoring for security incidents and anomalies
  • Incident Response: The engineering team follows documented incident response procedures
  • Regular Security Audits: Annual third-party security assessments and penetration testing

Data Privacy & Intellectual Property

BrainGrid processes different types of data based on your usage:
  • Requirements & Tasks: Stored securely to enable AI-powered planning and breakdown
  • Code Analysis: Repository code is analyzed temporarily and deleted immediately after analysis completes; we never store your source code long-term
  • Agent Conversations: The agent’s conversation history is retained for 30 days to improve context and performance
  • Integration Data: GitHub, Slack, and Linear data is processed according to strict access controls
  • Active Data: Requirements, tasks, and prompts are retained while your account is active
  • Agent Conversations: AI chat conversations are automatically deleted after 30 days.
  • Deleted Data: When you delete data, it’s permanently removed from our systems within 30 days
  • Backup Retention: Encrypted backups are retained for 90 days for disaster recovery
  • Analysis Results: Code analysis results are cached for 7 days to improve performance
  • Opt-in Only: Your data is never used for AI model training without explicit consent
  • Anonymization: If you opt-in, data is fully anonymized before any model improvement use
  • No Code Training: Your proprietary code is never used for training, regardless of settings
  • Your Output, Your IP: All requirements, tasks, and documentation generated belong to you
  • No Claims: BrainGrid makes no intellectual property claims on your generated content
  • Model Usage: We use Anthropic’s Claude and Opus models as well as Google’s Gemini models depending on the task.
  • Model Privacy: We do not store any of your data in our models.

Integration Security

  • Minimal Permissions: We request only necessary GitHub permissions for functionality
  • Token Security: GitHub tokens are encrypted and never exposed in logs or errors
  • Webhook Validation: All GitHub webhooks are validated using secure signatures
  • Repository Isolation: Each repository’s data is isolated from others
  • OAuth 2.0: Secure authentication using Slack’s OAuth 2.0 flow
  • Scoped Access: We only access channels and messages you explicitly connect
  • Message Privacy: Slack messages are processed temporarily and not stored permanently
  • Encrypted Storage: Any stored Slack data is encrypted at rest
  • API Key Security: Linear API keys are encrypted using per-organization keys
  • Sync Controls: You control which Linear teams and projects sync with BrainGrid
  • Data Minimization: We only sync necessary fields for requirements and task management
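As an added illustration of the webhook validation point above (example code written for this page, not BrainGrid's own code), this is how a receiver validates GitHub's X-Hub-Signature-256 header: an HMAC-SHA256 over the raw request body with the shared webhook secret, compared in constant time. The secret and payload below are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the value GitHub places in X-Hub-Signature-256 for this body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Validate one webhook delivery.

    - Compute the MAC over the raw bytes exactly as received (never over
      re-serialized JSON, which can differ in whitespace or key order).
    - Reject a missing header or one that is not the sha256= form.
    - Compare with hmac.compare_digest so the comparison time does not
      depend on how many leading characters match.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header)


# Constructed sample values (not real credentials or a real delivery):
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"number":42}}'

if __name__ == "__main__":
    header = sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)
    print(verify_github_signature(WEBHOOK_SECRET, SAMPLE_BODY, header))  # True
    tampered = SAMPLE_BODY.replace(b"42", b"43")
    print(verify_github_signature(WEBHOOK_SECRET, tampered, header))  # False
```

A real endpoint reads the body bytes before any JSON parsing and drops the request when verification fails, so a forged or replayed delivery never reaches the handler.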

User Best Practices

  • Always Review AI Output: While our AI agents are sophisticated, always review generated requirements and tasks
  • Verify Technical Decisions: Ensure AI-suggested implementations align with your architecture
  • Test Generated Code: Thoroughly test any code snippets or implementations suggested by AI
  • Use SSO When Available: Enable Single Sign-On through WorkOS for centralized access control
  • Regular Access Reviews: Periodically review team member access and permissions
  • Remove Inactive Users: Promptly remove access for team members who leave
  • Never Share Secrets: Don’t include API keys, passwords, or secrets in requirements or prompts
  • Use Environment Variables: Reference credentials through environment variables, not directly
  • Rotate Integration Keys: Regularly rotate API keys for integrated services
  • Avoid Entering Sensitive Data: Avoid entering sensitive data into the requirements or tasks.
  • Limit AI Access: For highly sensitive projects, consider limiting AI agent access.
  • Use Branch Protection: Enable branch protection rules in GitHub for AI-generated PRs
  • Require Reviews: Always require human review for AI-generated code changes
  • Limit Repository Access: Only connect repositories that need AI assistance
  • Sandbox Testing: Test AI-generated code in isolated environments first

Shared Responsibility Model

Security at BrainGrid follows a shared responsibility model. While we secure the infrastructure and platform, you maintain control over your data and how you use our services.
As a BrainGrid customer, you are responsible for:
Data & Access Management
  • Determining what data to upload and process through BrainGrid
  • Managing user access and permissions within your organization
  • Reviewing and approving AI-generated requirements and code
  • Maintaining the security of your API keys and integration tokens
Content Security
  • Ensuring no sensitive data is included in prompts or requirements
  • Protecting your source code and intellectual property
  • Validating AI outputs before implementation
  • Managing environment variables and secrets
Integration Management
  • Configuring secure connections to GitHub, Slack, and Linear
  • Setting appropriate permissions for connected repositories
  • Managing which channels and teams have access to BrainGrid
  • Regularly reviewing and revoking unused integrations
Compliance & Best Practices
  • Assessing whether BrainGrid meets your security requirements
  • Implementing proper code review processes
  • Training team members on secure AI usage
  • Monitoring your organization’s activity logs
We work together with you on:
Authentication & Access Control
  • BrainGrid provides SSO and MFA capabilities; you configure and enforce them
  • We secure the authentication infrastructure; you manage user policies
Data Privacy
  • BrainGrid encrypts data; you control what data is processed
Audit & Monitoring
  • BrainGrid logs platform events.
Incident Response
  • BrainGrid responds to platform incidents.
  • We notify you of breaches.
BrainGrid is responsible for:
Infrastructure Security
  • Securing our cloud infrastructure and servers
  • Maintaining network security and firewall rules
  • Applying security patches and updates promptly
  • Protecting against DDoS and other attacks
Platform Security
  • Encrypting data in transit and at rest
  • Securing our APIs and web applications
  • Maintaining secure development practices
  • Regular security testing and audits
AI Model Security
  • Protecting AI models from manipulation
  • Ensuring model outputs are safe and appropriate
  • Preventing prompt injection attacks
  • Maintaining model performance and reliability
Operational Security
  • 24/7 monitoring of platform health
  • Incident detection and response
  • Disaster recovery and backup procedures
  • Maintaining compliance certifications

Where Does My Data Live?

Understanding where your data resides is crucial for compliance and security. BrainGrid uses a modern, distributed infrastructure designed for performance, reliability, and security.
PostgreSQL Database (Supabase)
  • Provider: Supabase - SOC 2 Type II certified
  • Location: United States
  • What’s Stored: Requirements, tasks, prompts, organization data, user profiles, and integration configurations
  • Encryption: All data encrypted at rest using AES-256 encryption
  • Backups: Automated daily backups retained for 90 days
  • Access: Restricted to authorized BrainGrid services only
  • Compliance: Hosted on SOC 2 compliant infrastructure
Redis Cache (Upstash)
  • Provider: Upstash - SOC 2 Type II certified
  • Purpose: Performance optimization and real-time features
  • What’s Stored: Conversation history, rate limiting data, temporary session information
  • Data Lifetime: Automatically expires based on usage patterns (typically 24-72 hours)
  • Security: All cached data is encrypted in transit
  • Location: United States
  • Compliance: Hosted on SOC 2 compliant infrastructure
Vercel Blob Storage
  • Purpose: Storing large content that doesn’t fit efficiently in databases
  • What’s Stored: Prompt markdown files, requirement documentation, generated reports
  • Location: Distributed across Vercel’s global edge network
  • Access Control: Secure, signed URLs with time-based expiration
  • Location: United States
Vercel Platform
  • Hosting: Application deployed on Vercel’s secure cloud infrastructure
  • Geographic Distribution: Global edge network for optimal performance
  • Compliance: SOC 2 Type II certified infrastructure
  • DDoS Protection: Built-in protection against distributed attacks
Google Cloud Platform
  • Services Used: Cloud Tasks for asynchronous processing
  • Security: Enterprise-grade security infrastructure
  • Compliance: SOC 2, ISO 27001, and FedRAMP certified
  • Data Processing: Temporary processing with immediate deletion of source data

Data Residency by Region

While BrainGrid’s infrastructure is globally distributed for performance, we understand the importance of data residency for compliance:
  • United States: Primary data centers located in US regions
  • European Union: Data processing compliant with GDPR requirements
  • Data Transfers: All international data transfers use appropriate safeguards including Standard Contractual Clauses

Third-Party Sub-processors

BrainGrid uses carefully selected sub-processors to deliver our services:
Service     Purpose               Data Processed
Anthropic   AI model provider     Requirements, prompts, conversations (not stored by provider)
OpenAI      AI model provider     Requirements, prompts, conversations (not stored by provider)
WorkOS      Authentication & SSO  User authentication data, organization info
Resend      Email delivery        Transactional email content
MaxMind     Geolocation           IP addresses for extension tracking
All sub-processors are bound by data protection agreements and are prohibited from using your data for their own purposes.

GDPR Compliance

The EU General Data Protection Regulation (GDPR) governs the use of personal data in the European Union and United Kingdom. At BrainGrid, we are committed to GDPR compliance and protecting the privacy rights of all our users. Our GDPR commitments include:
  • Implementing appropriate technical and organizational security measures to protect personal data
  • Promptly notifying customers of any data breaches that may affect their personal data
  • Imposing similar data protection obligations on all our sub-processors and service providers
  • Responding to data subject rights requests including access, correction, deletion, and portability
  • Using EU Standard Contractual Clauses and UK Addendum for international data transfers
For more information about how we handle your data, please refer to our Privacy Policy and Data Processing Addendum.

Continuous Improvement

Security at BrainGrid is an ongoing commitment. We continuously:
  • Update our security practices based on emerging threats
  • Enhance our AI models to better understand security implications
  • Expand our compliance certifications
  • Improve transparency through regular security updates
Your trust is paramount to us, and we’re committed to maintaining the highest security standards as we help accelerate your development workflow.

Security Contact

If you discover a security vulnerability or have security concerns:

Email: security [at] our domain name.
Response Time: Within 24 hours for critical issues.
We take all security reports seriously and will work with you to understand and address any concerns.