Black Box security & NDA — bRRAIn Docs

Confidentiality, NDA terms, and security posture for Black Box engagements.

Black Box security & NDA

Confidentiality and security are foundational to a Black Box engagement. This page covers NDA structure, confidentiality scope, and the security posture we maintain for engagements.

NDA

Every engagement begins with a mutual NDA covering both parties' confidential information. Standard NDA terms:

  • Term — three years from signing, with confidentiality obligations surviving as long as the information remains confidential.
  • Scope — all non-public technical, commercial, financial, and customer information disclosed during the engagement.
  • Permitted use — only for evaluating, executing, and supporting the engagement.
  • Permitted disclosure — only to parties under similar confidentiality obligations.
  • Carve-outs — information that becomes public through no breach, was independently developed, or is required by law to disclose (with notice).

We can adapt to your standard NDA template if your policies require — we'll typically counter-mark and align to mutual standards.

Confidentiality scope

Under NDA we maintain:

  • Existence confidentiality — we don't disclose the fact of your engagement to other parties without consent.
  • Scope confidentiality — what we're building, what data flows where, how the architecture is structured.
  • Outcome confidentiality — measurement results, ROI, internal assessments.
  • People confidentiality — who's involved, what roles they hold, what they've contributed.

With your written consent, we may publish a redacted case study after general availability. The case study draft is reviewed and approved by you before publication.

Security posture for engagements

Beyond our standard security posture (see Security overview), Black Box engagements layer additional controls:

Personnel

  • All bRRAIn personnel on the engagement undergo background checks appropriate to your sector.
  • For defense, financial-services, and healthcare engagements, additional clearances may apply.
  • Engagement personnel are named and restricted to those individuals.
  • Personnel changes are notified in advance.

Infrastructure

  • Engagement infrastructure can be deployed:
    • In dedicated regions or single-tenant clouds.
    • On-premises in your data center.
    • In hybrid configurations.
    • Air-gapped with controlled-update procedures.
  • Each option has documented threat modeling and operational runbooks.

Data handling

  • Data flows are designed in the brief and reviewed with your security team before any data moves.
  • We never aggregate engagement data with other customers' data.
  • Engagement data does not leave your data residency boundary.
  • Engagement data is encrypted with engagement-specific keys, not shared keys.

Source and deployment

  • The bRRAIn source code is private and remains private. See Source & deployment policy for the policy detail.
  • Engagement-specific code (your custom integrations, custom marketplace extensions) is delivered to you under terms in the SOW (typically owned by you).
  • All deployments come from our infrastructure; no public artifact registries are used.

Audit

  • Comprehensive audit logging on all engagement systems.
  • Logs available to you in real time and stored per your retention policy.
  • Independent auditor access is supported under contract.
  • Annual joint pen-tests by a third party.

Incident response

  • Engagement-specific incident-response runbook signed at SOW.
  • Notification within 24 hours of detected incident affecting your data.
  • Joint incident-management process during active incidents.
  • Post-incident review with corrective-action commitments.

Vendor management

  • Subprocessors used in your engagement are explicitly disclosed and require your approval.
  • Subprocessor changes during the engagement require your approval.
  • Annual subprocessor review as part of the steady-state engagement.

Compliance posture

Engagement compliance posture follows your sector:

  • Healthcare — HIPAA, HITRUST, sector-specific.
  • Financial services — SOC 2, ISO 27001, sector-specific (FINRA, PCI DSS, NYDFS, etc.).
  • Government — FedRAMP (where in scope), NIST 800-171, ITAR, CMMC, sector-specific.
  • EU — GDPR strict, EU AI Act, sector-specific.
  • Sovereign-cloud — local regulatory frameworks per jurisdiction.

We provide compliance documentation at the depth and form your auditors require.

Right to audit

You retain the right to audit:

  • bRRAIn personnel involved in the engagement.
  • bRRAIn infrastructure used in the engagement.
  • Subprocessors supporting the engagement.
  • Compliance evidence.

Audits are scheduled with reasonable notice; emergency audit rights apply on confirmed incident or material breach indication.

Termination and data return

On engagement termination:

  • All your data returned in agreed format within 30 days.
  • All your data deleted from our systems within 90 days, with cryptographic certificate of deletion.
  • All your custom-built artifacts (integrations, extensions) handed off per SOW.
  • Engagement personnel sign post-engagement confidentiality affirmation.

Where to next