Settings & themes

The Settings area gathers the cross-cutting configuration that doesn't belong on a per-feature page. This includes branding, theming, billing, retention, authentication, and the so-called "danger zone."

Branding

From Settings → Branding:

Logo — upload a SVG (preferred) or PNG. Renders in the Console sidebar, in your members' app dashboard, and on email notifications.
Wordmark — text rendition of your organization name for places where the logo wouldn't fit.
Favicon — browser tab icon. We auto-generate the various sizes from a single 256×256 source.
Email footer — text and a link block appended to every notification email.

Branding is per-organization. Different organizations on the same account see different branding.

Themes

The theme picker offers light, dark, and system-default. Sovereigns can also define custom themes:

Pick or paste an accent color (the primary action / highlight color).
Pick a secondary color for accents and dividers.
Pick a heading font (a curated list of system + free webfonts).
Pick a body font.
Optionally upload a custom CSS file with overrides for power users.

Custom themes flow through to every Console page and into every installed extension's iframe. Members can override the organization theme with their personal preference under their account settings.

Billing

Settings → Billing contains:

The current plan and tier.
Payment method on file.
Billing email and tax ID.
Active subscriptions (your plan plus any per-extension subscriptions).
Invoice history (downloadable as PDF).
Usage breakdown (the same data that powers the dashboard's spend card).
Spend caps and notification thresholds.
Plan change controls (upgrade, downgrade, cancel).

See Account & subscriptions for the conceptual model behind plans and metering.

Retention policies

Default Vault retention is indefinite. From Settings → Retention you can set:

Per-zone retention — soft-delete after N days, hard-purge after another N days.
Per-record-class retention — apply a different policy to records tagged with specific ontology classes.
Audit log retention — how long to keep audit-trail entries (subject to plan minimums).
Backup retention — how many backup snapshots to keep, with daily / weekly / monthly granularity.

Compliance-tagged organizations get retention forced automatically per the regulatory requirement (e.g., HIPAA forces 7-year minimums on patient-data zones). See Compliance.

Retention changes apply going forward. Records already past their previous retention window aren't retroactively purged.

Authentication

Settings → Authentication holds:

MFA enforcement — require MFA for all members, for Sovereigns and Architects only, or off (not recommended).
Session lifetime — how long sign-in sessions live before re-auth.
Sign-in IP allowlist — restrict sign-ins to specific CIDR ranges. Available on Business and Enterprise.
SSO configuration — see Console: Members.
SCIM — see Console: Members.
Service account policies — token lifetime maximums, rotation requirements.

Quotas

Per-zone, per-extension, and per-integration soft and hard limits. Soft limits fire a warning notification; hard limits return errors to the caller. Useful for cost control and for fairness across teams sharing an organization.

Data residency

Your active region is shown. Region changes require a Vault migration, which is a coordinated process with our support team — not a self-service control. See Data residency.

Custom domains

Business and Enterprise tiers can map your organization to custom domains:

App custom domain — app.your-company.com instead of your-org-slug.brrain.io.
Console custom domain — console.your-company.com.
Marketplace custom domain — for OEMs or resellers running their own branded marketplace.

Setup is via DNS CNAME plus a TLS certificate we issue automatically.

Notifications

A pointer to the dedicated Notifications page.

Audit settings

Choose how long to retain audit-log entries and which event classes to log. By default everything is logged; some compliance regimes require longer retention than the plan default, which is set here.

Danger zone

The bottom of the Settings page contains the actions you'd never reach for accidentally. Each is gated to Sovereigns only and requires re-typing the organization name to confirm:

Rotate master encryption key — re-wraps every record's data encryption key under a fresh master. Members are not affected; expect a brief Vault read-pause during the rotation.
Reset all OAuth tokens — invalidates every integration's OAuth tokens, forcing re-auth.
Export everything — produces the full organization export described in Your data.
Suspend organization — pauses every member's access; useful during a security incident response.
Delete organization — begins the 30-day deletion countdown described in Organizations.

Every danger-zone action fires a notification to all Sovereigns and is the most prominently logged event class in the audit trail.

Where to next

Account & subscriptions — billing concepts.
Compliance — what compliance tagging forces.
Data residency — region options and constraints.