Security Overview — bRRAIn Docs

bRRAIn's zero-trust security model, encryption layers, compliance certifications, and security practices.

Security Overview

Security is foundational to bRRAIn's architecture, not an afterthought. The platform implements a zero-trust security model where every request, every inter-zone communication, and every data access is authenticated, authorized, and audited. This document provides an overview of the security controls that protect your data.

Zero-Trust Architecture

bRRAIn follows the principle of "never trust, always verify." No component in the system implicitly trusts another, regardless of network location. Every interaction requires:

  1. Identity verification: The requesting entity must prove its identity through cryptographic credentials
  2. Authorization check: The Security Zone verifies that the authenticated identity has permission to perform the requested operation
  3. Context validation: The request must come from an expected context (correct workspace, valid IP range, appropriate time window)

This model applies equally to external API requests and internal zone-to-zone communication. A compromised component cannot escalate privileges or access data outside its authorized scope.
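One way to express the three checks above as a single deny-by-default gate, as an added Go example (not bRRAIn's code or API). The `Request` and `Policy` types, the HMAC-SHA256 credential and every sample value are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/netip"
	"time"
)

type Request struct { // hypothetical request shape
	Identity, Workspace, Op string
	SourceIP                netip.Addr
	At                      time.Time
	MAC                     []byte // HMAC-SHA256 credential over the signed fields
}
type Policy struct { // hypothetical per-identity policy
	Key       []byte          // shared secret
	Workspace string          // expected workspace
	Ops       map[string]bool // permitted operations
	Range     netip.Prefix    // expected source range
	Window    time.Duration   // accepted clock skew
}

func Sign(key []byte, r Request) []byte { // %q quoting keeps field boundaries unambiguous
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%q %q %q %d", r.Identity, r.Workspace, r.Op, r.At.Unix())
	return m.Sum(nil)
}

func Verify(policies map[string]Policy, r Request, now time.Time) error { // identity, then authorization, then context
	p, ok := policies[r.Identity]
	if !ok || !hmac.Equal(Sign(p.Key, r), r.MAC) {
		return fmt.Errorf("identity: unknown caller or bad signature")
	}
	if !p.Ops[r.Op] {
		return fmt.Errorf("authorization: %q not permitted", r.Op)
	}
	if d := now.Sub(r.At); r.Workspace != p.Workspace || !p.Range.Contains(r.SourceIP) || d > p.Window || d < -p.Window {
		return fmt.Errorf("context: unexpected workspace, source IP or time")
	}
	return nil
}

func main() {
	p := Policy{[]byte("constructed-secret"), "ws-1", map[string]bool{"retrieve": true}, netip.MustParsePrefix("10.0.0.0/8"), time.Minute}
	r := Request{"svc-a", "ws-1", "retrieve", netip.MustParseAddr("10.1.2.3"), time.Unix(1700000000, 0), nil}
	r.MAC = Sign(p.Key, r)
	fmt.Println(Verify(map[string]Policy{"svc-a": p}, r, r.At)) // <nil>: all three checks passed
}
```

The `ok` test matters: without it an unknown identity would be verified against an empty key, which any caller can compute a valid MAC for.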

Encryption

Data at Rest

All stored data is encrypted using AES-256-GCM with per-vault Data Encryption Keys (DEKs). The envelope encryption model ensures that encryption keys are never stored alongside the data they protect.

  • Memory objects: Encrypted individually with unique initialization vectors
  • Metadata indexes: Encrypted with a separate index key to enable search without exposing content
  • Embeddings: Encrypted before storage in the vector database
  • Backups: Encrypted with a backup-specific key before transfer to cold storage
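The envelope model described above, as an added Go example (not bRRAIn's code): a per-vault DEK is wrapped under a key-encryption key, and each object is sealed with AES-256-GCM under a fresh nonce. The `seal` and `open` helpers, the in-memory KEK standing in for an HSM or KMS key, and the use of vault and object ids as associated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-GCM; a 32-byte key selects AES-256.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, pt, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, aad), nil
}

// open fails if the key, the stored blob or the aad differs from seal time.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	kek, dek := make([]byte, 32), make([]byte, 32) // constructed; KEK stands in for an HSM/KMS key
	rand.Read(kek)
	rand.Read(dek)
	wrapped, _ := seal(kek, dek, []byte("vault-demo")) // only the wrapped DEK is stored
	blob, _ := seal(dek, []byte("memory object"), []byte("obj-1"))
	unwrapped, _ := open(kek, wrapped, []byte("vault-demo"))
	_, err := open(unwrapped, blob, []byte("obj-2")) // blob replayed under another object id
	fmt.Println("replayed blob rejected:", err != nil)
}
```

Because only the wrapped DEK sits beside the ciphertext, a copy of the data store without access to the KEK yields nothing decryptable.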

Data in Transit

All network communication uses TLS 1.3. Internal zone-to-zone traffic uses mutual TLS (mTLS) with certificates rotated every 24 hours. Certificate pinning prevents man-in-the-middle attacks even if a certificate authority is compromised.

Key Management

Encryption keys are managed through hardware security modules (HSMs) certified to FIPS 140-2 Level 3. Platform-managed keys are rotated automatically every 90 days. Enterprise customers can use their own key management infrastructure (AWS KMS, Google Cloud KMS, Azure Key Vault, or HashiCorp Vault) for full control over key lifecycle.

See Vaults for details on the encryption model and key management options.

Access Control

Authentication

bRRAIn supports multiple authentication methods to accommodate different integration patterns:

  • API keys for server-to-server integrations
  • OAuth 2.0 with PKCE for user-facing applications
  • SAML 2.0 for enterprise single sign-on
  • Multi-factor authentication (TOTP and WebAuthn) for dashboard access

See Authentication for implementation details.

Authorization

Role-based access control (RBAC) governs what authenticated users can do. Permissions are scoped at multiple levels:

  • Organization level: Billing, user management, vault creation
  • Vault level: Key management, workspace creation, audit configuration
  • Workspace level: Memory operations, member management, settings

Custom roles allow fine-grained permission sets beyond the built-in Owner, Admin, Editor, and Viewer roles.

Audit Logging

Every data access and administrative action generates an immutable audit log entry containing:

  • Who: The authenticated identity (user, API key, or service account)
  • What: The operation performed (store, retrieve, delete, configure)
  • When: Timestamp with microsecond precision
  • Where: The vault, workspace, and resource affected
  • How: The API endpoint, request ID, and source IP address

Audit logs are retained for a minimum of 7 years on enterprise plans. They can be streamed in real time to external SIEM systems (Splunk, Datadog, Elastic) via webhook or syslog integration.

Network Security

  • DDoS protection: All public endpoints are fronted by Cloudflare with automatic DDoS mitigation
  • IP allowlisting: Restrict vault access to specific IP ranges or CIDR blocks
  • Private networking: Enterprise customers can connect via AWS PrivateLink, GCP Private Service Connect, or Azure Private Link
  • WAF rules: Web application firewall rules protect against OWASP Top 10 vulnerabilities

Compliance

bRRAIn maintains the following compliance certifications:

| Certification | Status | Scope |
|---------------|--------|-------|
| SOC 2 Type II | Current | All cloud infrastructure and operations |
| ISO 27001 | Current | Information security management system |
| GDPR | Compliant | EU data processing and residency |
| HIPAA | Available | Healthcare data on enterprise plans with BAA |
| CCPA | Compliant | California consumer data privacy |
| FedRAMP | In Progress | US federal government workloads |

Data Residency

bRRAIn Cloud offers data residency in multiple regions:

  • US: us-east-1 (Virginia), us-west-2 (Oregon)
  • EU: eu-west-1 (Ireland), eu-central-1 (Frankfurt)
  • APAC: ap-southeast-1 (Singapore), ap-northeast-1 (Tokyo)

Data never leaves the configured region, including backups, logs, and processing artifacts.

Vulnerability Management

  • Penetration testing: Conducted quarterly by independent security firms
  • Bug bounty program: Responsible disclosure program at security.brrain.io
  • Dependency scanning: Automated scanning of all dependencies on every build
  • Incident response: Documented IRP with 1-hour response SLA for critical vulnerabilities

Next Steps

  • Vaults — Encryption boundaries and key management
  • Authentication — API key and OAuth setup
  • Self-Hosting — Security considerations for on-premises deployments