brily
Trust

Security, made specific.

Vendor security pages usually hide behind phrases like 'industry-standard encryption'. This is the specific version. If anything here is unclear or you need a deeper dive, email security@brily.app and we will schedule a call.

Data

Encryption, at rest and in transit

  • AES-256-GCM at rest across all customer data
  • TLS 1.2+ in transit with HSTS preload
  • Argon2id for password hashing, per-user salt
  • Encrypted off-site backups with quarterly restore drills

Access

Least privilege, logged

  • Production data access is role-gated and audit-logged
  • MFA enforced on all employee accounts, TOTP or hardware key
  • Break-glass access requires a second approver and posts to an audit channel
  • Customer data is never copied to developer laptops

Testing

Continuous validation

  • Annual third-party penetration test; summary under NDA
  • Continuous automated scanning (dependencies, secrets, SAST)
  • Bug bounty programme with scoped targets and rewards
  • Coordinated vulnerability disclosure with 24h ack SLA

Operations

Production hygiene

  • Every production change goes through review and CI
  • Infrastructure-as-code in git; no console-level drift tolerated
  • Deployed from an auditable, signed supply chain
  • Incident response runbooks, drilled quarterly

Compliance status

We commit to specific, dated targets rather than vague "compliance" claims:

  • GDPR and UK GDPR. In scope from day one. Self-serve DPA, published sub-processors, full data-subject request workflow. Our obligations for the data we control ourselves are set out in the privacy policy.
  • SOC 2 Type I. Attestation scheduled to complete alongside general availability (Q4 2026).
  • SOC 2 Type II. Observation period starts at GA. Report expected H2 2027.
  • ISO 27001. On the 2027 roadmap, timing driven by enterprise-customer demand.

Reporting a vulnerability

Email security@brily.app. We acknowledge within 24 hours. Include repro steps, impact assessment, and (if relevant) the X-Request-Id header from any requests involved.

  • Do: exploit only against accounts you own or have explicit permission to test.
  • Do: give us reasonable time to fix before public disclosure (usually 90 days, negotiable).
  • Do not: run denial-of-service tests, social-engineer our employees, or access data belonging to other customers.

We do not take legal action against good-faith researchers who follow those rules. We do recognise contributions in our acknowledgements list (opt-in).

Security.txt

/.well-known/security.txt lists our contact details, acknowledgements URL, and preferred language for reports, per RFC 9116.
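RFC 9116 makes two fields mandatory, Contact and Expires, and a stale Expires is the most common way a published security.txt silently stops being valid. The following is an added example of a validator for such a file, not code from brily; the sample file body it checks is constructed for the example, and the acknowledgements URL, policy URL and expiry date in it are assumptions rather than the contents of the live /.well-known/security.txt. Note that the RFC spells the field "Acknowledgments".

```python
"""Check a security.txt body against the RFC 9116 rules a reviewer cares about.

Added example; the sample file below is constructed and its URLs and dates
are assumptions, not the live file served by brily.app.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample body (assumed values, not the real file).
SAMPLE_SECURITY_TXT = """\
# security.txt for brily.app (constructed example)
Contact: mailto:security@brily.app
Expires: 2026-12-31T23:59:00.000Z
Acknowledgments: https://brily.app/security/acknowledgements
Preferred-Languages: en
Canonical: https://brily.app/.well-known/security.txt
Policy: https://brily.app/trust
"""

REQUIRED_FIELDS = ("Contact", "Expires")
# RFC 9116 says these two fields must not appear more than once.
SINGLE_VALUED = ("Expires", "Preferred-Languages")
# Contact must be a URI; RFC 9116 names these three schemes.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(body):
    """Return {field: [values]}, keeping repeated fields and skipping comments."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp; a trailing Z or no offset means UTC."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_security_txt(body, now=None):
    """Return a list of problems; an empty list means every check passed.

    `now` may be omitted (current UTC time), a datetime, or an ISO 8601 string.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_timestamp(now)

    fields = parse_security_txt(body)
    problems = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            # A bare e-mail address without mailto: is the usual mistake here.
            problems.append(f"Contact value is not a usable URI: {value}")

    if len(fields.get("Expires", [])) == 1:
        try:
            expires = _parse_timestamp(fields["Expires"][0])
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {fields['Expires'][0]}")
        else:
            if expires <= now:
                problems.append("Expires is in the past; the file must be refreshed")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    # Links that point at web resources should be served over HTTPS.
    for value in fields.get("Canonical", []) + fields.get("Acknowledgments", []) + fields.get("Policy", []):
        if not value.startswith("https://"):
            problems.append(f"web link is not https: {value}")

    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["no problems found"]:
        print(problem)
```

Run it against a fetched copy of the file on a schedule; the expiry check is the one that catches the file rotting a year after it was written.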

Sub-processors

The complete, current list lives at /legal/sub-processors. We notify customers 30 days before adding a new one.

Data residency

Primary data stores run in EU regions. Some sub-processors operate globally (Cloudflare CDN, Sentry error tracking); the sub-processor list identifies each. Where transfers occur, we rely on the EU Standard Contractual Clauses.

Questionnaires

If you need to run a security-review questionnaire for procurement, email security@brily.app with the template. We fill out CAIQ Lite, SIG, and custom enterprise questionnaires. Turnaround is typically under five business days.

Talk to our security team.

For procurement calls, SOC 2 report access, or technical deep-dives. We respond within 24 hours.

security@brily.app