Security Policy

Last updated: 10/8/2025

Overview

Brain Garden is committed to protecting the confidentiality, integrity, and availability of our systems and your data. This Security Policy outlines key controls and practices we use to safeguard the Services.

Infrastructure and Data

  • Services are hosted on reputable cloud providers with strong security programs.
  • Data is encrypted in transit using TLS and encrypted at rest where supported.
  • Production access is limited to authorized personnel, following the principle of least privilege.
  • Backups and disaster recovery procedures are maintained for critical systems.

Application Security

  • Authentication is provided by trusted identity providers; MFA is supported where applicable.
  • Secrets and API keys are stored securely using environment controls or a secrets manager.
  • We follow secure coding practices, code review, and dependency management.
  • Rate limiting and abuse detection help protect against automated misuse.

BYOK and Provider Integrations

When you connect third‑party provider API keys, we store them securely (e.g., encrypted) or as short‑lived tokens where possible. Requests are proxied to providers on your behalf. You can revoke keys at any time in your account settings. You are responsible for permissions and costs associated with your provider accounts.

Data Handling and Retention

We collect and retain data necessary to provide the Services and comply with law. We strive to minimize retention of sensitive content and logs. You may request deletion of your account; some data may be retained for legal, security, or operational reasons.

Vulnerability Reporting

We welcome reports of suspected vulnerabilities. Please contact [email protected] with details and steps to reproduce. Do not publicly disclose without coordinated remediation. We prohibit testing that could harm users or data (e.g., DDoS, social engineering, or accessing data you do not own).

Incident Response

We maintain processes to detect, investigate, and respond to security incidents. If your data is impacted, we will notify you as required by law and applicable agreements.

Changes

We may update this Security Policy from time to time. Material updates will be announced, and continued use of the Services constitutes acceptance of the current policy.