Legal · Security

Security posture

Last updated April 19, 2026

Overview

Security is foundational to Brahmalabs, not an afterthought. This page describes the technical and organisational measures we implement to protect your data, workflows, and agent operations.

Infrastructure

  • Hosting. Production runs on EU-based infrastructure with full-disk encryption.
  • Network. External traffic is proxied through Cloudflare with DDoS protection and WAF rules.
  • TLS. All connections use TLS 1.3. HSTS is enforced with preload. Certificate transparency is monitored.

Data encryption

  • In transit. TLS 1.3 for all API, dashboard, and inter-service communication.
  • At rest. The secrets vault uses AES-256-GCM encryption. Database volumes use full-disk encryption.
  • Key management. Encryption keys are stored separately from encrypted data, rotated on schedule, and never logged.

Customer data segregation

Every customer organisation's workflows, agent configurations, credentials, execution logs, and audit records live in a dedicated, logically-bounded space. Cross-tenant access is structurally impossible at the data layer — not merely prevented by application logic.

  • Dedicated data partition per organisation
  • Enforcement at the database layer, not just in application code
  • Connection-scoped query boundaries on every request
  • Per-tenant workflow execution queues

Authentication and access

  • Single sign-on via your existing identity provider — SAML 2.0, OAuth, Google Workspace, Microsoft
  • Fine-grained role-based access control, enforced server-side
  • API keys with scoped permissions
  • Short-lived session tokens with secure cookie settings

Agent runtime

  • Agents execute in isolated containers with configurable resource limits
  • Tool and MCP allow-listing at workspace, workflow, and individual-agent level
  • Credentials injected at runtime as scoped, short-lived references
  • Guardrails for PII detection and content filtering
  • Configurable spend ceilings per workflow

Audit and compliance

  • Append-only, tamper-evident audit log for every security-relevant event
  • Recorded categories: auth.*, config.*, run.*, hitl.*, integration.*, key.*, tenant.*, guardrail.*
  • Exportable records for compliance reporting
  • SOC 2 Type II certification in progress

Vulnerability reporting

If you discover a security vulnerability, please report it responsibly to security@brahmalabs.io. We commit to:

  • Acknowledging your report within 24 hours
  • Providing a remediation timeline within 72 hours
  • Crediting you, if you wish, once the issue is resolved

Please do not disclose vulnerabilities publicly before we have had the opportunity to address them.

Contact

For security enquiries: security@brahmalabs.io