
00_TRUST // CONSOLIDATED_HUB

HOW WE EARN
YOUR TRUST.

Security, privacy, compliance, subprocessors, and incident response — every public document we maintain, in one index. We document what we actually run, including the gaps. No cert theatre.

UPDATED CONTINUOUSLY // CHANGELOG AT /CHANGELOG // VULN REPORTS WELCOME

01 // POSTURE

Security overview

TLS 1.2+ everywhere, AES-GCM column encryption for PHI/PII, signed Stripe webhooks, hardware-key MFA for engineering access.


02 // VENDORS

Sub-processors

Every third party that touches customer data, with BAA and DPA status per vendor. Updated within 30 days of any change.


03 // PRIVACY

Privacy policy

What we collect, why we collect it, how long we keep it, and how to delete it. GDPR and CCPA aware. No dark patterns.


04 // CHOICE

Cookie preferences

Honors Global Privacy Control (GPC). Granular consent, no pre-ticked boxes, and a real reject-all that actually rejects.


05 // COMPLIANCE

Compliance scorecards

Per-product compliance pages — HIPAA-aware products document PHI handling, BAA execution, and data-flow boundaries.


06 // STATUS

Incident response & status

Live health endpoint and the IR runbook (sev classification, comms template, evidence preservation, customer-notification timing).


07_PRINCIPLES // ENGINEERING_DEFAULTS

HOW WE BUILD.

ENCRYPTED-AT-REST
Every PHI/PII column wrapped in AES-GCM with per-record keys. LUKS at the volume layer. Backups encrypted before they leave the host.
SIGNED-WEBHOOKS
Every Stripe and inbound webhook verified by HMAC with a per-endpoint secret and 5-minute replay tolerance. No unsigned request reaches business logic.
LEAST-PRIVILEGE
Public endpoints never run with database superuser credentials. Workspace data is gated by row-level checks. Admin actions require MFA.
OBSERVABLE-BY-DEFAULT
Every state transition writes to an append-only audit log. Every external call carries a correlation id. /healthz tells you the truth.
NO-CERT-THEATRE
We don't claim certifications we haven't earned. We document what we actually run, including the gaps. Read /security for the full posture.
RESPECT-THE-USER
Honors prefers-reduced-motion, Global Privacy Control, and the right to delete. No dark patterns, no growth hacks at the user's expense.
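As an added illustration of the SIGNED-WEBHOOKS default above (example code written for this page, not the company's own), here is a verifier for a Stripe-style signed webhook: it assumes Stripe's header format (`t=<unix ts>,v1=<hex hmac>`, HMAC-SHA256 keyed with the per-endpoint secret over `<ts>.<raw body>`) and enforces the 5-minute replay tolerance; the secret and event body are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # the 5-minute replay window the page describes


def verify_webhook(body: bytes, sig_header: str, secret: str,
                   now: Optional[float] = None) -> bool:
    """Return True only if the raw body carries a fresh, valid signature.

    Header format assumed (Stripe scheme): "t=<unix ts>,v1=<hex>[,v1=<hex>]".
    Several v1 values may be present during secret rotation; any valid one passes.
    """
    now = time.time() if now is None else now
    timestamp = None
    candidates = []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    # Replay tolerance: stale or future-dated events are rejected before any
    # business logic sees them, even if the MAC would otherwise verify.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    # Sign the *raw* body bytes; re-serialising parsed JSON would break the MAC.
    signed_payload = f"{ts}.".encode() + body
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def sign_webhook(body: bytes, secret: str, ts: int) -> str:
    """Build the header as the sender would (constructed for this demo)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


if __name__ == "__main__":
    body = b'{"id":"evt_constructed_1","type":"invoice.paid"}'  # constructed event
    secret = "whsec_constructed_example"                            # constructed secret
    header = sign_webhook(body, secret, int(time.time()))
    print("fresh, valid:", verify_webhook(body, header, secret))
    print("tampered body:", verify_webhook(body + b" ", header, secret))
```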

REPORT A VULN // SECURITY@BRAINIACSTECHSOLUTIONS.COM