We document our security posture against the frameworks our enterprise customers ask about. Status reflects current audit state — not a future-state aspiration.
Hosted on managed Postgres with encryption at rest and in transit. EU-aligned region available on request for GDPR Article 44 use cases. Region pinning negotiated per Enterprise contract.
TLS 1.3 termination at the edge. AES-256-GCM at rest by default on managed Postgres. Backups encrypted with provider-managed keys. No customer data leaves a TLS-encrypted channel in normal operation.
Role-based access control with audit logs on every workspace mutation. Workspace-scoped tokens — no cross-tenant access. SSO (SAML / OIDC) available on Enterprise tier. Production deploys via least-privilege CI keys; no shared credentials.
Report security incidents to walid@brevux.com. Target acknowledgement window: 24h business hours. SLA terms negotiated per contract on Enterprise tier. Public post-mortems for high-severity incidents within 7 business days of resolution.