Skip to content

Security

Trust earned, not claimed.

What we do today, what we're working toward, and what we won't pretend.

Encryption

Documents at rest are encrypted with AES-256 by our object storage; application data lives in a managed Postgres 18 cluster (Railway, US region) encrypted at rest by the host. All connections use TLS 1.3 minimum. Per-document SHA-256 hashes are recorded at ingest, and each produced file is hash-verified at packaging.

Schema-per-tenant isolation

Each firm's data lives in its own Postgres schema. There is no shared table, no shared row. The database literally does not have a path between two firms' data.

The architecture is built on django-tenants — a battle-tested pattern that physically scopes every query to the firm's schema based on the resolved tenant. A cross-tenant data leak would require a database-level configuration error, not an application bug.

SOC 2 — where we are, honestly

Brevio is pre-audit. SOC 2 Type II audit kicks off Q3 2026. In the meantime:

  • Optional firm-wide MFA enforcement, controlled by firm administrators
  • Append-only audit log on every action affecting documents, holds, productions
  • Per-firm encrypted credential vault for AI provider keys
  • Tenant-isolated Stripe billing with idempotent webhook handling
  • JWT in HttpOnly Secure cookies, SameSite=Strict

We won't put a SOC 2 badge on this site until we have one. If your firm's information-security review needs a Type I letter or a DPA, email [email protected].

Audit log

Every meaningful action is recorded with actor, role, timestamp, and scope snapshot. The log is append-only — no edit, no delete. The Defensibility Report renders straight from these records.

Brevio audit log screenshot

Discovery without the vendor

Your data is yours. Export anytime, in standard formats — Concordance DAT, EDRM XML, native files with their original metadata. No retention hostage. No proprietary container format you can't open without us.

Sub-processors

ProcessorPurposeRegion
StripePayment processingUS
ResendTransactional email deliveryUS
RailwayApplication hosting + PostgresUS
Cloudflare R2Document storage (S3-compatible)US
OpenAIAI: summary, coding suggestions (per-firm key)US
AnthropicAI: summary, coding suggestions (per-firm key)US
SentryError & performance monitoring (no document contents)US
PostHogProduct analytics (no session recording)US

Ready to put it through its paces?

No credit card required.