Security & Compliance

Built for trust,
from the first byte

SOC 2 Type 2 attested, encrypted at rest and in transit, and engineered so your raw data never leaves your warehouse.

SOC 2 Type 2
GDPR compliant
AES-256 encryption

Security & compliance

Enterprise-Grade Security

SOC 2 Type 2 attested, with comprehensive security controls and audit logging.

SOC 2 Type 2 Attested

Role-Based Access

Granular permissions, scoped per workspace, project, and asset

Audit Logs

Complete activity tracking

Single Sign-On

SAML 2.0 & OAuth

Encryption

AES-256 at rest, TLS 1.2+ in transit

Private Links

VPC peering support

Data Residency

EU region available; GDPR compliant

Access Controls

IP allowlisting

Two-Factor Auth

Required for Bruin staff, available for every customer account

99.9%

Uptime SLA

24/7

Monitoring

SOC 2

Type 2 Attested

Data protection

Your data stays yours

Bruin runs transformations inside your warehouse. Customer data does not leave your infrastructure, and no raw data is ever used to train any model.

Warehouse-native execution

Transformations run inside your Snowflake, BigQuery, Databricks, Redshift, or Postgres. Customer data never leaves your infrastructure.

No model training on your data

Your raw data is never used to train any model. AI calls send only the schema metadata, the generated SQL, and the query results needed to answer a question, never bulk table contents.

Granular retention

Personal data is kept only as long as needed for the service or to meet legal obligations. Delete or export anytime from account settings.

EU data residency

Pick the region your tenant runs in. We support EU residency for customers with GDPR or local data-residency requirements.

Sub-processor transparency

Every third-party processor is contractually bound by data processing agreements that honor our privacy commitments to you.

Data subject rights

Access, correction, deletion, and portability requests are handled in-product or directly by email to our team.

AI privacy

The AI analyst sees metadata, not your raw data

The AI reads schema, metadata, and data-quality state, generates SQL, and runs that SQL against your warehouse. Only the query results needed to answer the question pass through to the model. Those results can still contain row-level values from whatever columns the SQL selects, so scope the warehouse credentials the analyst runs under to the data it should be able to see. All model calls go through enterprise LLM endpoints with no-training agreements.

No model training

Your data is never used to train any model, ours or third-party.

Enterprise endpoints

All LLM calls run through enterprise endpoints with no-training agreements.

Warehouse-native

SQL runs in your warehouse. Raw data never leaves your infrastructure.
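The boundary described in this section, shown as an added example rather than Bruin's own code (the page does not show how Bruin implements it): the model is handed table and column names only, its SQL executes under a read-only policy that cannot write, alter schema, run PRAGMA or ATTACH, designated PII columns come back as NULL, and only a capped result set is returned to the caller. An in-memory SQLite database stands in for the warehouse, the `customers` table and its rows are constructed sample data, and `MASKED_COLUMNS` is an assumed policy that a real deployment would take from a catalog or a warehouse masking rule.

```python
import sqlite3
from typing import Any

# Constructed sample data standing in for the customer's warehouse; an in-memory
# SQLite database is used so the example runs offline.
def make_sample_warehouse() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, country TEXT, plan TEXT);
        INSERT INTO customers VALUES
            (1, 'ana@example.com', 'DE', 'pro'),
            (2, 'bo@example.com',  'FR', 'free'),
            (3, 'cy@example.com',  'DE', 'pro');
    """)
    return conn

# Assumption for the example: (table, column) pairs the analyst role may never read.
MASKED_COLUMNS = {("customers", "email")}


def _analyst_authorizer(action: int, arg1, arg2, db_name, trigger) -> int:
    """SQLite authorizer callback: allow SELECT and plain column reads, return
    masked columns as NULL, and deny every other action (INSERT/UPDATE/DELETE,
    CREATE/DROP, PRAGMA, ATTACH, ...) that model-written SQL might attempt."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        if (arg1, arg2) in MASKED_COLUMNS:
            return sqlite3.SQLITE_IGNORE  # column value is replaced by NULL
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


class AnalystSession:
    """A warehouse connection locked down for the AI analyst loop: metadata out,
    read-only SQL in, capped results back."""

    def __init__(self, conn: sqlite3.Connection, max_rows: int = 100):
        self.conn = conn
        self.max_rows = max_rows
        conn.set_authorizer(_analyst_authorizer)  # stays in force for the session

    def schema_context(self) -> dict[str, list[str]]:
        """Metadata only: table and column names, taken from zero-row SELECTs so no
        row is ever fetched. Masked columns are left out of what the model sees."""
        names = [r[0] for r in self.conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        ctx: dict[str, list[str]] = {}
        for t in names:
            quoted = t.replace('"', '""')
            cur = self.conn.execute(f'SELECT * FROM "{quoted}" WHERE 0')
            ctx[t] = [d[0] for d in cur.description if (t, d[0]) not in MASKED_COLUMNS]
        return ctx

    def run(self, sql: str) -> dict[str, Any]:
        """Execute model-generated SQL under the authorizer; return column names and
        at most max_rows rows, plus a flag saying whether the result was cut off."""
        try:
            cur = self.conn.execute(sql)
            rows = cur.fetchmany(self.max_rows + 1)
        except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as "not authorized"
            raise PermissionError(f"rejected by read-only policy: {exc}") from exc
        cols = [d[0] for d in cur.description] if cur.description else []
        return {
            "columns": cols,
            "rows": [tuple(r) for r in rows[: self.max_rows]],
            "truncated": len(rows) > self.max_rows,
        }


def is_rejected(session: AnalystSession, sql: str) -> bool:
    """True if the policy refused the statement (used to verify the deny paths)."""
    try:
        session.run(sql)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    session = AnalystSession(make_sample_warehouse(), max_rows=2)
    print(session.schema_context())
    print(session.run("SELECT country, COUNT(*) AS n FROM customers GROUP BY country ORDER BY country"))
    print(session.run("SELECT * FROM customers ORDER BY id"))  # email comes back NULL, 2 rows, truncated
    print(is_rejected(session, "UPDATE customers SET plan = 'free'"))
```

The authorizer is evaluated when SQLite compiles the statement, so a denied write fails before it touches any row; the same property is what a warehouse-side read-only role gives you, and the example shows why column-level masking and a row cap belong at that layer rather than in the prompt.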

Infrastructure

Hardened by default

Encryption, isolation, and continuous monitoring across every layer of the platform.

AES-256 encryption at rest

All customer data and backups are encrypted at rest with AES-256 using managed keys.

TLS 1.2+ in transit

All traffic between clients, services, and warehouses is encrypted in transit with modern TLS.

Private network links

VPC peering and private connectivity options are available for enterprise tenants.

Role-based access control

Granular permissions, scoped per workspace, project, and asset. Least privilege by default.

Single sign-on

SAML 2.0 and OAuth on enterprise plans. SCIM provisioning available.

Two-factor authentication

Required for all internal staff. Available for all customer accounts.

Audit logs

Complete activity tracking for queries, asset changes, access, and administrative actions.

24/7 monitoring

Continuous infrastructure and security monitoring with on-call response.

Background checks

All Bruin staff with access to production undergo background checks and sign confidentiality agreements.

Compliance

Standards we meet

SOC 2 Type 2

Audited annually against the AICPA Trust Services Criteria for security, availability, and confidentiality.

GDPR

Lawful processing, data subject rights, and EU data residency. We act as a processor on behalf of our customers.

Sub-processors

Each service provider that processes data on our behalf is bound by data processing agreements honoring our privacy commitments.

Data subject rights

Access, correction, and deletion requests are handled through the in-product settings or by contacting our team directly.

Vulnerability disclosure

Report a security issue

We work with security researchers acting in good faith. If you believe you have found a vulnerability, we want to hear about it.

What to include

  - Clear description of the vulnerability
  - Steps to reproduce
  - Affected URL, endpoint, or component
  - Screenshots or proof-of-concept
  - Potential impact

What to expect

  - Acknowledgment within 3 business days
  - Regular status updates
  - Notification when resolved
  - Credit for your discovery, if you wish
  - Safe harbour for good-faith research

Talk to our security team

Need a SOC 2 report, DPA, security questionnaire response, or a deep-dive call? We'll get it to you.