Security / Trust posture

How we secure the layer.

Security posture, compliance certifications, sub-processor list, and breach-notification policy. Updated quarterly.

POSTURE

Security is engineered, not bolted on.

Bridge's security posture is shaped by the customers Brevor serves: health systems handling PHI, financial services with regulator review, defense contractors with FedRAMP requirements. Every Bridge deployment ships with the same security baseline. Customers configure higher tiers as their environment requires.

The baseline includes encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, full audit logging of administrative actions, automated key rotation, and isolation between deployments. Single-tenant deployments add per-customer key management. Air-gapped deployments (Bridge Stone) remove network egress entirely.

Our security team operates a 24/7 incident response rotation across five offices. The same team contributes the audit-trail specification to the AI Safety Index.

COMPLIANCE

Certifications maintained continuously.

SOC 2 Type II

HIPAA

GDPR

ISO 27001

FedRAMP Moderate

PCI DSS Level 1

CSA STAR

All certifications are maintained on continuous assessment, not point-in-time audits. SOC 2 Type II reports refresh annually. HIPAA BAA executes per deployment. FedRAMP Moderate authorization applies to single-tenant deployments serving federal customers.

ISO 27001 and CSA STAR certifications cover the Brevor operating environment. PCI DSS Level 1 applies to deployments handling payment-card data. GDPR posture is documented in the Data Processing Addendum (DPA).

ENCRYPTION

Data is encrypted by default at every layer.

In transit

TLS 1.3 between all components. Certificate pinning for SDK connections. mTLS for inter-service traffic.

At rest

AES-256 encryption for all stored data. Per-deployment key isolation. Customer-managed key (CMK) option on single-tenant.

Key management

Automated 90-day rotation. Hardware security module (HSM) backing on enterprise tiers. Customer KMS integration available.

Audit data

Audit trails encrypted with separate keys from operational data. Customer-controlled retention and export. 7-year default retention; 10-year HIPAA-aligned for Bridge Health.

SUB-PROCESSORS

Sub-processors and their roles.

The sub-processors listed below provide infrastructure to Brevor Tech, Inc. The list is reviewed quarterly. Customers are notified 30 days in advance of additions or material changes.

Amazon Web Services

Cloud infrastructure (US, EU, APAC regions)

Microsoft Azure

Cloud infrastructure (single-tenant deployments, all regions)

Google Cloud Platform

Cloud infrastructure (Bridge Edu deployments)

Snowflake

Audit data warehousing (US and EU regions)

Databricks

Behavioral analytics (US region)

Okta

Identity provider (Brevor internal)

Datadog

Operational telemetry (US region)

Cloudflare

Edge security (global)

BREACH NOTIFICATION

How we notify customers.

Brevor notifies affected customers of confirmed security incidents within 24 hours of confirmation. Notification includes scope, impact, mitigation status, and remediation timeline.

For incidents subject to regulatory reporting (HIPAA, GDPR, state breach-notification statutes), Brevor coordinates with the customer to meet regulator timelines. Customers maintain primary regulatory notification responsibility for their deployment's data subjects.

Security inquiries route to security@brevortech.com. Active customers escalate via their account team and the 24/7 incident response line documented in the deployment agreement.

Trust packet

Brevor maintains a current trust packet — SOC 2 Type II report, HIPAA BAA template, sub-processor list, DPA, and security questionnaire responses. The packet is shared with active buyers under NDA.

Request trust packet →

Scope a deployment under your security review.

Talk to sales →