SECURITY

Enterprise security, by design

Bahoosh was built for organisations where data confidentiality is non-negotiable. Every layer is designed to keep your knowledge inside your boundary.

Encryption everywhere

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are rotated automatically and are never shared across tenants.

Per-tenant isolation

Every tenant's data lives in an isolated partition. No shared tables, no shared vector namespaces. Cross-tenant leakage is structurally impossible.

Least-privilege access

Connector credentials are scoped to read-only. API keys are per-tenant and can be revoked instantly. No standing privileged access for @CompanyBrain staff.

Full audit trail

Every query, every index operation, and every admin action is logged with actor identity and timestamp. Immutable audit logs are available on Enterprise plans.

Self-hosting option

Enterprise customers can run @CompanyBrain entirely inside their own VPC or on-premises. Zero outbound telemetry. You control the infrastructure.

Responsible disclosure

We maintain a public security policy and respond to vulnerability reports within 24 hours. CVEs are patched and communicated transparently.

DATA ISOLATION

Multi-tenant by architecture, not by policy

Each tenant's document index, embeddings, and query history are stored in fully isolated database partitions. There is no shared table, no shared namespace, and no possibility of a query from one tenant reaching another's data — even through a bug.

Tenant identifiers are propagated through every layer: ingestion, indexing, vector search, and API responses. The architecture makes cross-tenant data leakage structurally impossible.

[Figure: Tenant 1, Tenant 2 and Tenant 3, each with its own Index, Vectors and History, in isolated partitions]

COMPLIANCE

Built to meet enterprise requirements

SOC 2 Type II

Our infrastructure and processes are audited annually against the AICPA Trust Services Criteria. Reports available to Enterprise customers under NDA.

GDPR Ready

Full data processing agreements available. You remain the data controller. We act as a processor and comply with all GDPR obligations.

ISO 27001 (In Progress)

We are actively pursuing ISO 27001 certification. Our ISMS covers all production systems, and certification is expected to complete in Q3 2026.

HIPAA (Enterprise)

Enterprise self-hosted deployments can be configured for HIPAA compliance. Business Associate Agreements available on request.

FAQ

Security questions answered

Does @CompanyBrain train AI models on my data?

No. Your documents are used only to build your private knowledge index. They are never shared with third parties or used to improve shared models.

Where is data stored?

Cloud-hosted plans use Azure data centres in the EU West region by default. Enterprise plans can specify any supported region or self-host entirely.

Who can access my data?

Only authenticated users in your tenant. @CompanyBrain staff have no standing access to customer data. Emergency access requires dual approval and is logged.

Can I export my data?

Yes. You can export your full document index, query history, and settings at any time from the dashboard. Export is available even during a cancellation.

How are connector credentials stored?

Credentials are stored encrypted using Azure Key Vault with tenant-specific keys. They are never logged, exposed in API responses, or accessible to support staff.

What happens during a security incident?

We notify affected customers within 24 hours of a confirmed breach. We maintain a detailed incident response plan and conduct post-mortems for any P0 events.

NEED MORE DETAILS?

Talk to our security team directly

We can provide our full security documentation, SOC 2 report, and answer architecture questions on a call.
