Security practices.
We treat security as a primary feature, not an afterthought. The practices below are baseline for every engagement: websites, internal software, and AI workflows alike. Enterprise clients can request additional configurations including SOC 2 alignment, custom data residency, and vendor security questionnaires.
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. We never transmit credentials, API keys, or sensitive customer data over unencrypted channels.
Authentication
Multi-factor authentication is enforced on all studio accounts. Client portal access uses passwordless email magic links via Resend, eliminating password-related attack vectors.
Database security
All Brevity-built systems use Supabase with Row-Level Security policies enforced at the database layer. No client data is accessible without explicit policy authorization.
Audit logging
Every privileged action (admin logins, data exports, permission changes, deletions) is logged with timestamp, actor, and action. Logs are retained for 90 days minimum.
Vendor security
We work only with vendors that meet SOC 2 Type II or equivalent standards: Vercel, Supabase, Stripe, Resend, Anthropic, OpenAI, AWS. We can produce vendor security documentation on request.
Incident response
We follow a 24-hour breach notification policy. Any suspected security incident is investigated immediately, contained within 24 hours, and disclosed to affected clients within 72 hours per GDPR requirements.
Dependency hygiene
Dependencies are scanned automatically via Dependabot. Critical and high-severity vulnerabilities are patched within 24 hours of disclosure. Production deploys are signed and audited.
Access controls
Production access is restricted to active partners. Permissions follow the least-privilege principle. Departing team members lose all access within 1 business hour.
Security questions or vendor security questionnaires: security@brevity.solutions