Trust center

Last updated 2026-05-09

Brektra is an early-stage security product. We do not currently hold SOC 2, ISO 27001, PCI DSS, or HIPAA certifications. This page collects the controls, policies, and operating details we can stand behind today.

Security controls

  • HTTPS/TLS for public traffic.
  • Security headers, including CSP, HSTS, X-Frame-Options, and Permissions-Policy.
  • Supabase row-level security for workspace isolation.
  • Role-based workspace permissions for destructive actions.
  • Audit logging for scan starts, findings, plan changes, member changes, and admin actions.
  • Rate limits on auth, contact, scan, and public endpoints.
  • Webhook signature checks for billing events.
  • Secrets stored in environment variables, with a documented rotation runbook.

Data handling

Hosted scans store scan metadata, target configuration, request and response bodies, kill-chain nodes, proof artifacts, findings, and audit logs so Brektra can render replays and reports. Retention is plan-based and described in the Privacy Policy.

We do not sell customer data, do not use customer data for advertising, and do not use it to train third-party models.

Subprocessors

Current subprocessors are listed in the Privacy Policy. The main services are Vercel, Supabase, Anthropic, Dodo Payments, Resend, GitHub, and Plausible Analytics.

Compliance status

Brektra is not SOC 2 audited and does not hold ISO 27001, PCI DSS, or HIPAA certification at this stage. Product findings can map to SOC 2 Trust Services Criteria and ISO 27001 controls for customer reporting, but that mapping is not a certification of Brektra itself.

Vulnerability reporting

Report vulnerabilities to security@brektra.com. Scope, safe harbor, and response expectations are documented in our Responsible Disclosure policy and Security Policy.

Availability

Live service checks and incident history are published at /status. The status page checks Supabase, the LLM proxy, Dodo Payments, and the GitHub App path.

Contact