Security

Brain is governance infrastructure for regulated industries. Our security posture reflects that — your data stays in your environment, every decision is audit-trailed, and we practice the same deterministic enforcement we sell.

Data isolation

Each customer's knowledge graph runs in a namespace-isolated environment. No cross-tenant data access is architecturally possible. VPC deployments keep all data within your infrastructure boundary.

Immutable audit trail

Every gate decision, conflict resolution, and consensus score change is recorded in a hash-chained ledger. Tamper-proof by design. Export anytime for compliance review.
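How a hash-chained ledger makes after-the-fact edits detectable, as an added example that is not Brain's code or export format. The entry fields (record, prev, hash), the all-zero genesis value and the SHA-256 over canonical JSON construction are assumptions for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always serializes to the same bytes
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger, record):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(ledger, expected_head=None):
    """Return (ok, index of the first failing entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    # A truncated export is still a valid chain; only a head hash kept
    # outside the ledger (expected_head) reveals missing tail entries.
    if expected_head is not None and prev != expected_head:
        return False, len(ledger)
    return True, None


def build_sample():
    # Constructed sample records, not real product output
    ledger = []
    for seq, decision in enumerate(["ALLOW", "BLOCK", "ALLOW"]):
        append(ledger, {"seq": seq, "type": "gate_decision", "decision": decision})
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    head = ledger[-1]["hash"]
    print("intact:", verify(ledger, head))
    edited = copy.deepcopy(ledger)
    edited[1]["record"]["decision"] = "ALLOW"  # a BLOCK changed after it was logged
    print("edited:", verify(edited, head))
    print("truncated, no pinned head:", verify(ledger[:2]))
    print("truncated, pinned head:", verify(ledger[:2], head))
```

When reviewing an exported ledger, compare its final hash against a copy of the head hash stored outside the system that produced the export.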

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. API keys are hashed with bcrypt. Secrets management via Google Cloud Secret Manager with automatic rotation.

Access control

Role-based access: Viewer, Contributor, Domain Expert, Admin. Firebase authentication with JWT tokens. Every API request is authenticated and authorized against the permission model.

Zero-trust architecture

No implicit trust between services. Every internal call is authenticated. Database connections use SSL with certificate verification. Network segmentation between all service layers.

Continuous monitoring

Real-time alerting on anomalous access patterns. Structured logging across all services. Error tracking with automatic escalation. No silent failures — Brain practices what it preaches.

Data flow architecture

┌─────────────────────────────────────────────────────────┐
│  Your Infrastructure                                    │
│                                                         │
│  ┌───────────┐    ┌──────────────┐    ┌──────────────┐  │
│  │ Your Agent│───▸│ Brain Gate   │───▸│ Knowledge    │  │
│  │ (any LLM) │    │ ALLOW|BLOCK  │    │ Graph (Neo4j)│  │
│  └───────────┘    └──────────────┘    └──────────────┘  │
│                          │                              │
│                   ┌──────┴───────┐                      │
│                   │ Audit Ledger │   ← hash-chained     │
│                   │ (immutable)  │                      │
│                   └──────────────┘                      │
│                                                         │
└─────────────────────────────────────────────────────────┘
          ↕ TLS 1.3 (cloud-hosted only)
┌─────────────────────────────────────────────────────────┐
│  Brain Control Plane                                    │
│  (config, telemetry, license — no customer data)        │
└─────────────────────────────────────────────────────────┘

  • EU AI Act: Art. 11, 12, 13 ready
  • GDPR: Data processing compliant
  • VPC Deploy: Your infra, your data
  • 2,000+ Tests: Continuous verification

Vulnerability disclosure

If you discover a security vulnerability in Brain, please report it to security@theup.io. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Infrastructure

Brain's cloud-hosted service runs on Google Cloud Platform with the following security controls:

  • Kubernetes with pod-level security policies and network policies
  • Neo4j Aura (managed, SOC 2 Type 2 certified) for knowledge graph storage
  • MongoDB Atlas (managed, SOC 2 Type 2 certified) for metadata
  • EU region deployment available for data residency requirements
  • Automated vulnerability scanning on all container images
  • Infrastructure-as-code — no manual server configuration

Need a security review for procurement?

We're happy to provide architecture walkthroughs, data flow documentation, and answer your security questionnaire.
