Security
An overview of how we protect your workspace. If you need more detail for a vendor-review questionnaire, email security@gobrief.co.
Pre-incorporation notice. GoBrief is currently operated by Brian Kaplan as a sole proprietor in Nashville, Tennessee, United States, pending formation of GoBrief LLC (a Tennessee limited liability company). On LLC formation, the entity becomes the successor-in-interest and operator under these documents. These policies have been reviewed internally against standard SaaS and privacy patterns and will receive outside-counsel review before customer-paid engagements scale. Any material updates will be versioned here and emailed to active customers 30 days in advance.
Infrastructure
GoBrief runs on Cloudflare Workers globally, with Cloudflare D1 (SQLite-backed, multi-region replicated) as our primary database and Cloudflare R2 for object storage. Cloudflare's infrastructure is SOC 2 Type 2, ISO 27001, and PCI DSS Level 1 compliant.
Encryption
- In transit: TLS 1.3 enforced everywhere (HSTS header sends a 1-year max-age with includeSubDomains).
- At rest: Cloudflare encrypts all D1 and R2 data with AES-256. Enterprise customers can request customer-managed encryption keys.
- Secrets: API keys and sensitive configuration are stored in Cloudflare Workers Secrets (encrypted, not visible in the dashboard after upload).
Access control
- Authentication: NextAuth v5 with Google OAuth and Resend magic links. JWT session strategy, 30-day max lifetime, HttpOnly + Secure cookies.
- Authorization: role-based (owner, admin, coordinator, viewer) per workspace. Every API route scopes queries by org_id; library collections can further restrict by role.
- Invite-only workspaces: joining an existing workspace requires a signed invite token. Random signups can only create new workspaces, never infiltrate an existing one.
- Enterprise SSO (SAML + SCIM): available on the Enterprise plan; talk to us.
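A worked illustration of the per-workspace role check and org_id query scoping described above, added here as an example; it is not GoBrief's own code. The role ordering (viewer below coordinator below admin below owner), the session shape (a JWT carrying a map of org_id to role), the `minRole` field on a collection and the route shape are all assumptions.

```javascript
// Added example (not GoBrief's code): per-workspace role checks and org_id query scoping.
// Role order is an assumption taken from the order the page lists them in.
const ROLES = ["viewer", "coordinator", "admin", "owner"]; // least to most privileged

function rankOf(role) {
  const rank = ROLES.indexOf(role);
  if (rank < 0) throw new Error(`unknown role: ${role}`);
  return rank;
}

// Session shape is assumed: the JWT carries memberships = { org_id: role }.
function roleIn(session, orgId) {
  return Object.prototype.hasOwnProperty.call(session.memberships, orgId)
    ? session.memberships[orgId]
    : null;
}

// Gate a route: non-members get 404 (do not confirm the workspace exists),
// members below the required role get 403.
function requireRole(session, orgId, minRole) {
  const role = roleIn(session, orgId);
  if (role === null) return { ok: false, status: 404 };
  if (rankOf(role) < rankOf(minRole)) return { ok: false, status: 403 };
  return { ok: true, role };
}

// Build a parameterised query whose first predicate is always org_id, so a
// route cannot forget the tenant scope. Table and column names are checked
// against a strict pattern; values are bound parameters (D1 prepare().bind()
// style), never interpolated into the SQL string.
function scopedQuery(orgId, table, where = {}) {
  if (typeof orgId !== "string" || orgId === "") throw new Error("org_id is required");
  if (!/^[a-z_]+$/.test(table)) throw new Error(`bad table name: ${table}`);
  const clauses = ["org_id = ?"];
  const params = [orgId];
  for (const [column, value] of Object.entries(where)) {
    if (!/^[a-z_]+$/.test(column)) throw new Error(`bad column name: ${column}`);
    clauses.push(`${column} = ?`);
    params.push(value);
  }
  return { sql: `SELECT * FROM ${table} WHERE ${clauses.join(" AND ")}`, params };
}

// Library collections carry a minimum role (field name assumed); the default
// for contract/legal collections is admin, so viewers and coordinators never see them.
function canViewCollection(session, orgId, collection) {
  const minRole = collection.minRole ?? "admin";
  return requireRole(session, orgId, minRole).ok;
}

// Constructed sample session: one user who is a viewer in one workspace and owner in another.
const SAMPLE_SESSION = {
  userId: "user_123",
  memberships: { org_acme: "viewer", org_globex: "owner" },
};

// A route handler for GET /api/:orgId/documents (route shape assumed).
function listDocumentsRoute(session, orgId) {
  const gate = requireRole(session, orgId, "viewer");
  if (!gate.ok) return { status: gate.status };
  const query = scopedQuery(orgId, "documents", { status: "published" });
  // In a Worker: env.DB.prepare(query.sql).bind(...query.params).all()
  return { status: 200, query };
}
```

Returning 404 rather than 403 to non-members is a design choice: it keeps the existence of a workspace from being probed by guessing org_id values.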
Backups + durability
- Automatic daily D1 snapshots written to R2 as JSONL. 30-day rolling retention.
- R2 objects are stored with 99.999999999% (11 nines) durability.
- Point-in-time recovery: we can restore any workspace to its state at any snapshot point within the retention window.
Monitoring + audit
- Every privileged action writes an activity-log row (user, action, object, timestamp). Owners + admins can export the audit log as CSV or JSON from /api/admin/audit-log.
- Cloudflare Observability is enabled for the worker: request traces, errors, and latency.
- A health-check endpoint at /api/health checks DB + Stripe + Resend + Anthropic + auth secrets on every call.
- Security headers (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) are applied on every response.
- Rate limiting per IP on public endpoints (KV-backed, cross-isolate).
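The two response-side controls in this list, the security header set and the KV-backed per-IP rate limit, as one added example written in the Workers style; this is illustrative code, not GoBrief's worker. Only the HSTS value is taken from the page; the CSP, Referrer-Policy and Permissions-Policy values, the KV binding name and the limit of 5 requests per minute are assumptions.

```javascript
// Added example (not GoBrief's code). Applies the header set listed above to
// every response and throttles a public endpoint per client IP with a
// fixed-window counter in a KV-like store. The CSP, Referrer-Policy and
// Permissions-Policy values below are assumptions; only HSTS is from the page.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains", // one year
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Copy the handler's headers (keys lower-cased, as the Fetch API stores them)
// and write the security set on top, so a handler cannot weaken a header.
function withSecurityHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) out[name.toLowerCase()] = value;
  return out;
}
// In a Worker the same thing is done on the real Response object:
//   const res = new Response(upstream.body, upstream);
//   for (const [n, v] of Object.entries(SECURITY_HEADERS)) res.headers.set(n, v);

// In-memory stand-in for the Workers KV binding (get / put with expirationTtl)
// so the example runs offline; in the worker, pass the KV binding instead.
class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key) {
    const entry = this.store.get(key);
    if (!entry) return null;
    if (entry.expiresAt && entry.expiresAt <= Date.now()) { this.store.delete(key); return null; }
    return entry.value;
  }
  async put(key, value, { expirationTtl } = {}) {
    this.store.set(key, { value, expiresAt: expirationTtl ? Date.now() + expirationTtl * 1000 : 0 });
  }
}

// Fixed-window counter keyed by IP and window index. KV is shared across
// isolates and regions, which is what makes the limit global, but it is
// eventually consistent and read-increment-write is not atomic: a burst can
// undercount. That is acceptable for abuse throttling on public endpoints;
// an exact counter would need a Durable Object.
async function rateLimit(kv, ip, { limit = 60, windowSeconds = 60, now = Date.now() } = {}) {
  const nowSec = Math.floor(now / 1000);
  const windowIndex = Math.floor(nowSec / windowSeconds);
  const key = `rl:${ip}:${windowIndex}`;
  const count = Number((await kv.get(key)) ?? 0) + 1;
  // Keep the key for two windows; Workers KV rejects expirationTtl below 60 s.
  await kv.put(key, String(count), { expirationTtl: Math.max(60, windowSeconds * 2) });
  const resetAt = (windowIndex + 1) * windowSeconds;
  const allowed = count <= limit;
  return { allowed, remaining: Math.max(0, limit - count), resetAt, retryAfter: allowed ? 0 : resetAt - nowSec };
}

// A public endpoint handler. In a real worker the client IP is read from
// Cloudflare's CF-Connecting-IP request header; here it is passed in.
async function handlePublicRequest(kv, ip, { now = Date.now() } = {}) {
  const decision = await rateLimit(kv, ip, { limit: 5, windowSeconds: 60, now });
  if (!decision.allowed) {
    return {
      status: 429,
      headers: withSecurityHeaders({ "Retry-After": String(decision.retryAfter), "Content-Type": "text/plain" }),
    };
  }
  return { status: 200, headers: withSecurityHeaders({ "Content-Type": "application/json" }) };
}
```

The limiter is keyed on the window index rather than a sliding log so that each request costs one KV read and one write; the trade-off is that a client can send up to twice the limit across a window boundary, which is usually acceptable for abuse throttling.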
Data handling
- AI analysis of uploads runs via Anthropic and Cloudflare Workers AI. Neither trains on your data. Anthropic retains for at most 30 days for abuse monitoring. See the Privacy Policy.
- Files are served through signed URLs; R2 objects are not publicly addressable without our proxy.
- Library collections support role-gated visibility so contracts and legal documents are locked to owners + admins by default.
Vulnerability disclosure
Think you've found a security issue? Email security@gobrief.co with steps to reproduce. We'll acknowledge within two business days, triage within five business days, and fix validated issues on an appropriate severity timeline (generally: critical within 24 hours, high within 7 days, medium within 30 days). We don't currently run a paid bounty but we'll credit you publicly if you'd like.
Rules of engagement. You must not (a) test against live production workspaces you don't own, (b) access, modify, exfiltrate, or delete other customers' data, (c) conduct denial-of-service testing, social-engineering, or physical-security testing, or (d) publicly disclose a vulnerability before we have had a reasonable opportunity to remediate (90 days, or sooner if mutually agreed). Researchers acting in good faith under these rules will not be subject to legal action from GoBrief under the Computer Fraud and Abuse Act, the DMCA anti-circumvention provisions, or analogous state laws. Request access to our research sandbox by emailing security@gobrief.co.
Incident response
If we determine personal data has been exposed, we'll notify affected workspace owners without undue delay and, where feasible, within 72 hours of confirming the incident, in line with GDPR Article 33 and our Data Processing Addendum. The notification will include, to the extent then known, the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information. Where a breach is likely to result in a high risk to rights and freedoms of individuals, we will coordinate with the affected workspace owner on direct communication to individuals under Article 34. We maintain a written incident-response runbook internally and review it at least annually.
Data processing & DPA availability
Customers (including EU/UK/California customers and any customer whose workspace contains personal data) are covered by our Data Processing Addendum, which is accepted automatically on sign-up and supplements the Terms of Service. The DPA includes GDPR Art. 28 processor obligations, EU Standard Contractual Clauses (Module Two) for international transfers, and a full Security Appendix. Enterprise customers may request a countersigned copy via legal@gobrief.co. A Business Associate Agreement (HIPAA BAA) is available on the Enterprise plan after scoping review.
Service-level targets (paid plans)
- Uptime target: 99.9% monthly, calculated across the full calendar month excluding scheduled maintenance windows.
- RTO (recovery time objective): 4 hours after a confirmed incident.
- RPO (recovery point objective): 24 hours (the daily backup cadence).
A formal SLA with credit mechanics is available for Business, Scale, and Enterprise customers on request.
File safety
Inbound partner uploads are spec-validated and MIME-type-checked on upload, and served from isolated storage with download-safe headers. Full server-side antivirus scanning is on the roadmap for later this year; until it ships, we recommend treating partner uploads with the same care as email attachments.
Compliance roadmap
- Now: GDPR + CCPA compliant posture; standard SaaS security controls.
- In-flight: formal SOC 2 Type 1 audit (targeting Q3 2026).
- Available on Enterprise: audit-log exports, legal hold, custom retention, SSO, private deployment.
- On request: HIPAA BAA scoping (talk to us for healthcare use).
Questions? Reach us at legal@gobrief.co for legal, privacy@gobrief.co for data questions, security@gobrief.co for vulnerability disclosure.