Security
Last updated: October 10, 2025
We design automations with a security-first mindset: minimal data collection, least-privilege access, and clear auditability. Below is a summary of our current practices.
1) Data Handling & Access
- Principle of least privilege for accounts, API keys, and service roles.
- Segregated environments for development and production where applicable.
- Scoped, expiring tokens for third-party integrations whenever supported.
2) Encryption
- Encryption in transit via TLS for all supported services.
- Encryption at rest handled by our hosting and data providers where enabled.
3) Secrets Management
- API keys and credentials stored in managed secret stores or environment variables.
- No credentials in code repos; access restricted to authorized personnel.
4) Hosting & Providers
We deploy on reputable cloud platforms with strong baseline security (e.g., Vercel, Render, AWS, GCP). We assess providers for security posture and limit data exposure to what's necessary. A current list of sub-processors is available upon request.
5) Monitoring & Logging
- Operational logs for automation runs, errors, and performance.
- Access logging for admin actions where supported by platforms.
- Periodic reviews to remove stale access and rotate credentials.
6) Backups & Continuity
- Backups for critical configuration and data where applicable.
- Documented recovery procedures and regular spot tests.
7) Incident Response
We maintain an escalation process for potential incidents: triage, containment, remediation, post-mortem, and client notification consistent with legal and contractual requirements.
8) Vulnerability Disclosure
If you believe you've found a security issue, please email security@brooksmorris.com. We'll acknowledge, investigate, and address validated issues. Please avoid public disclosure until remediation is complete.
9) Customer Responsibilities
- Maintain your own platform accounts, roles, and MFA.
- Review and approve automation permissions and scopes.
- Provide appropriately de-identified data where possible.
10) Compliance
While we are not currently certified under SOC 2/ISO 27001, we align our practices with common controls where feasible. For regulated data (e.g., HIPAA, PCI), special terms, architecture, and tooling may be required and must be agreed in writing before any such processing.
11) Contact
Security questions: security@brooksmorris.com.