Brown Thrasher Labs

BTL · Security

Production-grade security.

Granular RBAC down to the field. Isolated deployments per client. An audit trail on every admin and billing action.

01. Compliance

Status, not slogans.

Where each framework stands today, what's in flight, and what documents your security team can request.

#  · Framework · Status · Details
01 · SOC 2 Type II · Planned · Not started yet. This table is our current posture; we will not claim an audit before one exists.
02 · GDPR · Self-attested · DPA and EU Standard Contractual Clauses available on request.
03 · CCPA · Self-attested · Opt-out, access, and deletion rights honored. See privacy policy.
04 · ISO 27001 · Reference · Not certified. We use its control checklist where it fits a company our size.
05 · HIPAA · On request · BAA available for healthcare workloads. We review the workload together before signing.
06 · Encryption · Default · AES-256 at rest, TLS in transit. Managed keys via AWS KMS.

Last reviewed · May 2026

02. Access controls

RBAC, granular.

Permissions cascade from organization to workspace to record to field. Least privilege enforced at every layer.

01 · Per-collection roles

Define read, write, and admin scopes on every collection. Roles cascade across nested resources without leaking access.

  • Granular scope per collection
  • Inheritance with overrides
  • Custom role definitions
  • API parity with UI controls

02 · Per-field redaction

Mask sensitive columns at the data layer. PII, financial fields, and credentials never reach the wrong viewer.

  • Field-level encryption
  • Conditional redaction
  • Per-role visibility rules
  • Server-enforced masking
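The two cards above describe one authorization model: scopes granted at any level of organization, workspace, collection, record, or field, with the most specific grant overriding inherited ones, and the server masking sensitive fields before a record leaves the data layer. The following is an added, self-contained illustration of that model in Python; it is not Brown Thrasher Labs' code, and the resource paths, principals, field rules, and sample invoice record are all constructed for the example.

```python
"""Cascading RBAC with server-enforced field masking (added example, not BTL's code).

Assumed model: a resource is addressed by a path tuple such as
("acme", "billing", "invoices", "inv-42", "customer_ssn"), read as
org / workspace / collection / record / field. A grant may be attached at any
depth. Resolution walks from the most specific path upward and the first grant
found wins, so a field- or collection-level grant overrides an inherited one,
and an explicit NONE acts as a deny override. No grant anywhere means no access.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Tuple

class Scope(IntEnum):
    NONE = 0    # stored explicitly, this is a deny override
    READ = 1
    WRITE = 2
    ADMIN = 3

Path = Tuple[str, ...]

@dataclass
class Policy:
    grants: Dict[Tuple[str, Path], Scope] = field(default_factory=dict)

    def grant(self, principal: str, path: Path, scope: Scope) -> None:
        self.grants[(principal, path)] = scope

    def effective_scope(self, principal: str, path: Path) -> Scope:
        """Most specific grant wins; otherwise inherit from the nearest ancestor."""
        for depth in range(len(path), -1, -1):
            scope = self.grants.get((principal, path[:depth]))
            if scope is not None:
                return scope
        return Scope.NONE  # default deny

# Per-field visibility rules (constructed): minimum scope needed to see the raw value.
# Any field not listed is visible at READ.
FIELD_RULES: Dict[str, Scope] = {
    "customer_ssn": Scope.ADMIN,
    "card_last4": Scope.WRITE,
}
REDACTED = "[REDACTED]"

def read_record(policy: Policy, principal: str, record_path: Path, record: dict) -> dict:
    """Server-side read: refuse the record outright below READ, then mask each
    field whose rule (or an explicit field-level grant) the caller does not meet."""
    if policy.effective_scope(principal, record_path) < Scope.READ:
        raise PermissionError(f"{principal} cannot read {'/'.join(record_path)}")
    visible = {}
    for name, value in record.items():
        scope = policy.effective_scope(principal, record_path + (name,))
        needed = FIELD_RULES.get(name, Scope.READ)
        visible[name] = value if scope >= needed else REDACTED
    return visible

def build_demo_policy() -> Policy:
    """Constructed grants showing inheritance, upward override, and deny override."""
    p = Policy()
    p.grant("alice", ("acme",), Scope.ADMIN)                       # org admin sees all
    p.grant("bob", ("acme", "billing"), Scope.WRITE)               # workspace writer
    p.grant("bob", ("acme", "billing", "invoices", "inv-42", "card_last4"), Scope.NONE)  # field override
    p.grant("dana", ("acme", "billing"), Scope.READ)
    p.grant("dana", ("acme", "billing", "invoices"), Scope.WRITE)  # collection override raises scope
    p.grant("eve", ("acme", "billing"), Scope.WRITE)
    p.grant("eve", ("acme", "billing", "invoices"), Scope.NONE)    # deny override on one collection
    return p

INVOICE_PATH: Path = ("acme", "billing", "invoices", "inv-42")
INVOICE = {  # constructed sample record
    "id": "inv-42",
    "amount_cents": 12900,
    "card_last4": "4242",
    "customer_ssn": "123-45-6789",
}

def demo() -> dict:
    """Return what each principal would receive for INVOICE, or "DENIED"."""
    policy = build_demo_policy()
    out = {}
    for who in ("alice", "bob", "dana", "eve", "frank"):
        try:
            out[who] = read_record(policy, who, INVOICE_PATH, INVOICE)
        except PermissionError:
            out[who] = "DENIED"
    return out

if __name__ == "__main__":
    for who, view in demo().items():
        print(f"{who:6} {view}")
```

Two properties worth checking in a system like this: a deny override on one collection must not bleed into sibling collections (eve still writes to `("acme", "billing", "payments")`), and masking must happen in the same server-side function that performs the read, so a client can never request the unmasked row.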

03. Infrastructure

Isolated. Encrypted.

Tenant boundaries enforced at the data layer. Backed up with point-in-time recovery.

01 · Tenant-isolated by default

Every customer's data lives in a logically isolated namespace. No cross-tenant queries are possible at the data layer.

02 · Isolated deployments

Each client build runs with its own login pool and its own database. There is no shared multi-tenant blob to leak across.

03 · Backups we actually restore

Managed backups with point-in-time recovery on AWS us-east-1. We test restores, not just snapshots.

04 · Least-privilege networking

Service-to-service auth with short-lived credentials. No standing admin access.

04. Audit & monitoring

Every action. Logged.

Full attribution on every view, click, and export. SSO with the providers your team already uses. Automated monitoring with a documented response process.

01 · Audit Logs · Admin, Billing, and Account Actions
02 · SSO · Scoped Per Engagement via AWS Cognito
03 · Role-Based Access Control on Every Admin Surface
04 · Uptime and Error Monitoring with Alerts
05 · Incidents Go Straight to an Engineer
06 · Adversarial Review Before Money Paths Ship

Need a deeper review?

Built on trust.

Send the questions your security team needs answered. We'll reply with the documents we can share today and a schedule for what's in flight.