Security
Last updated June 16, 2026
Security is built into how we design and ship systems — not added at the end. This page describes the principles and practices we follow for client work and for operating brixloop.com.
We are transparent about what we do and do not claim. Brixloop does not hold SOC 2, ISO 27001, or HIPAA certifications unless explicitly stated in a signed client agreement for a specific engagement.
1. Security principles
- Least privilege — access is granted only to what each role needs
- Encryption by default — TLS in transit; encryption for sensitive data at rest
- Privacy by design — data minimization and clear retention boundaries
- Defense in depth — layered controls across application, infrastructure, and operations
- Audit-ready foundations — logging and access trails suitable for enterprise review
2. How we secure client projects
Application security
- Secure authentication and session handling patterns
- Input validation and protection against common web vulnerabilities
- Secrets stored outside source code using environment or vault patterns
- Dependency review and patch cadence appropriate to project risk
AI and data handling
- Clear boundaries for what data is sent to third-party model providers
- Prompt and output handling designed around client confidentiality requirements
- Configurable retention and logging based on engagement scope
- Human-in-the-loop controls where automated decisions carry risk
Infrastructure
- Cloud infrastructure configured with network isolation where appropriate
- Backups and recovery planning aligned to project criticality
- Environment separation between development, staging, and production
- Monitoring and alerting for availability and error anomalies
3. Access and operations
Production access is limited to engineers who need it for delivery and support. We avoid shared credentials, rotate secrets when roles change, and document handoff procedures so clients retain control of their systems after launch.
4. Compliance-ready foundations
We follow GDPR-aligned data handling principles on our website and in projects where applicable. For clients with specific regulatory needs — including healthcare-adjacent or financial workloads — we scope controls, documentation, and architecture choices during discovery rather than making blanket certification claims.
5. Incident response
If we become aware of a security issue affecting a client system or data we manage, we notify the client without undue delay and work to contain, investigate, and remediate. For active engagements, incident response expectations are defined in the project agreement.
6. This website
Our marketing site uses standard hosting and transport security. Inquiry submissions are transmitted over HTTPS and processed through our email infrastructure. See our Privacy Policy for how we handle personal data.
7. Security inquiries
If you are evaluating Brixloop for a security-sensitive project, include your requirements in your inquiry or email hello@brixloop.com. We are happy to walk through architecture, data flows, and control choices before work begins.