Security & Compliance
Brew’s approach to security, data protection, and compliance
Security Program in Development — Brew is building our security program and working toward certifications. For specific questions, please reach out and we’ll be happy to help.
Our Security Commitment
At Brew, we understand that email marketing involves handling sensitive customer data. We’re committed to implementing robust security practices to protect your data and maintain your trust.
Data Protection
We employ encryption at rest and in transit, secure development practices, and comprehensive access controls.
Continuous Monitoring
Our team continuously monitors for vulnerabilities and emerging threats to ensure platform security.
Compliance Journey
We’re working toward industry-standard certifications to validate our security practices.
Transparency
We believe in being transparent about our security posture and will update this page as our program matures.
We Don’t Train Our Models on Customer Data — Brew does not use your emails, customer data, or any other content you provide to train our AI models. Your data remains private.
Security Overview
Security Framework
Security Framework
Our security program is built on these core principles:
Least Privilege
Access is limited to only those with legitimate business needs, based on the principle of least privilege. We implement strict role-based access controls and regular access reviews.
Consistency
Security controls are applied consistently across all areas of our infrastructure and operations to ensure comprehensive protection.
Defense in Depth
We implement security controls in layers according to the principle of defense-in-depth, ensuring that if one control fails, others remain in place to protect your data.
Continuous Improvement
Our implementation of controls is iterative, continuously improving effectiveness and reducing friction as we grow and as the threat landscape evolves.
Data Protection
Data Protection
Data at Rest
All datastores are encrypted at rest using industry-standard AES-256 encryption. Sensitive collections and tables also use row-level encryption for additional protection.
Data in Transit
Brew uses TLS 1.3 or higher everywhere data is transmitted over potentially insecure networks, ensuring that all communications between our services and to end users are encrypted.
Data Backup
Brew backs up all production data using a point-in-time approach. Backups are persisted for 30 days and are globally replicated for resiliency against regional disasters.
Data Residency
Brew primarily processes and stores data in the United States. For customers with specific data residency requirements, please reach out and we’ll be happy to help.
Technical Security
Technical Security
Infrastructure Security
Brew’s infrastructure is hosted on AWS with multiple security layers:
- Network Security: VPC isolation, security groups, and network ACLs
- DDoS Protection: Cloudflare and AWS Shield for DDoS mitigation
- WAF: Web Application Firewall for common attack protection
- Intrusion Detection: Real-time monitoring for suspicious activities
Authentication and Authorization
- Multi-factor Authentication: Planned feature, will be available for all accounts in the future
- Password Policies: Strong password requirements enforced
- Session Management: Secure session handling with automatic termination
- Role-Based Access Control: Fine-grained permissions system
Development Security
- Secure Development Lifecycle: Security integrated throughout our development process
- Code Review: Security-focused code reviews for all changes
- Dependency Scanning: Automated scanning for vulnerable dependencies
- CI/CD Security: Security controls in our continuous integration and deployment pipeline
Service Providers
Service Providers
Brew uses carefully selected third-party services to provide our email marketing platform. This section provides transparency about these providers.
We regularly review our service providers to ensure they meet our security and performance standards. This list is updated when providers change.
Core Infrastructure
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting | AWS Security |
| Cloudflare | CDN and DDoS protection | Cloudflare Security |
| Vercel | Deployment and hosting platform | Vercel Security |
| Upstash | Redis and Kafka provider | Upstash Security |
| GitHub | Source code and CI/CD | GitHub Security |
| Datadog | Monitoring and observability | Datadog Security |
Email Delivery
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| Amazon SES | Email delivery service | Amazon SES Security |
AI and Machine Learning
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| OpenAI | AI models for content generation and analysis | OpenAI Security |
| Anthropic | AI models for content generation and analysis | Anthropic Trust & Safety |
| Groq | Ultra-fast processing of open-source AI models | Groq Security |
| Cohere | Enterprise-grade LLMs | Cohere Terms of Use |
| HuggingFace | ML model hosting | HuggingFace Terms of Service |
| X.AI | AI assistants and agents | X.AI Legal |
| AWS SageMaker | Custom ML models | AWS SageMaker Security |
| Flux | AI image generation | Flux Security & IP Protection |
| Midjourney | AI image generation | Midjourney Privacy |
| Recraft | AI image creation and editing | Recraft Security & Privacy |
Data Processing
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| Firecrawl | Web scraping and data extraction | Firecrawl Privacy Policy |
| Unstructured | Data ETL for AI | Unstructured Security |
Payment Processing
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| Stripe | Processes customer credit cards and payments | Stripe Privacy |
Productivity & Collaboration
| Provider | Purpose | Security & Privacy Information |
|---|---|---|
| Google Workspace | Email, calendar, and document collaboration | Google Workspace Security |
| Slack | Team communication and collaboration | Slack Security |
| Vercel v0 | Design and prototyping | Vercel Security |
| Figma | Design and prototyping | Figma Security |
For enterprise customers requiring formal data processing agreements (DPAs) with our service providers, please reach out and we’ll be happy to help.
Acceptable Use Policy
Acceptable Use Policy
Our vision is to help businesses drive more revenue through effective, AI-powered email marketing. We’re committed to maintaining a platform that benefits both senders and recipients.
Prohibited Uses
You may not use Brew for the following:
- Non-Consensual Communications: Sending emails to recipients who haven’t explicitly opted in
- Deceptive Practices: Using misleading subject lines or sender information
- Misrepresentation: Impersonating another individual or organization
- Illegal Content: Distributing content that violates applicable laws
- Harmful Content: Sending malware, phishing attempts, or other harmful content
Email Marketing Requirements
When using Brew, you must:
- Maintain Proper Consent: Have documented consent from all recipients
- Honor Unsubscribe Requests: Process unsubscribe requests promptly
- Include Valid Contact Information: Provide accurate sender information
- Comply with Applicable Laws: Follow relevant regulations including data privacy, email marketing, and accessibility requirements
If you have questions about this policy or would like to report a violation, please reach out and we’ll be happy to help.
Compliance Status
Enterprise Security Requirements
We understand that enterprise customers often have specific security requirements. While we are actively working toward formal certifications, we are committed to meeting your security needs:
- Custom Security Reviews: We welcome detailed security questionnaires and assessments
- Flexible Security Options: Tailored security configurations to meet your organization’s specific compliance and data protection requirements
- Direct Support: Direct access to our security team for your InfoSec professionals
- Transparent Roadmap: Clear timelines for our security certification progress
SOC 2 Compliance
Brew is working towards SOC 2 Type II certification, which will validate our controls around security, availability, processing integrity, confidentiality, and privacy.
Current Status:
- Implementing security controls aligned with SOC 2 requirements
- Developing formal security policies and procedures
- Building monitoring systems to demonstrate control effectiveness
Need SOC 2 for procurement?
If SOC 2 compliance is critical for your organization, we can:
- Accelerate our compliance roadmap to meet your specific deadlines
- Provide detailed documentation of our current controls
- Offer executive-level commitment to your requirements
- Create a custom compliance roadmap for your organization
SOC 2 Compliance
Brew is working towards SOC 2 Type II certification, which will validate our controls around security, availability, processing integrity, confidentiality, and privacy.
Current Status:
- Implementing security controls aligned with SOC 2 requirements
- Developing formal security policies and procedures
- Building monitoring systems to demonstrate control effectiveness
Need SOC 2 for procurement?
If SOC 2 compliance is critical for your organization, we can:
- Accelerate our compliance roadmap to meet your specific deadlines
- Provide detailed documentation of our current controls
- Offer executive-level commitment to your requirements
- Create a custom compliance roadmap for your organization
GDPR and ISO 27001 Compliance
Brew is committed to complying with the General Data Protection Regulation (GDPR) and ISO 27001 standards to protect the personal data of EU citizens and maintain a robust information security management system.
Current Status:
- Developing a comprehensive Data Processing Agreement (DPA)
- Implementing data subject rights request processes
- Establishing appropriate data transfer mechanisms
- Building records of processing activities
- Implementing controls aligned with ISO 27001 requirements
Need a DPA now?
If GDPR compliance is essential for your business, we can:
- Expedite a custom DPA within your timeline
- Provide legal support for your compliance needs
- Implement special data handling procedures
- Offer priority support for data subject requests
Security Assessments
Brew is actively conducting security assessments, including penetration testing by qualified third-party security firms.
Current Status:
- Initial Assessment: We have completed our first internal security assessment
- Planning Phase: We are currently evaluating reputable security firms for our first formal penetration test
- Ongoing Program: We are establishing an annual penetration testing schedule
Security assessment needs?
If you have specific security requirements, we can:
- Accelerate our testing schedule for your timeline
- Share detailed security architecture documentation
- Arrange direct calls with our security engineers
- Develop a custom security assessment plan
Security FAQ
How does sending emails through Brew affect my domain reputation?
How does sending emails through Brew affect my domain reputation?
We take great care of our customers’ domains and sending reputation. We recommend using a subdomain like mail.yourdomain.com for reputation isolation - this protects your main domain while maintaining deliverability. We implement proper SPF, DKIM, and DMARC authentication, plus we have a comprehensive audience hygiene guide to maintain clean lists. Since we only allow consent-based sending (no cold emails ever), protecting domain reputation comes down to sending well-crafted, valuable emails that recipients actually want to receive. Learn more about our domain warm-up process for new senders.
How does Brew protect my customer data?
How does Brew protect my customer data?
Brew employs multiple layers of security controls to protect your data, including encryption at rest and in transit, strict access controls, regular security assessments, and continuous monitoring for threats and vulnerabilities.
Can I get a copy of your security documentation?
Can I get a copy of your security documentation?
We’re currently developing our formal security documentation as part of our compliance initiatives. In the meantime, we’re happy to discuss our security practices in detail. Please reach out and we’ll be happy to help schedule a call with our security team.
Do you have a SOC 2 report available?
Do you have a SOC 2 report available?
We’re working toward SOC 2 Type II certification. While we don’t have a report available yet, we’re implementing controls aligned with SOC 2 requirements. If you have specific compliance requirements, please reach out to discuss.
How do you handle data subject rights under GDPR?
How do you handle data subject rights under GDPR?
We’re building processes to support data subject rights requests, including access, rectification, erasure, and portability. While we finalize these processes, we handle such requests manually. Please reach out and we’ll be happy to help with any data subject rights inquiries.
How does Brew help with email accessibility?
How does Brew help with email accessibility?
Brew incorporates accessibility best practices into its AI-generated emails to help users create more inclusive content. Our platform generates semantic HTML structure, suggests appropriate color contrast, provides fields for alternative text, and designs for keyboard navigation. While these features align with standards like the European Accessibility Act, users maintain control over final content and are responsible for ensuring their specific compliance requirements are met. Learn more about accessibility features in our campaigns documentation.
How do you handle security incidents?
How do you handle security incidents?
We have an incident response plan that defines roles, responsibilities, and procedures for detecting, responding to, and recovering from security incidents. Our team is trained to identify and respond to potential security events quickly and effectively.
Can I conduct my own security assessment of Brew?
Can I conduct my own security assessment of Brew?
We understand that some organizations have requirements to conduct their own security assessments. Please reach out and we’ll be happy to discuss your specific requirements and establish the appropriate scope and methodology.
Need Help?
Our team is ready to support you at every step of your journey with Brew. Choose the option that works best for you:
Search Documentation
Type in the “Ask any question” search bar at the top left to instantly find relevant documentation pages.
AI Assistant Chat
Click the sparkle ✨ icon next to the “Ask any question” search bar in the top left to chat with our AI assistant that’s been trained on our entire documentation.
ChatGPT/Claude Integration
Click “Open in ChatGPT” at the top right of any page to analyze documentation with ChatGPT or Claude for deeper insights.
Search Documentation
Type in the “Ask any question” search bar at the top left to instantly find relevant documentation pages.
AI Assistant Chat
Click the sparkle ✨ icon next to the “Ask any question” search bar in the top left to chat with our AI assistant that’s been trained on our entire documentation.
ChatGPT/Claude Integration
Click “Open in ChatGPT” at the top right of any page to analyze documentation with ChatGPT or Claude for deeper insights.
Schedule a Call
Book time with our founders for personalized guidance on strategy, best practices, or complex implementation questions.
Call Us Directly
Need immediate assistance? Reach us at +1-(332)-203-2145 for urgent issues or time-sensitive questions.
Slack Channel
Our preferred support channel. You’ll receive an invite after signup for direct founder support and fast responses.
Email Support
Contact us at [email protected] for detailed inquiries or if you prefer not to use Slack.