Built to handle sensitive work.
Brivo processes public records and produces intelligence that ends up in boardrooms, courts, and compliance files. Security is not an afterthought — it is a precondition.
Our posture
We assume breach. We build for recovery. We disclose without delay.
Every system that touches customer data is designed with the assumption that perimeters fail. Defence is layered, access is minimal, and logging is comprehensive.
Questions not answered here can be directed to security@brivo.ltd.
Compliance & attestations
DPA available on request.
Working towards compliance with the Digital Personal Data Protection Act.
Targeted for 2027.
Targeted for 2027.
Security practices
All stored data is encrypted with AES-256. Database volumes, backups, and file stores are encrypted at the block level. Keys are managed through a dedicated secrets management system with automatic rotation.
All connections are enforced over TLS 1.2 or higher. We reject older protocol versions and weak cipher suites. Certificates are auto-renewed and monitored for expiry.
Production access is restricted to named individuals with a documented business need. All access requires MFA. Permissions follow least-privilege principles and are reviewed quarterly. Offboarding revokes access within one hour.
Systems run on cloud infrastructure with network segmentation, private subnets, and no unnecessary public endpoints. Security groups are reviewed on every deployment. Audit logging is enabled across all environments.
We commission independent penetration tests against production systems. Findings are triaged, tracked, and remediated under defined SLAs. Critical findings block releases.
Automated backups run daily with point-in-time recovery enabled. Restores are tested on a regular cadence. Recovery objectives are documented and reviewed with each infrastructure change.
All third-party dependencies are tracked and scanned for known vulnerabilities on every build. High-severity findings block deployments. We maintain a software bill of materials (SBOM) for production services.
We maintain a written incident response plan with defined severity levels, escalation paths, and communication templates. Post-incident reviews are mandatory for any severity-1 event. Affected customers are notified within 72 hours of a confirmed breach.
All staff complete security awareness training before system access is granted and annually thereafter. Phishing simulations run throughout the year. Security practices are part of the engineering hiring process.
Data is retained only as long as required to deliver the service or meet legal obligations. Customers may request deletion of their data at any time. Deletion requests are actioned within 30 days and confirmed in writing.
Self-hosted by default
The fewer parties we share your data with, the fewer parties can lose it.
Where most teams reach for a SaaS, we run our own. Analytics, captchas, and customer support all live on our infrastructure. Visitor data, ticket history, and behavioural signals never reach a third-party vendor.
Privacy-friendly, cookieless. No data leaves our infrastructure.
No third-party challenges. Visitor IPs and behaviour stay with us.
Conversations and ticket history are not shared with a SaaS vendor.
Responsible disclosure
Found something? Tell us before anyone else.
If you discover a vulnerability in Brivo's systems, please report it to security@brivo.ltd. We will acknowledge your report within 24 hours and provide a resolution timeline within 72 hours.
We ask that you give us reasonable time to investigate and remediate before any public disclosure. We do not pursue legal action against researchers who act in good faith under these guidelines.
Please include: affected URL or system, steps to reproduce, potential impact, and your contact details. Encrypted submissions are welcome using the PGP key below.
In scope
- +brivo.ltd and all subdomains
- +brivo.support and all subdomains
- +brivo.network and all subdomains
- +Brivo product domains
Out of scope
- −Third-party services we depend on (report to them directly)
- −Social engineering of Brivo staff or customers
- −Physical attacks against Brivo offices or staff
- −Denial-of-service or volumetric testing
- −Findings from automated scanners without demonstrated impact
Response SLAs by severity
PGP public key
-----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBGoSKtwBEAC7ZznvnBhV/mIVKTa+iIw1r2OoEYsAINRGSJCBRfb3SdrG /TXNA49R81QVZJwGOaNusqZQNFgaAcn8JLK/g/2JQfLUj2ohNzYIOGdx0dT3 Q9cMPXexM9f5kZ7N5OVdnxxd4SyCoyuneUZknm2hk9KVo8/QzLc+CQLtcCW4 Eeni8qEIdKBa1bHcghTcetgA7UOyeXOJRrD6pplqTrQLKOHg+KKNO+1vp45o oPdzEzrttnIt6guhFtJjt4Mq1DZumJQ+CATMjX7Z84yXZGrfmGUhfVEDpKoa MWv7NucfHtugBfpjOjTrIdHn+wdPSLb0RzWi2KweD6v+fostfjrUA9+aM8iN knzqG3DFkr4sPci8n62//2IJOQc7aDFnl1ot+Q4d2GpCyH6euBNOfRss9aro jswv19m6heJ/C1bYHXbXRhcIWRsewIqc3mbq1m9tAWF13vfpiI9L46aLhJ1t xsoXrq/FmXGMQMf3yc2oFupsux5dU+8syAjiCGVRepDAlT1CuY4YZsJ9+SW2 5vSh4qqijvciRL5Po6L8rHFklQj3SDxKVlftbxgTHai0gPai9riIozUh5CH2 TLdc33TbxBauTAyvRn16H0czFSWqrGEr+LRpnZyIS1vZMIATqy+LNp97oKx6 Ob8PK/rBHwOnCenEYg27EI2MvQThwG6s3eAuDwARAQABzSNCcml2byBTZWN1 cml0eSA8c2VjdXJpdHlAYnJpdm8ubHRkPsLBigQQAQgAPgWCahIq3AQLCQcI CZAKTUfwRlgf0AMVCAoEFgACAQIZAQKbAwIeARYhBPkkwfz2wVQeeI56xwpN R/BGWB/QAADIiQ/+MKI1+NNDFYXA6LE8K02BJrvup1MPNOKISW5Rt5hlt6tk qMyEG/ATOgUl3Q0eod6kW1cEKYYa7zudDX86IoBYLiO3UUI0rD8/iwJ+9MHG vDRFSYxavulhrk778vpqwmYu5nQacwKGjXwjZBNXcXhyOCbeBMVa1DSohA1X TC/wJki7brRRHT9JH2ahJUjPN3R02piEsYXbaSVrIAjwH3ZAhC3jsVtVfOMF w+sxciNADO6jsGOUatytrAMZuplO/YVjFls/pdDfu75hi+258zuRR+T/7wE0 2rGkHXMIO4pCTy2iq2FryLF+vD4UK3sm8BzIA2x70ayJ70Y6GOKlxdf4S+Vb wOJGhBysp2SAOybTcPqTCIcX2nHM8KZe47pNAKIOBaX68YkrIyy3IbXe7GWp ThgaYvRUGgh9WnrbcTT5Wc0qDpvFTOko2zPpbhIvHOTr15gqAQ9I1dk2dZkQ h3IkMhp1WEj0rh6idX0+FFPIEg923W5DqtG1jA2xUgnhSDjQUh6ZcccXEFhD 2YXw4Lw1VyR8LZhsq6y94xoznJ1f3uj6Ry2Y2U+64BVQiq5ItzRNeGQsA07m VTdISt/LTw/dpYWb2RXFyGq2N36DWd1SsovExrQAxWduDvnbn7nDaEeykxbS iGAe0cHV9JG6VFhzMkvzRwyTGpn2BWC6/BFUQsjOwU0EahIq3AEQAL1OMjcU 0hIVe1mb5gALMPMKePsMxbwuglSbtAvdt6a/apydu2tyxQO834RkJ8EqPC2U l6SQg5zU4/5YS3bqGyzpxvX/uthIyNvY8jX6dRT9/eyfbZz+3yyDG/efb6tV XW2Lkrb15/U6GheuLnZB0s14cCmD31+mYeAXAf7P/Sl3wx/Up4XKqzjNwugv gc75+SjTxdRNALfzvs81UOuSZm/0aUWNMOBSKUibz/ZTu01yP92S70oqCAXy y40yCTOlDk02ApQ5S8D0vuHMl8/Dm6XBI28nl0iCgFLZiR5sfBZJqWP3yjWe LWPHDjSckr9IN2PclinFm3L30VN4wKimzYiq/mPY1c9pTZIE1T0G1rVHDGDb lm2X3BmfCdRjAtgMyY8kxu/WOSxMYBTs3A4W+ZAno4+Q+nnAM9R53l1E9WO3 41shWPnh8l8WQxnDLYquetrr/KS2ZT/+TenwdTxPUiTGpSCgQkLQPAPAe2oT g2GVutJGA73GNh1wPSLsN14yg6AtvMG3DXs3X3WC1t8Fm7GqrVTECnugyYvk nuZrPsjsRY+eXd3OIo2Vm+ChYPepaKEa4qNsEVulzAeOuU9mQZltuCCp160q HFOM1sUAM2/FdClBhK15Xqny6J6YAIkI37ALbk0d2XIH4iyrE6XxDNPD3u+K zt4e6yeZFztGahS7ABEBAAHCwXYEGAEIACoFgmoSKtwJkApNR/BGWB/QApsM FiEE+STB/PbBVB54jnrHCk1H8EZYH9AAAEpAD/0c7LtDG7N8X0JoIhKhd3Rx 95WQ4RDvDAGRmncydFpQBnpWWymiPme6h5zZtnuOeZqRuzm6zP3UizTR8rQv Wt30RfgdHF9r90cEKcZ3EeW8qY/lTRd9o+9O21ty2mSF7r60/r+QPtV1ZSSc QFyY2dbtYhpOj79xLp7jqfPOEsbX885LSqFBFeNdbBgC60Bl+43nJgvrh+wh HokNkX4uPDero+TvJhBTbkJ1RyDOCbxVyaOrWQWbqsAYp+R6TdqYGVgZv9u8 0UE6o6eiPzN5rK+PpBT6KJaSvusbaq3L1lHSXjXYAsozXSZzkivUFAorQOsN TpWNa8PysYekoRqyHQ+sAy9DmOhd6iaQ5Utfu+ZxIWjwGVUbrSm090HtbKG7 tVxdg4rmzRmGRXL6NkNePjnd2VDAFeu1+DniXQwgf8VHQd1eng7qgrXvk7QY /vLzHY5ztu11XSQCVOnaOWWxSziIceynAZTQrg1uD3p+Ylr3dyBJK/KVm7+Y 2y+hGN1shgr/mFSR6citsIE+PY6JfvNzyDiXIaKcuDeZ/aN91ERBTkBlHtmh So6I+/OXbnrzgqxSlUAE2IUidDNpvVJ1g0tXdnIdonbHZGaJAM5t7GxY106l KZOFyMlymEJSUL9ZpMg6AS0Udin1B238rZqGZW0S0qjbFQbiYMLUBsMNMNEC 9Q== =s4nm -----END PGP PUBLIC KEY BLOCK-----
Verify the fingerprint above against the copy published at /.well-known/security.txt before encrypting anything sensitive. If they don't match, contact us out of band before sending the report.