> ## Documentation Index
> Fetch the complete documentation index at: https://docs.brew.new/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> Brew's approach to security, data protection, and compliance

<Info>
  **Security Program in Development** - Brew is building our security program and working toward certifications. For specific questions, please reach out and we'll be happy to help.
</Info>

## Our Security Commitment

Email marketing means handling sensitive customer data. This page describes how we protect it and where our security program stands today.

<CardGroup cols="2">
  <Card title="Data Protection" icon="lock" color="#c44925">
    We employ encryption at rest and in transit, secure development practices, and comprehensive access controls.
  </Card>

  <Card title="Continuous Monitoring" icon="radar" color="#c44925">
    We monitor for vulnerabilities and new threats.
  </Card>

  <Card title="Compliance Journey" icon="clipboard-check" color="#c44925">
    We're working toward industry-standard certifications to validate our security practices.
  </Card>

  <Card title="Transparency" icon="eye" color="#c44925">
    We publish what our security posture is and update this page as the program matures.
  </Card>
</CardGroup>

### Responsible Disclosure

If you believe you've found a security issue, please notify [legal@brew.new](mailto:legal@brew.new).

<Info>
  **Model training scope** - Brew may use limited samples from Free Plan accounts to train or fine‑tune Brew‑hosted models. Paid plans are excluded from training. We may evaluate outputs and improve systems using limited samples from any account without training models (except Free Plan). See our [Privacy Policy](/legal/privacy-policy) and [DPA](/legal/data-protection-addendum).
</Info>

## Security Overview

### Security Framework

Our security program is built on these core principles:

#### Least Privilege

Access is limited to only those with legitimate business needs, based on the principle of least privilege. We implement strict role-based access controls and regular access reviews.

#### Consistency

Security controls are applied consistently across our infrastructure and operations.

#### Defense in Depth

We implement security controls in layers according to the principle of defense-in-depth: if one control fails, others remain in place.

#### Continuous Improvement

We revisit controls as we grow and as threats change, improving effectiveness and reducing friction.

### Data Protection

#### Data at Rest

All datastores are encrypted at rest using industry-standard AES-256 encryption. Sensitive collections and tables also use row-level encryption for additional protection.

#### Data in Transit

Brew uses TLS 1.3 or higher everywhere data is transmitted over potentially insecure networks, ensuring that all communications between our services and to end users are encrypted.

#### Data Backup

Brew backs up all production data using a point-in-time approach. Backups are persisted for 30 days and are globally replicated for resiliency against regional disasters.

#### Data Residency

Brew primarily processes and stores data in the United States. For customers with specific data residency requirements, please reach out and we'll be happy to help.

### Technical Security

#### Infrastructure Security

Brew's infrastructure is hosted on AWS with multiple security layers:

<ul>
  <li><strong>Network Security</strong>: VPC isolation, security groups, and network ACLs</li>
  <li><strong>DDoS Protection</strong>: Cloudflare and AWS Shield for DDoS mitigation</li>
  <li><strong>WAF</strong>: Web Application Firewall for common attack protection</li>
  <li><strong>Intrusion Detection</strong>: Real-time monitoring for suspicious activities</li>
</ul>

#### Authentication and Authorization

<ul>
  <li><strong>Multi-factor Authentication</strong>: Planned feature, will be available for all accounts in the future</li>
  <li><strong>Password Policies</strong>: Strong password requirements enforced</li>
  <li><strong>Session Management</strong>: Secure session handling with automatic termination</li>
  <li><strong>Role-Based Access Control</strong>: Fine-grained permissions system</li>
</ul>

#### Development Security

<ul>
  <li><strong>Secure Development Lifecycle</strong>: Security integrated throughout our development process</li>
  <li><strong>Code Review</strong>: Security-focused code reviews for all changes</li>
  <li><strong>Dependency Scanning</strong>: Automated scanning for vulnerable dependencies</li>
  <li><strong>CI/CD Security</strong>: Security controls in our continuous integration and deployment pipeline</li>
</ul>

### Service Providers

Brew uses carefully selected third-party services to provide our email marketing platform. For our current list of subprocessors and service providers (including AI/model providers), see: [/legal/subprocessors](/legal/subprocessors). We regularly review providers to ensure they meet our security and performance standards and update that page when providers change.

### Acceptable Use Policy

Summary only - the binding Acceptable Use Policy is maintained as a standalone policy here: [/legal/acceptable-use-policy](/legal/acceptable-use-policy).

Our vision is to help businesses drive more revenue through effective, AI-powered email marketing. We're committed to maintaining a platform that benefits both senders and recipients.

#### Prohibited Uses

You may not use Brew for the following:

* **Non-Consensual Communications**: Sending emails to recipients who haven't explicitly opted in
* **Deceptive Practices**: Using misleading subject lines or sender information
* **Misrepresentation**: Impersonating another individual or organization
* **Illegal Content**: Distributing content that violates applicable laws
* **Harmful Content**: Sending malware, phishing attempts, or other harmful content

#### Email Marketing Requirements

When using Brew, you must:

* **Maintain Proper Consent**: Have documented consent from all recipients
* **Honor Unsubscribe Requests**: Process unsubscribe requests promptly
* **Include Valid Contact Information**: Provide accurate sender information
* **Comply with Applicable Laws**: Follow relevant regulations including data privacy, email marketing, and accessibility requirements

If you have questions about this policy or would like to report a violation, please reach out and we'll be happy to help.

### Policies & Legal

See our [Privacy Policy](/legal/privacy-policy), [Terms of Service](/legal/terms-of-service), [DPA](/legal/data-protection-addendum), and [Subprocessors & Service Providers](/legal/subprocessors). These legal pages are the source of truth; this Security page summarizes them for ease of reading.

## Enterprise Security Requirements

<Info>
  This section applies to customers on our Enterprise plan.
</Info>

We understand that enterprise customers often have specific security requirements. While we are actively working toward formal certifications, we are committed to meeting your security needs:

* **Custom Security Reviews**: We welcome detailed security questionnaires and assessments
* **Flexible Security Options**: Tailored security configurations to meet your organization's specific compliance and data protection requirements
* **Direct Support**: Direct access to our security team for your InfoSec professionals
* **Transparent Roadmap**: Clear timelines for our security certification progress

## Need help?

Our team is ready to support you at every step of your journey with Brew. Choose the option that works best for you:

<Tabs>
  <Tab title="Self-Service Tools">
    <CardGroup cols="2">
      <Card title="Search Documentation" icon="magnifying-glass" color="#c44925">
        Type in the "Ask any question" search bar at the top left to instantly find relevant documentation pages.
      </Card>

      <Card title="ChatGPT/Claude Integration" icon="robot" color="#c44925">
        Click "Open in ChatGPT" at the top right of any page to analyze documentation with ChatGPT or Claude for deeper insights.
      </Card>
    </CardGroup>
  </Tab>

  <Tab title="Talk to Our Team">
    <CardGroup cols="2">
      <Card title="Schedule a Call" icon="calendar" color="#c44925" href="https://calendar.google.com/calendar/u/0/appointments/schedules/AcZssZ1iYoRUG1J792XQpbuQLjSRRDupr7MwraFK-HQRCtTYdBmrQi8nZu2qXfzKQigb8gbKJK3KN3-R">
        Book time with our founders for personalized guidance on strategy, best practices, or complex implementation questions.
      </Card>

      <Card title="Call Us Directly" icon="phone" color="#c44925">
        Need immediate assistance? Reach us at **+1-(332)-203-2145** for urgent issues or time-sensitive questions.
      </Card>

      <Card title="Slack Channel" icon="slack" color="#c44925">
        Our preferred support channel. You'll receive an invite after signup for direct founder support and fast responses.
      </Card>

      <Card title="Email Support" icon="envelope" color="#c44925" href="mailto:support@brew.new">
        Contact us at **[support@brew.new](mailto:support@brew.new)** for detailed inquiries or if you prefer not to use Slack.
      </Card>
    </CardGroup>
  </Tab>
</Tabs>
