Hosting and isolation
Production is hosted in UK and EEA regions on tier-1 cloud infrastructure. Each customer’s data is logically isolated by tenancy keys, and production access is limited to a named on-call rotation.
Encryption
- AES-256 at rest for all media, transcripts, and reports.
- TLS 1.2+ in transit, HSTS preloaded.
- Per-tenancy media keys; signed URLs for short-lived access.
Evidence integrity
Every photo, video frame, and transcript is hashed and time-stamped at capture. GPS coordinates are recorded from the device. Reports include a chain-of-custody log so adjudicators can verify nothing was edited after the tenant signed.
Identity and signatures
Tenant identity is verified via a one-time link to the email or phone number on the tenancy. Signatures are bound to a UUID, the device, the time, and the IP address - and then cryptographically sealed into the report.
Access control
- SSO and SAML for agency plans.
- Mandatory MFA for all staff with production access.
- Role-based permissions, audit-logged, reviewed quarterly.
Testing and monitoring
- Independent penetration tests at least annually.
- Static and dependency scanning on every change.
- 24/7 anomaly monitoring on the production audit log.
Compliance
Aligned to UK GDPR and the Data Protection Act 2018. SOC 2 Type II is on the roadmap for 2026; ICO registration on file. See our data processing addendum for processor terms.
Reporting a vulnerability
We welcome responsible disclosure. Email ops@heybruno.ai with a proof-of-concept; we acknowledge within one working day and aim to resolve high-severity issues within 30 days.