Security

Your brand data deserves enterprise-grade protection

BrandMythos handles your most sensitive brand assets: voice rules, visual systems, competitive positioning. We treat that trust as non-negotiable.

How we protect your data

Encryption everywhere

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Brand assets, extraction outputs, and user credentials never traverse the network in plaintext.

Authentication and access

SAML and OAuth 2.0 single sign-on for enterprise plans. Role-based access control lets you scope permissions per workspace, brand, and export type.

Audit logging

Every extraction, export, team change, and brand update is logged with who, what, when, and from where. Logs are immutable and available for compliance review.

Infrastructure isolation

Production workloads run in isolated environments. Brand data is partitioned per tenant. Business and Enterprise plans support dedicated infrastructure on request.

Regional data residency

Choose where your brand data lives. Enterprise plans support US, EU, and APAC data residency to meet local regulatory requirements.

SOC 2 readiness

Our controls are designed around the SOC 2 Type II trust service criteria. We are currently undergoing our first audit cycle. Enterprise customers can request our security questionnaire.

Team permissions

Admin, Editor, and Viewer roles. Admins control billing, SSO, and data export. Editors manage brands and extractions. Viewers can read but not modify.

Responsible disclosure

We welcome security researchers. Report vulnerabilities to [email protected] and we will respond within 48 hours with a severity assessment and remediation timeline.

Operational security practices

Security is not a feature we ship once. It is embedded in how we build, deploy, and operate every day.

Dependency scanning on every build (Snyk, Dependabot)
Static analysis and linting enforced in CI
Secrets never stored in source control
Quarterly access reviews for production systems
Employee background checks and security training
Incident response plan tested twice yearly
Penetration testing by independent third parties
Minimal data retention: we only keep what you need

Your data stays yours

You retain full ownership of every asset you upload and every extraction we produce from it. We do not train models on your brand data. We do not share it with other customers. We do not use it for anything beyond providing the service you requested.

When you delete a brand workspace, we purge all associated data within 30 days, including backups. Enterprise customers can request immediate purge with written confirmation.

Read our Privacy Policy and Terms of Service for the full legal framework.

Need a security review?

Enterprise and Business customers can request our security questionnaire, penetration test summaries, and architecture documentation.

Contact security team [email protected]