B Brevy
Features Pricing How It Works Documentation Sign In Get Started

On This Page

  • Security Overview
  • Infrastructure
  • Data Encryption
  • Access Controls
  • AI Model Security
  • Voice Data (Gemini Live)
  • Code Processing
  • Vulnerability Reporting
  • Compliance
  • Data Breach Response
  • Contact Security Team
Updated June 15, 2026

Security

Your code and data security is our top priority. Learn how we protect everything you build with Brevy.

TLS 1.3 in Transit AES-256 at Rest Zero Training on User Code

1. Security Overview

Brevy takes a security-first approach to building our AI coding workspace. We understand that developers trust us with their most sensitive asset — their source code. Our security practices are designed to protect your data at every layer, from the moment you type to the moment the AI response returns.

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. No unencrypted data is ever stored or transmitted.

Zero Code Training

We never use your source code to train AI models. Your code is processed for your requests only and is not retained for model improvement.

Secure Authentication

Industry-standard bcrypt password hashing, short-lived JWT tokens, and refresh token rotation protect your account access.

Isolated Processing

Your code is processed in isolated, ephemeral environments. Data from different users never mixes, and processing context is discarded after each request.

Real-Time Monitoring

Automated security scanning, intrusion detection, and anomaly monitoring across all infrastructure components, 24/7.

99.9% Uptime

Redundant infrastructure with automated failover ensures reliable service availability and data durability.

2. Infrastructure Security

Our infrastructure is designed with defense-in-depth principles, implementing security controls at every layer of the technology stack.

2.1 Cloud Infrastructure

  • Hosted on SOC 2 Type II certified cloud infrastructure providers.
  • All servers run in isolated Virtual Private Cloud (VPC) environments with strict network segmentation.
  • Automated infrastructure provisioning using Infrastructure-as-Code (IaC) ensures consistent security configurations.
  • Regular automated vulnerability scanning and patch management across all hosts.

2.2 Network Security

  • DDoS protection — automated mitigation of distributed denial-of-service attacks at the network edge.
  • Web Application Firewall (WAF) — filtering and monitoring of all HTTP traffic to block common attack vectors.
  • Network segmentation — strict isolation between production, staging, and development environments.
  • Intrusion Detection System (IDS) — real-time monitoring for unauthorized access attempts and anomalous traffic patterns.
  • Rate limiting — API rate limiting to prevent abuse and ensure service availability for all users.

2.3 WebSocket Security

The VS Code extension communicates with our backend via secure WebSocket connections (WSS). All WebSocket traffic is encrypted using TLS 1.3, authenticated via JWT tokens, and subject to the same rate limiting and access controls as HTTP API requests. WebSocket connections are automatically terminated after periods of inactivity.

2.4 Data Residency

User data is processed and stored in geographically redundant data centers. We implement data residency controls for enterprise customers who require data to remain within specific jurisdictions.

3. Data Encryption

3.1 Encryption in Transit

🔒 TLS 1.3 All data transmitted between your device, our servers, and third-party AI providers is encrypted using TLS 1.3 — the latest and most secure version of the Transport Layer Security protocol.

  • All HTTPS connections enforce TLS 1.3 with strong cipher suites.
  • WebSocket connections use WSS (WebSocket Secure) encryption.
  • Certificate pinning in the VS Code extension prevents man-in-the-middle attacks.
  • HSTS (HTTP Strict Transport Security) headers enforce HTTPS on all web traffic.
  • No mixed content or unencrypted data transmission is permitted.

3.2 Encryption at Rest

🔐 AES-256 All stored data — including databases, file storage, backups, and API keys — is encrypted at rest using AES-256, the industry gold standard for symmetric encryption.

  • Database encryption — all database records (account info, chat history, billing data) are encrypted at rest.
  • File storage encryption — all files and blobs are stored with server-side encryption.
  • Backup encryption — all backups are encrypted and stored in separate, access-controlled locations.
  • Key management — encryption keys are managed using a dedicated key management service (KMS) with automatic key rotation.

3.3 Password Security

  • Passwords are hashed using bcrypt with salt rounds ≥ 12 before storage.
  • Plain-text passwords are never stored, logged, or transmitted internally.
  • Password strength requirements are enforced at account creation and update.
  • Brute-force protection limits login attempts and triggers account lockout after repeated failures.

4. Access Controls

4.1 Authentication & Sessions

Security Control Implementation
Password Hashing Bcrypt with salt rounds ≥ 12
Access Token Lifetime 15 minutes (JWT)
Refresh Token Rotation Automatic on each use, 30-day expiry
Session Management Secure, HttpOnly, SameSite cookies
OAuth Support GitHub, Google (PKCE flow)
Account Lockout After repeated failed login attempts

4.2 Internal Access Controls

  • Principle of Least Privilege — no employee has standing access to production systems or user data. Access is granted on a need-to-know basis with time-limited permissions.
  • Role-Based Access Control (RBAC) — all internal systems implement role-based access with granular permissions.
  • Audit Logging — all access to production systems and user data is logged with user identity, timestamp, action, and resource. Audit logs are immutable and retained for 12 months.
  • Multi-Factor Authentication (MFA) — required for all employee access to production infrastructure, code repositories, and administrative systems.
  • Background Checks — all employees with access to sensitive systems undergo background checks prior to employment.

5. AI Model Security

Using AI models from third-party providers introduces unique security considerations. We address these with a comprehensive approach:

5.1 Data Flow Security

  • Code context is transmitted to AI providers only when you explicitly initiate a request — there is no background transmission of your code.
  • All transmissions to AI providers use TLS 1.3 encryption.
  • No user-identifiable information is included in AI requests beyond what is strictly necessary for the coding task.
  • Request metadata (timestamps, model used) is separated from content data.

5.2 Provider Security Requirements

We require all AI model providers to meet the following minimum security standards:

  • SOC 2 Type II certification or equivalent.
  • Data processing agreements (DPAs) with specific provisions for code data.
  • No training on user-submitted code without explicit consent.
  • Encryption of data in transit and at rest.
  • Regular third-party security audits.

5.3 BYOK (Bring Your Own Key) Security

API Key Protection: When you provide your own API keys, they are encrypted using AES-256 and stored in a dedicated credential vault separate from application databases. Keys are decrypted only at the moment of request transmission, are never logged in plaintext, and are not accessible to any Brevy employee.

  • API keys are encrypted with AES-256 using a dedicated key management service.
  • Keys are decrypted only in memory during request transmission and immediately discarded.
  • Keys are never included in logs, error reports, or analytics data.
  • You can delete your stored API keys at any time from the dashboard.
  • With BYOK, requests go directly from our servers to the provider you configured — we act only as a secure pass-through.

5.4 Model Output Safety

  • AI-generated content is treated as untrusted input. We do not execute or automatically deploy AI-generated code.
  • Content filtering is applied to block generation of malware, exploits, and other harmful code patterns.
  • Rate limiting prevents abuse and ensures equitable access to AI resources.

6. Voice Data Security (Gemini Live)

Brevy's voice coding feature uses Google Gemini Live for real-time voice processing. This introduces additional security considerations:

  • Real-time streaming only — voice audio is streamed to Google's servers in real time for processing and is never stored by Brevy. Audio data exists only for the duration of the active session.
  • Microphone access control — Brevy only accesses your microphone when you explicitly enable voice mode. The extension does not have persistent microphone access and cannot record audio in the background.
  • No persistent audio storage — voice recordings are not saved to disk, cached, or retained in any form after the session ends.
  • Transcription handling — text transcriptions of voice input may be temporarily cached (up to 24 hours) to enable the coding workflow, but are purged automatically.
  • Google's processing — voice data is processed by Google in accordance with their privacy policy. Google does not use Gemini Live audio data for advertising or model training.

7. Code Processing Security

7.1 Ephemeral Processing

Your code is processed in ephemeral, isolated environments that are destroyed after each request. Code context is held in memory only for the duration of the AI request and is not persisted to disk or databases.

7.2 No Cross-User Contamination

  • Each user's code is processed in its own isolated execution context.
  • There is no cross-user data sharing, inference, or contamination.
  • Processing environments are reset between users and requests.

7.3 Workspace Context

When the extension reads files from your workspace for context, it does so locally on your machine. Only the relevant code snippets that you explicitly select or that are necessary for your request are transmitted to our servers and then to the AI provider. Full workspace contents are never transmitted.

7.4 Autocomplete Security

  • Code completions are generated based on the visible context in your editor — typically the open file and a limited window of surrounding code.
  • Completion data is transmitted over encrypted channels and processed in isolated environments.
  • Completion history is not stored beyond the active session unless you explicitly enable conversation persistence.

8. Vulnerability Reporting

We take security vulnerabilities seriously and appreciate the security research community's efforts in helping us keep our users safe.

8.1 Reporting a Vulnerability

If you discover a security vulnerability in the Brevy service, VS Code extension, or website, please report it responsibly:

  • Email: security@brevy.com
  • Subject line: "[VULNERABILITY] Brief description"
  • Include: Description of the vulnerability, steps to reproduce, potential impact, and any suggested fixes.

8.2 Responsible Disclosure

We request that you:

  • Allow us reasonable time (up to 90 days) to investigate and address the vulnerability before public disclosure.
  • Do not access or modify data belonging to other users.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not publicly disclose the vulnerability until we have confirmed a fix is in place.

8.3 Bug Bounty

We are committed to recognizing and rewarding security researchers who help us identify vulnerabilities. Depending on the severity and impact of the reported issue, we may offer:

  • Public acknowledgment (with your permission).
  • Brevy credits or subscription upgrades.
  • Monetary rewards for critical vulnerabilities.

9. Compliance & Certifications

Brevy is committed to meeting industry-standard compliance requirements:

SOC 2 Type II

Our infrastructure providers maintain SOC 2 Type II certification, ensuring rigorous security controls and regular third-party audits.

GDPR Compliant

We comply with the EU General Data Protection Regulation, including data subject rights, data processing agreements, and appropriate transfer mechanisms.

CCPA / CPRA

We comply with the California Consumer Privacy Act and California Privacy Rights Act, providing California residents with enhanced privacy rights and controls.

We are actively pursuing additional compliance certifications and will update this page as new certifications are obtained. Our compliance posture is reviewed annually by independent third-party auditors.

10. Data Breach Response

In the unlikely event of a data breach, we have a comprehensive incident response plan in place:

10.1 Response Process

Phase Timeline Actions
Detection & Containment Within 1 hour Automated alerts trigger incident response team activation. Affected systems are isolated immediately.
Assessment Within 24 hours Scope and impact assessment. Identification of affected data types and users. Root cause analysis initiated.
Notification Within 72 hours Affected users notified via email. Relevant supervisory authorities notified as required by law (GDPR: within 72 hours).
Remediation Ongoing Vulnerability patched, affected systems restored, security controls strengthened to prevent recurrence.
Post-Incident Review Within 2 weeks Comprehensive post-mortem, lessons learned, and updated security controls published.

10.2 What We Will Do

  • Notify affected users as quickly as possible with clear information about what happened and what data was affected.
  • Provide specific guidance on steps you can take to protect yourself.
  • Engage independent security experts to assist with investigation and remediation.
  • Cooperate fully with law enforcement and regulatory authorities as required.
  • Publish a transparent post-incident report detailing the incident and our response.

11. Contact the Security Team

For security-related inquiries, vulnerability reports, or any concerns about the safety of your data, please contact our security team:

Security Issues & Vulnerabilities security@brevy.com
General Security Inquiries security@brevy.com
Privacy Concerns privacy@brevy.com
Legal & Compliance legal@brevy.com

We aim to respond to all security inquiries within 24 hours for critical issues and within 3 business days for general inquiries.

Emergency: If you believe your account has been compromised or you have evidence of a data breach, please contact us immediately at security@brevy.com with "[URGENT]" in the subject line. We have a 24/7 on-call security team for critical incidents.

B Brevy

The AI coding workspace for modern developers.

Product

Features Pricing How It Works Dashboard

Resources

Documentation Blog Community Changelog

Company

About Careers Contact Press Kit

Legal

Privacy Policy Terms of Service Security

© 2025 Brevy. All rights reserved.