Security
Last updated: May 27, 2026
brezel.ai ("brezel.ai," "we") takes the security of BrezelScraper (the "Service") and the data it processes seriously. This page summarizes the technical and organizational measures in place. It is a living document — the date at the top of the page reflects the most recent revision.
1. Encryption
- In transit: all traffic to and from the Service is encrypted with TLS 1.2 or higher. HTTP requests are redirected to HTTPS at the edge. HSTS is enabled on brezelscraper.com.
- At rest: the managed database and object storage we use encrypt data at rest using industry-standard symmetric encryption. Backups are encrypted.
- Secrets: API keys, OAuth tokens, and webhook signing secrets are stored hashed or encrypted. Session identifiers are never logged in plaintext.
2. Access controls
- Production access is limited to a strictly defined set of authorised personnel under a role-based access-control model. Access is reviewed on personnel changes and at regular intervals.
- Multi-factor authentication is required for all administrative access to production systems, source-control repositories, and deployment tooling.
- User-facing roles are likewise role-segregated, with each role limited to the API surfaces necessary for its function.
- API keys are scoped to the issuing user, are shown in plaintext only once at creation, and can be revoked from the dashboard at any time. Stored credentials are never recoverable in plaintext.
3. Infrastructure
- Compute: application servers and job runners hosted in the European Union.
- Database: managed, encrypted relational database in the European Union, with automated backups and point-in-time recovery.
- Object storage: encrypted object storage in the European Union for job-output artefacts and exports.
- Edge: a third-party CDN and edge-protection provider handles TLS termination, DDoS mitigation, and perimeter rate-limiting.
- Payments: all card processing is handled by Stripe on their PCI-DSS Level 1 infrastructure. We never see, store, or transmit full card numbers.
- Authentication: identity, sign-in, and session management are provided by a SOC 2-compliant identity platform.
Each sub-processor is reviewed for security posture before integration. The complete, up-to-date list of named sub-processors — including legal entity, processing location, and the categories of data each receives — is maintained in our Data Processing Addendum and is available to customers on request at [email protected].
4. Application security
- Continuous automated dependency-vulnerability monitoring with timely patching of known-vulnerable packages.
- Hardened browser-security headers, including a Content Security Policy, on dashboard pages.
- Engineering practices aligned with the OWASP Top 10 secure-coding standards.
- Defences against cross-site request forgery on state-changing endpoints.
- Webhook payloads are signed with a per-webhook secret so consumers can verify authenticity.
- Rate-limiting and per-user quotas on sensitive endpoints to limit the blast radius of a compromised credential.
5. Data handling
- Customer data is logically segregated by tenant and accessed only through application code that enforces tenant isolation.
- Scraped job output is retained for as long as your account is active or until you delete the corresponding job, whichever occurs first. You may delete individual jobs (and their outputs) from the dashboard or via the API at any time. To request closure of your account and deletion of associated personal data, email [email protected]. Personal data is removed from active systems within 90 days of account closure; residual copies in encrypted backups are overwritten on the normal backup-rotation cycle.
- We do not sell, rent, or share personal data with advertising networks or data brokers. See the Privacy Policy for the full list of processors and what each one receives.
6. Responsible disclosure
If you discover a security vulnerability in the Service, please report it to [email protected] with a description of the issue, the steps to reproduce, and any proof-of-concept material. For automated discovery of our reporting policy, see /.well-known/security.txt (RFC 9116). We acknowledge reports within 3 business days and will work with you in good faith on triage, fix timeline, and (where appropriate) credit. We ask that you:
- Give us reasonable time to remediate before any public disclosure;
- Avoid privacy violations, destruction of data, and interruption or degradation of our Service;
- Only interact with accounts you own or have explicit permission to test;
- Do not engage in social engineering, phishing, or physical attacks against our staff or facilities.
We maintain a vulnerability disclosure program and welcome responsible security reports. Meaningful reports may be recognized publicly with your consent.
7. Incident response
We maintain an internal runbook for security incidents covering triage, containment, eradication, recovery, and post-incident review. In the event of a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by applicable law (within 72 hours where the GDPR applies).
8. Contact
For security questions, vulnerability reports, or compliance inquiries:
brezel.ai
[email protected]
