We publish the bar before we promise we clear it.
Most AI products ask you to trust the brand. BBB asks you to trust the architecture. This page is the public version of what we send to enterprise security reviewers — no NDA needed.
PDPL-aligned · Per-tenant DEK · RLS on every table · Write-once audit
Most security pages say 'enterprise-grade' and stop. We have a different definition.
If you've sat through a security review, you know the pattern. Vendor sends a brochure. Brochure says 'enterprise-grade encryption.' Two months later, the procurement team finds out the encryption is TLS in transit and nothing at rest, the multi-tenant isolation is 'we hope our application code does it,' and the audit log is Datadog with three-day retention.
BBB engineers around the architecture, not the marketing. The things below are properties of the system — checked at every deploy, exportable as evidence on day one of any regulator request.
Properties, not promises.
Each of these is verifiable in the platform itself — not via a PDF, not via a sales call. They hold whether you have one tenant or ten thousand, on day one or year five.
-
Guarantee 01
Per-tenant DEK encryption
Every tenant's secrets (OAuth tokens, integration credentials) are sealed with a tenant-specific data encryption key (DEK). The DEK is wrapped by your master key (KEK) which YOU control. BBB never sees plaintext. Rotation runbook included.
-
Guarantee 02
Row-level security on every table
Postgres RLS policies — checked at the database layer, not the application layer — scoped to your org_id via JWT. Even if our application code had a bug that tried to fetch your neighbor's data, the database would refuse.
-
Guarantee 03
Write-once audit log
Every state change writes a row to social_audit_log. UPDATE and DELETE are rejected at the SQL level. Exportable on demand for any regulator or internal review. Tamper-evident by design.
-
Guarantee 04
Data residency in-region
All customer data stored in ap-south-1 (Mumbai), aligned with Saudi PDPL adequacy provisions. On-prem deployment for Enterprise customers who need data on their own hardware.
Built-in defenses
What ships in every BBB tenant.
The things that don't fit on a slide but make procurement teams smile.
-
STRIDE threat model · public
Every new feature is threat-modeled before merge using STRIDE. The current model is published in the repo.
-
Jailbreak Atlas
Every adversarial prompt the fleet has encountered is documented with the mitigation that defeats it. Regulator-friendly artifact.
-
Honeytokens
Decoy credentials deployed across the platform that scream when touched. Incident workflow fires within seconds.
-
Monthly purple-team cycle
Argus's department runs a monthly red-team / blue-team exercise. Findings become test cases or honeytokens.
-
PII redaction at boundary
Inbound messages have emails + phone numbers redacted before they hit the audit log. Original lives in encrypted column.
-
Idempotent pipelines
Inbound keyed by (org, platform, external_id). Outbound by deterministic hash. Replay anything without duplicates.
From request to encrypted column.
Walking through the data path of a single inbound message: from the customer's tweet to the encrypted column on disk in ap-south-1. Every layer either provably preserves the integrity or explicitly transforms it.
-
Layer 01
TLS termination
Cloudflare edge → your origin. TLS 1.3 with HSTS preload.
- Cloudflare
- TLS 1.3
- HSTS
-
Layer 02
App layer
Per-request JWT validation against tenant org_id. RLS-bound query.
- Supabase Auth JWT
- RLS policy
- Org-scoped
-
Layer 03
PII redaction
Emails + phones replaced with placeholders before storage in audit log.
- <EMAIL>
- <PHONE>
-
Layer 04
Encryption at rest
Tenant DEK seals OAuth tokens and other sensitive columns. Postgres TDE for the DB volume.
- AES-256-GCM
- Per-tenant DEK
- Wrapped by KEK
-
Layer 05
Storage
Supabase Postgres 17 in ap-south-1. Daily snapshots. Backup encryption with separate key.
- Postgres 17
- ap-south-1
- Daily snapshots
Where we stand on the major frameworks.
Saudi PDPL (Personal Data Protection Law) — aligned. In-region data residency satisfies Article 18. Per-tenant encryption and audit log satisfy Articles 19–21. DSR workflow ships out of the box.
UAE PDPL — aligned. Cross-border transfer adequacy clause respected via in-region storage. On-prem deployment available for entities operating under DIFC.
Qatar PDPPL — aligned. Data sovereignty statement available on request.
EU GDPR — designed-against (we follow GDPR principles even where PDPL is the primary obligation). DSR + DPIA workflows are GDPR-compatible.
SOC 2 Type II — incoming. Targeting external audit Q2 2027. We've operated to the SOC2 Trust Services Criteria internally since launch; the audit is paperwork.
ISO 27001 — incoming, after SOC2.
What happens if something goes wrong.
We classify incidents on the standard severity matrix (S1 through S4). Customer notification commits per severity:
-
S1 · Confirmed customer data exposure
Notify within 24 hours (PDPL requires 72; we go faster). Postmortem published within 5 business days. Honeytokens auto-rotate.
-
S2 · Service degradation
Affecting >10% of customers. Status page update within 15 minutes. Resolution ETA + workaround communicated. Postmortem within 7 business days.
-
S3 · Bug or partial degradation
Logged in our incident tracker; resolved through normal cadence.
-
S4 · Internal observation
Or near-miss. No customer notification; becomes a hardening backlog item.
Status · status.blackbitbrain.com (when publicly live)
Security · [email protected] (PGP key on request)
Want the full security pack under NDA?
We send pre-filled vendor questionnaires (CAIQ, SIG-Lite, custom GCC), the STRIDE threat model, our data-flow diagrams, and the PDPL gap analysis. Usually before the second call.