Compliance reads as capability here.
Bryn's wedge is the record. Kill switches, retention controls, and audit exports are product features, not warning labels. This page is written for the people who sign off: your security lead, your data protection officer, your CFO.
The summary your security lead asks for first.
Workspace isolation.
Your signals, scores, and Plays live in your workspace.
Least privilege, on the record.
Access to customer workspaces is least-privilege and itself audit-logged, under the access and security provisions of the DPA.
Bryn writes only where a Play names.
No unbounded API calls, no channels outside the Play definition. The action model is the security model.
Scope boundaries, stated plainly.
Bryn watches what you point it at.
The beacon, telemetry, and CRM scopes are explicit configuration. Nothing outside the configured scope is collected, and the scope itself is visible in the product.
Your signal does not train someone else's model.
What Bryn learns from your workspace stays in your workspace. The v0 learning substrate is your own audit log, nothing pooled.
US-only at launch, jurisdictional kill switch built in.
Identification can be suspended by region, segment, or Play in one click. The audit log captures the suspend. Bryn waits. You decide when.
Erase an account's trail on demand.
The erase runs on demand, and the erase itself is logged as an erase. An auditable gap is better than a silent one.
The record is the product. Retention is under your control.
Every signal, score, decision, and run is time-stamped, source-traced, and replayable. Export the log as CSV or JSON at any time. Erase on demand. Retention windows are configurable per workspace.
Civic Hub
Civic Auth holds SOC 2 Type 1. Civic Auth and Civic Hub hold SOC 2 Type 2, each examined by an independent auditor under AICPA criteria for security, availability, and confidentiality. Civic Hub also holds Google CASA Tier 2. Civic's second Type 2 audit period is now underway and includes Bryn by Civic under the same controls and criteria. Reports are available on request, and the controls behind them are summarized at civic.com/security.
Paper your counsel can hold.
The documents your legal and security teams ask for. Every one is posted on civic.com and links straight through from here.