BRYN byCivic
Trust center

Compliance reads as capability here.

Bryn's wedge is the record. Kill switches, retention controls, and audit exports are product features, not warning labels. This page is written for the people who sign off: your security lead, your data protection officer, your CFO.

Security posture

The summary your security lead asks for first.

S1 Tenancy

Workspace isolation.

Your signals, scores, and Plays live in your workspace.

S2 Access

Least privilege, on the record.

Access to customer workspaces is least-privilege and itself audit-logged, under the access and security provisions of the DPA.

S3 Bounded writes

Bryn writes only where a Play names.

No unbounded API calls, no channels outside the Play definition. The action model is the security model.

Privacy

Scope boundaries, stated plainly.

P1 Scope

Bryn watches what you point it at.

The beacon, telemetry, and CRM scopes are explicit configuration. Nothing outside the configured scope is collected, and the scope itself is visible in the product.

P2 No phone home

Your signal does not train someone else's model.

What Bryn learns from your workspace stays in your workspace. The v0 learning substrate is your own audit log, nothing pooled.

P3 Jurisdiction

US-only at launch, jurisdictional kill switch built in.

Identification can be suspended by region, segment, or Play in one click. The audit log captures the suspend. Bryn waits. You decide when.

P4 Erase

Erase an account's trail on demand.

The erase runs on demand, and the erase itself is logged as an erase. An auditable gap is better than a silent one.

Audit & retention

The record is the product. Retention is under your control.

Every signal, score, decision, and run is time-stamped, source-traced, and replayable. Export the log as CSV or JSON at any time. Erase on demand. Retention windows are configurable per workspace.

AICPA SOC 2 examination seal Type 1Civic Auth
AICPA SOC 2 examination seal Type 2Civic Auth
Civic Hub

Civic Auth holds SOC 2 Type 1. Civic Auth and Civic Hub hold SOC 2 Type 2, each examined by an independent auditor under AICPA criteria for security, availability, and confidentiality. Civic Hub also holds Google CASA Tier 2. Civic's second Type 2 audit period is now underway and includes Bryn by Civic under the same controls and criteria. Reports are available on request, and the controls behind them are summarized at civic.com/security.

Compliance documents

Paper your counsel can hold.

The documents your legal and security teams ask for. Every one is posted on civic.com and links straight through from here.

D1 Privacy

Privacy Policy.

How Civic handles personal data across its products. Read it

D2 CSA

Customer Services Agreement.

Civic's primary terms document, covering every product including Bryn. Read it

D3 Product terms

Customer Product Specific Terms.

The product-specific terms that sit downstream of the CSA. Read it

D4 DPA

Data Processing Agreement.

Processor terms for the signal scope you configure. Read it

D5 Sub-processors

Sub-processor list.

Every downstream processor, by role. Read it

Bring Compliance to the trial.

7-day trial the audit log ships on every tier