Security

Encrypted. Isolated. Audited.

Built for organizations that cannot afford a data incident.

At rest: AES-256 encryption on all stored data.
In transit: TLS 1.3 for all data in motion.
Tenant isolation: Database-level row isolation on every table. Organizations cannot read each other's data — enforced at the database, not just the application.
Query scoping: Every query is scoped to your organization at the engine level. No query reaches the database without verified org context.
Identity: Server-side identity verification on every request.
MFA: TOTP-based second factor. Sensitive operations require step-up authentication even within an active session.
Sessions: 30-minute idle timeout with a 2-minute warning before automatic logout.
RBAC: Role-based access control with fine-grained permissions. Every request evaluated at two independent layers — defense in depth.
Rate limiting: Rate limiting bucketed by organization, user, and IP. Prevents both runaway automation and targeted abuse.
Security headers: Content Security Policy with per-request nonces. CSRF protection on all state-changing requests. No-cache headers on authenticated routes.

Third-party AI can't train on your data.

BeanStack sends customer data to AI providers only to process your individual requests. Every provider we work with is contractually prohibited from training on your data or retaining it after processing.

Every decision. Every override. Logged.

01. Every user action is recorded: what changed, what it changed from, who made the change, when, and from which IP address and session.

02. Every AI decision is logged with a confidence score, the source document it referenced, and the rule it applied — a full provenance chain.

03. Every login, permission change, and data export is a named event in the audit log. We flag sensitive and high-risk events separately.

If you've found a security issue, email security@beanstack.ai. We investigate and respond within 48 hours.

Questions about how we handle your data?

Reach out directly. We answer every question.

AES-256 encryption  ·  TLS 1.3 in transit  ·  GDPR compliant