Last updated: March 9, 2026
Privacy Policy
1. Information We Collect
Account Information. When you create a BrickGRC account, we collect your name, email address, organization name, and role. If you register or sign in via OAuth/SSO (such as Google or Microsoft), we also receive your provider user ID and, where available, your profile picture URL. If you join via invitation, we process the invitation token and the inviting organization's details.
Compliance Data. As you use the platform, we store the compliance data you create: engagements, control assessments, maturity scores, milestone progress, work item responses, report configurations, and marketplace listings. We also store documents you upload as evidence (policies, audit reports, certificates, and other files).
Employee Directory Data. If your organization configures an employee directory integration (such as Azure AD, Google Workspace, Okta, JumpCloud, BambooHR, Workday, Rippling, or a SCIM provider), we sync and store employee records including names, email addresses, phone numbers, departments, job titles, and organizational hierarchy data. This data may include individuals who are not direct users of BrickGRC. See Section 12 for details.
Technical & Audit Log Data. We automatically collect technical data including IP address, browser type and version, user agent string, operating system, device type, pages visited within the application, feature usage patterns, and timestamps of your interactions. We maintain audit logs that record user actions within the platform (such as logins, data modifications, and configuration changes) along with the associated IP address and user agent. API key metadata (creation date, last-used timestamp, and associated scopes) is also logged.
2. How We Use Your Information
We use your information to operate the BrickGRC platform: authenticating your identity, enforcing role-based access controls (RBAC) within your organization (Admin, Auditor, Editor, Viewer), processing compliance workflows, generating maturity reports, managing marketplace operations, delivering webhook and in-app notifications, processing sales inquiries, and maintaining audit logs for security and compliance purposes.
When you use AI-powered features — such as document intelligence, evidence auto-linking, maturity scoring, or the AI assistant — relevant portions of your compliance data and uploaded documents are processed by AI providers as described in Sections 3 through 5 below.
We do not sell, rent, or share your personal information with third parties for advertising or marketing purposes. We do not serve ads within the platform.
3. AI Processing & Third-Party AI Providers
BrickGRC uses artificial intelligence to power several core features: Document Intelligence — analyzing uploaded documents for compliance relevance and extracting structured information; Evidence Auto-Linking — automatically matching documents to applicable controls and requirements; Maturity Scoring — evaluating organizational maturity against framework rubric requirements using AI analysis; and the AI Assistant — providing guided compliance assistance and answering questions about your compliance posture.
As part of these operations, BrickGRC generates and stores vector embeddings of your document content for similarity search and evidence matching. The default embedding provider is Google Gemini. If Google's embedding API is unavailable, the platform falls back to Anthropic's API for embedding generation. Embeddings are stored persistently and associated with your organization's data.
You may configure your own AI provider through the platform's "Bricks" system by connecting an API key from OpenAI, Anthropic, Google Gemini, Cohere, or Mistral. When you do, AI requests for chat and analysis operations are sent to that provider under your own API agreement, and their respective privacy policies and data handling terms apply.
If you do not configure an AI provider, or if your configured provider is unavailable, the platform uses its default AI engine as described in Section 4.
4. Default AI Engine — Google Gemini
When no user-configured AI integration is active, BrickGRC processes AI requests using Google's Gemini API (currently the gemini-2.5-flash model) under BrickGRC's own API key.
Google processes data submitted through the Gemini API in accordance with Google's API Terms of Service and Google's Generative AI Additional Terms of Service. For paid API usage, Google states that it does not use customer API data to train its foundation models. However, Google may temporarily log API requests for abuse monitoring, safety enforcement, debugging, and service reliability purposes, and such logs may be retained for a limited period as described in Google's terms.
BrickGRC does not control Google's internal data handling beyond what is specified in their API terms. If you require stricter controls over how your data is processed by AI — for example, to satisfy specific regulatory requirements or internal data governance policies — you should configure your own AI provider with a provider whose terms meet your needs.
BrickGRC reserves the right to change the default AI engine provider at any time. We will update this Privacy Policy to reflect any such change and notify users through the platform.
5. Data Sent to AI Providers
When AI features are invoked, we send the data necessary for the specific operation. Depending on the feature, this may include: full text content extracted from uploaded documents, compliance control names and descriptions, item field data and work item responses, maturity rubric text and scoring criteria, engagement context (framework type, milestone names), and the user's prompt or question when using the AI assistant. For document intelligence and evidence auto-linking, the full document content may be transmitted rather than excerpts alone.
We do not send your account passwords, API keys, billing information, or personal identifiers beyond what may naturally appear within your uploaded compliance documents or employee directory data.
AI responses (generated scores, recommendations, document analysis results, assistant messages) are stored within the platform to populate features and maintain conversation history. AI interaction logs — including prompts and responses — are retained as described in Section 9.
6. Data Isolation & Security
Each organization's data is stored in a logically isolated tenant environment at the application layer, using shared database infrastructure with strict per-organization query scoping. Your compliance data, documents, configurations, and AI integration credentials are never accessible to other organizations on the platform.
We implement the following security measures: TLS 1.2 or higher for all data in transit; encryption at rest for stored data and documents; AES-256-GCM encryption for stored integration credentials and API keys; hashed and salted password storage (bcrypt); role-based access controls (Admin, Auditor, Editor, Viewer); and regular security reviews.
If you configure an external storage backend (such as AWS S3, Azure Blob Storage, Google Drive, Dropbox, SharePoint, or Nextcloud), documents stored through that integration are subject to that provider's own encryption and security policies. BrickGRC does not control the encryption settings of user-configured storage backends.
7. Third-Party Sub-Processors
BrickGRC uses the following core sub-processors to deliver the Service (always active):
Hetzner Online GmbH (Germany/EU) — Application hosting and database infrastructure.
Cloudflare, Inc. (US, with global edge network and EU presence) — CDN, DDoS protection, DNS, R2 object storage for documents, and email routing.
Resend, Inc. (US) — Transactional email delivery (account notifications, sales inquiries).
Google LLC (US) — Default AI engine (Gemini API) and default embedding provider.
Stripe, Inc. (US) — Payment processing and subscription management.
Grafana Labs (US) — Operational telemetry, monitoring, and alerting (infrastructure metrics only, not customer content).
User-configured integrations. When you configure an integration through the platform, that provider becomes a sub-processor for your organization's data. You are responsible for reviewing that provider's data processing terms. User-configurable integrations include:
AI Providers: OpenAI, Anthropic, Google Gemini (under your own key), Cohere, Mistral.
Document Storage: SharePoint, Nextcloud, AWS S3, Azure Blob Storage, Google Drive, Dropbox.
Notifications: Slack, Microsoft Teams, custom SMTP servers.
Project Management: Jira, Azure DevOps.
Calendars: Google Calendar, Outlook Calendar.
Employee Directory: Azure AD, Google Workspace, Okta, JumpCloud, BambooHR, Workday, Rippling, SCIM-compatible providers.
8. Cookies & Tracking
We use strictly essential cookies and tokens for authentication and operation. The BrickGRC application uses JWT (JSON Web Token) session tokens stored in your browser for authentication. We also store user preferences (language selection, theme) locally.
The BrickGRC landing page (brickgrc.com) loads Google Fonts, which may set cookies or log requests per Google's privacy policy. Cloudflare may set cookies for bot detection and security purposes on all BrickGRC domains.
We do not use third-party advertising cookies, social media tracking pixels, or behavioral analytics platforms. We do not fingerprint devices or track users across other websites.
9. Data Retention
Account and compliance data. We retain your data for as long as your account is active. Upon account or organization deletion, you have 30 days to export your data. After this period, all your data — including compliance records, uploaded documents, and configuration — is permanently deleted from our production systems within 90 days, including backups.
AI interaction logs. BrickGRC stores AI prompts, responses, and interaction metadata (including timestamps, token usage, and the AI provider used) in an internal interaction log. These logs are retained to provide conversation history within the AI assistant, support troubleshooting, and improve the Service. AI interaction logs are deleted when your organization's account is deleted, following the same timeline described above.
Audit logs. User action audit logs (including IP addresses, user agent strings, and action descriptions) are retained for up to 2 years for security compliance and incident investigation purposes. Audit logs may be retained beyond account deletion where required for legal or regulatory obligations.
Cached AI responses. Cached AI responses used for performance optimization are automatically purged on a rolling basis and are not retained beyond the cache expiration period.
10. Your Rights
Depending on your jurisdiction (including under the GDPR, UK GDPR, and similar data protection laws), you may have the right to: access the personal data we hold about you; rectify inaccurate or incomplete data; erase your personal data ("right to be forgotten"); receive your data in a portable, machine-readable format; restrict or object to certain processing activities; withdraw consent where processing is based on consent; and lodge a complaint with a supervisory authority.
You can export your compliance data and documents at any time through the platform's export features, including PDF report generation and in-app data export functionality. To exercise any other rights, or to request deletion of your account, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law).
11. International Data Transfers
BrickGRC's primary infrastructure is hosted in the European Union (Hetzner, Germany). Cloudflare operates a global edge network and may process requests at edge locations worldwide, including in the United States. US-based AI providers (Google, OpenAI, Anthropic, Cohere) process data in the United States and other jurisdictions where they maintain infrastructure. Resend, Stripe, and Grafana Labs are US-based processors.
When your data is transferred outside the EU/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework, or the sub-processor's participation in other recognized data transfer mechanisms. If you configure user-managed integrations, data may be transferred to the jurisdictions where those providers operate.
12. Employee Directory Data
When your organization configures an employee directory integration, BrickGRC syncs and stores employee information including names, email addresses, phone numbers, departments, and job titles. This data is used within the platform for compliance role assignment, task delegation, and organizational reporting.
Employee directory data may include individuals who are not registered BrickGRC users and who have not directly consented to BrickGRC's processing. The legal basis for processing this data is the legitimate interest of your organization in managing its compliance program effectively. Your organization, as the data controller, is responsible for ensuring it has the lawful right to sync this employee data to BrickGRC, including providing any required notices to affected employees under applicable data protection law.
Employee directory data is subject to the same data isolation, security, and retention policies described in this Privacy Policy. It is deleted when the integration is removed or the organization's account is deleted.
13. Children's Privacy
BrickGRC is a business-to-business compliance platform. The Service is not directed at individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
14. Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, BrickGRC will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR.
Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay. Breach notifications will include: a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
We will also notify affected customer organizations promptly so they can fulfill their own regulatory notification obligations.
15. Data Processing Agreement
A Data Processing Agreement (DPA) compliant with GDPR Article 28 is available upon request for customers who require one. To request a DPA, contact us at [email protected].
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, sub-processors, or applicable law. We will notify you of material changes via email or through a prominent notice in the platform at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact
If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us at [email protected].