Security
Last updated on March 16, 2026.
Overview
Security is foundational to Berlay. Every architectural decision — from authentication to data storage — is made with your customers' data in mind. This page describes how we protect it.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256-GCM with per-organisation encryption keys. Each organisation's key is itself encrypted with a master key (envelope encryption), meaning a compromise of one organisation's data does not affect others.
Authentication
Berlay uses magic link authentication exclusively — no passwords are ever stored. Links are single-use, expire after 15 minutes, and are bound to the requesting IP address. There are no password databases to breach.
Infrastructure
Our application runs in Docker containers on dedicated infrastructure. The database operates on an internal-only network with no public exposure. Rate limiting and automated IP blocking (via fail2ban) are applied to all endpoints. TLS certificates are issued by Let's Encrypt and renewed automatically.
Access Controls
Each workspace has strict role-based access control (owner, admin, agent). Workspace data is isolated at the encryption layer — agents in one workspace cannot access data from another, even if they share a billing account.
Subprocessors
We use a small number of trusted subprocessors to deliver the service, including Stripe for payment processing and Resend for transactional email. We maintain data processing agreements with all subprocessors.
Incident Response
In the event of a security incident affecting your data, we will notify affected customers within 72 hours of becoming aware, as required by applicable law. We maintain an internal incident response process and conduct post-incident reviews.
Responsible Disclosure
If you discover a security vulnerability in Berlay, please report it to hi@berlay.io with a description of the issue and steps to reproduce. We ask that you give us a reasonable time to investigate and remediate before public disclosure. We do not currently offer a paid bug bounty programme, but we will acknowledge responsible reporters publicly if they wish.
Questions
If you have security-related questions or concerns, contact us at hi@berlay.io.