Data Security

Brikly takes the security of your data seriously. As a B2B platform handling sensitive business information - supplier details, pricing, and financial data - we apply industry-standard protections at every level.

Data encryption

In transit

All data transmitted between your browser and Brikly's servers is encrypted using TLS 1.2+ (Transport Layer Security). This applies to:

  • Web application traffic.
  • API requests.
  • File uploads (invoices, images).
  • Chrome extension communications.

At rest

Data stored in Brikly's databases and file storage is encrypted at rest using AES-256 encryption. This includes:

  • Invoice files (PDFs and images).
  • Extracted invoice data.
  • Recipes, ingredients, and costings.
  • User account information.

Multi-tenant isolation

Brikly is a multi-tenant platform, meaning multiple businesses share the same infrastructure. However, strict isolation ensures that:

  • Each workspace's data is completely separate. There is no way for one workspace to access another's data.
  • Database-level controls enforce isolation. Every query is scoped to the authenticated user's workspace.
  • File storage is segmented so that uploaded invoices and documents are accessible only within the workspace that owns them.
  • API authentication verifies both the user's identity and their workspace membership on every request.

Info: Multi-tenant isolation is enforced at the application and database level. Even in the unlikely event of a software bug, architectural safeguards prevent data leaking between workspaces.

GDPR compliance

Brikly is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What personal data Brikly holds

Brikly primarily handles business data (recipes, ingredients, invoices), but it also stores limited personal data:

  • User accounts - name, email address, role.
  • Activity logs - who made changes and when.
  • Authentication data - securely hashed passwords, session tokens.

Your rights

As a Brikly user, you have the right to:

  • Access your personal data - request a copy of the data we hold about you.
  • Rectification - correct any inaccurate personal data.
  • Erasure - request deletion of your account and associated personal data.
  • Portability - receive your data in a structured, machine-readable format.

To exercise any of these rights, contact us at support@brik.ly.

Data processing

Brikly processes your data for the purpose of providing the service you have subscribed to. We do not sell your data to third parties. Invoice data processed by our AI engine is used solely to provide extraction and matching services for your workspace.

Data retention

Data type | Retention period
Active account data | Retained while your subscription is active
Invoices and documents | Retained while your subscription is active
Deleted items (soft delete) | Recoverable for 30 days, then permanently removed
Cancelled account data | Retained for 90 days after cancellation, then permanently deleted
Activity logs | Retained for 12 months

Tip: If you need to retain invoice data for longer than your subscription period (e.g. for tax records), export your data before cancelling. Brikly provides export tools in Settings > Data Export.

Where data is stored

Brikly's infrastructure is hosted in the United Kingdom and the European Economic Area (EEA). All primary data storage is within these regions.

  • Application servers - UK/EEA cloud infrastructure.
  • Database - UK/EEA, with automated encrypted backups.
  • File storage - UK/EEA, with redundancy across multiple availability zones.

No data is transferred outside the UK/EEA unless explicitly required by an integration you have configured (e.g. a third-party service with servers elsewhere). In such cases, appropriate safeguards (such as Standard Contractual Clauses) are in place.

Security practices

Beyond encryption and isolation, Brikly follows these security practices:

  • Regular security audits - periodic reviews of infrastructure and application code.
  • Dependency monitoring - automated scanning for known vulnerabilities in third-party libraries.
  • Access controls - internal access to production systems is restricted to authorised personnel with multi-factor authentication.
  • Incident response - a documented process for identifying, containing, and resolving security incidents.

Caution: Brikly secures data on our side, but account security also depends on you. Use a strong, unique password for your Brikly account and do not share your login credentials with others. Use the roles system to give team members their own accounts.

Questions?

If you have questions about data security, privacy, or compliance, contact us at support@brik.ly. We are happy to provide additional detail or documentation as needed.