
Security and Trust Whitepaper

How BrainCX protects customer data, conversations, and systems

Version 1.0  |  May 2026
BrainCX, Inc.  |  South Florida, USA
Patent-pending platform  |  Built by operators, not engineers

Executive Summary

BrainCX operates a patent-pending voice-first conversational AI platform serving healthcare, behavioral health, higher education, financial services, insurance, and travel. These are high-trust industries where customer conversations carry sensitive personal, clinical, financial, and educational information. We designed BrainCX from the ground up to handle that responsibility.

This whitepaper outlines the controls, processes, and certifications that protect customer data and systems on the BrainCX platform. It covers our compliance posture, encryption practices, infrastructure security, access controls, secure development lifecycle, incident response program, and the privacy and AI-specific protections we apply to voice and chat interactions.

BrainCX was built by operators who ran contact centers, not by engineers building software for them. That perspective shapes our security program: every control is designed to fit real production workloads in regulated industries, not theoretical scenarios.

At a glance

AES-256 encryption at rest. TLS 1.2 or higher in transit.
SOC 2 Type I report available; SOC 2 Type II audit in progress.
HIPAA-aligned architecture with Business Associate Agreements available.
Sub-300ms latency at 99.9% uptime.
Patent-pending platform protected through Thompson Patent Law.

1. Company and Platform Overview

BrainCX, Inc. is a South Florida-based company that recovers revenue lost to voice and conversation friction in high-trust industries. The platform consolidates four agent types (voice AI, chat AI, web-embedded voice and chat, and avatar AI) into a single managed environment.

Platform differentiators relevant to security
  • Agent cloning via call ingestion. Clones the voice, tone, empathy, and objection handling of a client’s best human agents using the science of human communication. Source recordings remain segregated to the originating tenant and never train shared models.
  • Interactive web co-browsing. Surfaces pricing, images, and forms in real time while the AI talks. Co-browsing sessions run inside the customer’s tenant boundary and inherit the same access controls as the parent conversation.
  • Single platform, four agent types. One control plane, one identity model, one audit trail across voice, chat, embedded, and avatar interactions. Security policies are applied uniformly regardless of agent type.
Product lines covered by this whitepaper

Product              Scope
BrainCX Enterprise   Managed deployment for regulated industries. Full SOC 2 control coverage, BAA available.
Answr by BrainCX     Self-serve agent builder at Answr.help. Subset of enterprise controls, no BAA.
Dialingo             Standalone SaaS translation relay across 40+ languages. Voice data encrypted end to end.
Findable             Provider directory audit at Findable.health. Read-only public data scanning.

2. Compliance and Certifications

BrainCX aligns its security program to recognized frameworks and provides contractual commitments appropriate to each regulated industry we serve.

Current posture

Framework       Status
SOC 2 Type II   Audit in progress. Observation window underway with an independent CPA firm.
HIPAA           Architecture and administrative safeguards aligned to the HIPAA Security Rule. Business Associate Agreements (BAA) executed with healthcare and behavioral health clients prior to processing PHI.
GDPR            Standard Contractual Clauses available. Data subject access, rectification, erasure, and portability requests honored within statutory timelines.
CCPA / CPRA     Consumer rights workflows in production. Do-not-sell and limit-use signals respected.
FERPA           Designated School Official arrangements supported for higher education clients. Education records segregated and access-logged.
GLBA            Safeguards Rule controls applied to financial services workloads. Annual risk assessment and written information security program maintained.
PCI-DSS         Card data is not stored on the platform. Where payment capture is in scope, BrainCX uses PCI-validated third-party processors and operates within their tokenization scope.
TCPA            Consent capture, do-not-call list scrubbing, and time-of-day rules built into the outbound voice engine.

Roadmap

Following completion of SOC 2 Type II, BrainCX intends to pursue ISO 27001 certification and HITRUST CSF certification to support enterprise healthcare clients. Target completion dates are shared under mutual NDA during procurement.

3. Data Protection and Encryption

Encryption in transit
  • All client-facing endpoints enforce TLS 1.2 or higher. TLS 1.3 is preferred where the client supports it.
  • Voice media streams use SRTP or DTLS-SRTP depending on the carrier integration. Real-time transcription pipelines run inside the encrypted session.
  • Internal service-to-service traffic uses mutual TLS (mTLS) with short-lived certificates rotated automatically.
  • HSTS is enforced on the BrainCX web properties and tenant portals. Public-key pinning is applied as well, with the caveat that current browsers no longer honor HPKP headers, so for browser sessions the protection comes from HSTS and normal certificate validation rather than from pinning.
Encryption at rest
  • All persistent storage volumes, object stores, and database backups are encrypted using AES-256.
  • Encryption keys are managed through the cloud provider’s Key Management Service with envelope encryption and customer-specific data encryption keys.
  • Customer-managed keys (BYOK) are available for BrainCX Enterprise clients with regulatory key-control requirements.
  • Key rotation occurs at least annually for master keys and continuously for data encryption keys. Because the master key only wraps data encryption keys, a master key rotation re-wraps those keys and does not require re-encrypting the stored data.
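
As an added worked example of the envelope-encryption arrangement described above (example code written for this document, not BrainCX platform code): a stand-in for the cloud KMS holds versioned key encryption keys, each tenant's data encryption key is wrapped under the current KEK, records are sealed with AES-256-GCM using the tenant ID as associated data, and a master key rotation re-wraps the DEK while the stored ciphertext is left untouched. The kms type, the tenant names and the record text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// kms stands in for a cloud KMS holding versioned 256-bit key encryption
// keys (KEKs) that never leave this struct.
type kms struct {
	keks    map[int][]byte
	current int
}

// rotate adds a new KEK version; older versions stay usable for unwrap until retired.
func (k *kms) rotate() {
	k.current++
	k.keks[k.current] = randomBytes(32)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not an input error
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal is AES-256-GCM with a random nonce prepended; aad is authenticated
// but not encrypted, so the ciphertext opens only under the same aad.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, ct, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// wrappedDEK is stored next to the tenant's data: the DEK under one KEK version.
type wrappedDEK struct {
	kekVersion int
	blob       []byte
}

func (k *kms) wrap(tenant string, dek []byte) wrappedDEK {
	return wrappedDEK{k.current, seal(k.keks[k.current], dek, []byte("dek:"+tenant))}
}

func (k *kms) unwrap(tenant string, w wrappedDEK) ([]byte, error) {
	kek, ok := k.keks[w.kekVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d has been retired", w.kekVersion)
	}
	return open(kek, w.blob, []byte("dek:"+tenant))
}

// Records carry the tenant ID as aad, so a blob copied into another tenant's
// store does not decrypt there even with the right DEK.
func encryptRecord(dek []byte, tenant string, record []byte) []byte {
	return seal(dek, record, []byte("tenant:"+tenant))
}

func decryptRecord(dek []byte, tenant string, ct []byte) ([]byte, error) {
	return open(dek, ct, []byte("tenant:"+tenant))
}

func main() {
	k := &kms{keks: map[int][]byte{}}
	k.rotate()
	dek := randomBytes(32)
	w := k.wrap("acme", dek)
	ct := encryptRecord(dek, "acme", []byte("constructed transcript line"))
	k.rotate() // annual master key rotation: re-wrap the DEK, leave ct alone
	dek, _ = k.unwrap("acme", w)
	w = k.wrap("acme", dek)
	pt, err := decryptRecord(dek, "acme", ct)
	_, xerr := decryptRecord(dek, "globex", ct)
	fmt.Printf("KEK v%d: same tenant %q %v; other tenant: %v\n", w.kekVersion, pt, err, xerr)
}
```

The associated-data binding is the detail to notice: even with the correct DEK, a ciphertext copied into a different tenant's context fails to open, which turns a misrouted blob into an error rather than a disclosure. The wrapped DEK records the KEK version it was sealed under, so a master key rotation is a re-wrap of one small blob per tenant, and an old KEK version can be retired once every wrapped key has been moved off it.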
Data classification and handling

Class          Handling
Public         Marketing content, public documentation. No restrictions.
Internal       Operational data, non-sensitive customer metadata. Access limited to BrainCX personnel.
Confidential   Customer conversation transcripts, call recordings, agent configurations. Tenant-isolated, encrypted, access logged.
Regulated      PHI, payment data, education records, financial account data. Strictest controls. BAA or equivalent agreement required before processing.

4. Infrastructure Security

Hosting and physical security

BrainCX runs on tier-1 cloud infrastructure providers that maintain ISO 27001, SOC 1, SOC 2, SOC 3, PCI-DSS, and HIPAA attestations for the underlying physical and platform layers. Production workloads run in US data center regions by default. EU and other regional deployments are available on the Enterprise tier to meet data residency requirements.

Network architecture
  • Production environments run inside dedicated virtual private clouds with no public ingress to internal services.
  • Public-facing endpoints sit behind a managed web application firewall (WAF) with rules tuned to OWASP Top 10 and voice-specific abuse patterns.
  • DDoS protection is provided at the edge with both volumetric and application-layer mitigation.
  • Internal network segmentation isolates production from staging, development, and corporate environments. No flat networks.
  • All administrative access to production runs through a bastion with session recording, MFA, and time-bound credentials.
Tenant isolation

Customer data is logically isolated at every layer (database row level, object storage prefix, message queue topic, and model artifact). Enterprise customers can elect physically isolated infrastructure where regulatory or contractual requirements demand it. Cross-tenant access is blocked at the application layer and verified by automated tests in every deployment.

Vulnerability management
  • Continuous vulnerability scanning of containers, hosts, and dependencies.
  • Software Composition Analysis (SCA) on every build to catch known CVEs in open source.
  • Static Application Security Testing (SAST) and secrets scanning on every pull request.
  • Annual third-party penetration test of the platform. Executive summary available under NDA.
  • Critical vulnerabilities are remediated within 7 days, high within 30 days, medium within 60 days, and low within 90 days.

5. Access Control and Identity

Principle of least privilege

Every BrainCX employee, contractor, and service account is granted only the minimum access required to perform their role. Access reviews run quarterly with the asset owner. Privileged production access is granted just in time, requires ticketed justification, and is automatically revoked.

Authentication
  • Multi-factor authentication is enforced for all BrainCX personnel across all systems holding customer data.
  • Single sign-on (SSO) via SAML 2.0 and OIDC is available on Enterprise plans. Customer administrators can require SSO for all of their users.
  • Customer end-user authentication can be federated to the client’s identity provider so that agent and supervisor accounts inherit the client’s password and MFA policies.
  • Service accounts use short-lived credentials issued by the cloud provider’s identity service. Static long-lived secrets are not used for production access.
Authorization
  • Role-based access control (RBAC) governs application and infrastructure permissions.
  • Granular roles separate platform administrators, tenant administrators, supervisors, agents, and read-only auditors.
  • All authorization decisions are evaluated server-side. No security-relevant logic is enforced only in the client.
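
The following Go program is an added example (not BrainCX code) of how the tenant-isolation rule in section 4 and the server-side RBAC described above meet at one chokepoint: every read passes through authorize, which checks the tenant boundary before the role matrix and the row-level rule, reports cross-tenant rows as not-found so the API is not an existence oracle, and crossTenantProbe is the kind of automated check a deployment pipeline can run against a fixture. The roles are the five named above; the store, transcript rows and principals are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Role string

const (
	PlatformAdmin Role = "platform_admin"
	TenantAdmin   Role = "tenant_admin"
	Supervisor    Role = "supervisor"
	Agent         Role = "agent"
	Auditor       Role = "auditor"
)

const ReadTranscript, DeleteTranscript = "transcript:read", "transcript:delete"

// permissions is the server-side role matrix; a client may hide a button but never decides.
var permissions = map[Role]map[string]bool{
	PlatformAdmin: {ReadTranscript: true, DeleteTranscript: true},
	TenantAdmin:   {ReadTranscript: true, DeleteTranscript: true},
	Supervisor:    {ReadTranscript: true},
	Agent:         {ReadTranscript: true},
	Auditor:       {ReadTranscript: true},
}

// Principal is taken from the verified session, never from request fields.
type Principal struct {
	ID, Tenant string
	Role       Role
}

type Transcript struct{ ID, Tenant, AgentID, Text string }

// A row in another tenant reports ErrNotFound exactly like a missing row, so
// the API cannot be used to learn which transcript IDs other tenants hold.
var ErrNotFound, ErrForbidden = errors.New("transcript not found"), errors.New("forbidden")

type Store struct{ rows []Transcript }

// authorize is the single chokepoint: tenant boundary first, then the role
// matrix, then row-level rules.
func authorize(p Principal, action string, row Transcript) error {
	if p.Role != PlatformAdmin && row.Tenant != p.Tenant {
		return ErrNotFound
	}
	if !permissions[p.Role][action] {
		return ErrForbidden
	}
	if p.Role == Agent && row.AgentID != p.ID {
		return ErrForbidden // agents see only their own conversations
	}
	return nil
}

func (s *Store) Get(p Principal, id string) (Transcript, error) {
	for _, r := range s.rows {
		if r.ID == id {
			if err := authorize(p, ReadTranscript, r); err != nil {
				return Transcript{}, err
			}
			return r, nil
		}
	}
	return Transcript{}, ErrNotFound
}

// crossTenantProbe is the deployment-time check: every non-platform principal
// tries to read every row outside its tenant; any success is a violation.
func crossTenantProbe(s *Store, principals []Principal) []string {
	var violations []string
	for _, p := range principals {
		if p.Role == PlatformAdmin {
			continue
		}
		for _, r := range s.rows {
			if _, err := s.Get(p, r.ID); err == nil && r.Tenant != p.Tenant {
				violations = append(violations, p.ID+" read "+r.ID)
			}
		}
	}
	return violations
}

func main() {
	s := &Store{rows: []Transcript{ // constructed fixture: two tenants, one store
		{"t1", "acme", "agent-1", "acme call one"},
		{"t2", "acme", "agent-2", "acme call two"},
		{"t3", "globex", "agent-9", "globex call one"},
	}}
	principals := []Principal{
		{"agent-1", "acme", Agent}, {"sup-1", "acme", Supervisor},
		{"audit-9", "globex", Auditor}, {"root", "platform", PlatformAdmin},
	}
	fmt.Println("violations:", crossTenantProbe(s, principals))
	_, err := s.Get(principals[2], "t1") // globex auditor asking for an acme row
	fmt.Println("cross-tenant read:", err)
}
```

Two design points carry most of the value. The tenant check runs before the permission check, so a tenant administrator with every permission in the matrix still cannot touch another tenant's rows, and the cross-tenant error is indistinguishable from a missing row. The probe runs against a fixture in the pipeline, not against production data, and a non-empty result fails the deployment.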
Audit logging

BrainCX produces immutable audit logs for authentication events, configuration changes, data access, and administrative actions. Logs are written to append-only storage, retained for at least 12 months, and exported to customer SIEM platforms on request.
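
An added example (not BrainCX code) of what makes an audit log tamper-evident rather than merely append-only: each entry carries the SHA-256 of the previous one, so editing, reordering or deleting an entry breaks the chain, and anchoring the head hash somewhere the log writer cannot reach makes truncation detectable as well. The event fields, timestamps and actor names are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is one audit record. Prev holds the hash of the preceding entry, so
// the log is a chain: altering or dropping any entry breaks every link after it.
type Entry struct {
	Seq    int    `json:"seq"`
	Actor  string `json:"actor"`
	Tenant string `json:"tenant"`
	Action string `json:"action"`
	Target string `json:"target"`
	TS     string `json:"ts"`
	Prev   string `json:"prev"`
	Hash   string `json:"hash"`
}

var genesis = strings.Repeat("0", 64)

// hashEntry covers every field except Hash itself; json.Marshal of a struct
// emits fields in declaration order, which gives a canonical encoding.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is append-only by construction: nothing here edits or removes.
type AuditLog struct{ entries []Entry }

func (l *AuditLog) Append(actor, tenant, action, target, ts string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), Actor: actor, Tenant: tenant,
		Action: action, Target: target, TS: ts, Prev: prev}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// Head is the latest hash. Anchoring it where the log writer cannot reach
// (a customer SIEM, a WORM bucket) is what makes truncation detectable.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].Hash
}

// Entries returns a copy for export or verification.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Verify walks the chain and returns the index of the first bad entry, or
// len(entries) if the chain is internally consistent but does not end at
// expectedHead (truncated or replaced), or -1 if everything checks out.
func Verify(entries []Entry, expectedHead string) (int, error) {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev || hashEntry(e) != e.Hash {
			return i, fmt.Errorf("entry %d: chain broken", i)
		}
		prev = e.Hash
	}
	if prev != expectedHead {
		return len(entries), fmt.Errorf("head mismatch: log truncated or replaced")
	}
	return -1, nil
}

func main() {
	var l AuditLog // constructed sample events
	l.Append("alice", "acme", "auth.login", "console", "2026-05-01T10:00:00Z")
	l.Append("alice", "acme", "transcript.read", "t1", "2026-05-01T10:01:00Z")
	l.Append("bob", "acme", "config.update", "agent-7", "2026-05-01T10:02:00Z")
	head := l.Head()
	fmt.Println(Verify(l.Entries(), head)) // -1 <nil>

	tampered := l.Entries()
	tampered[1].Actor = "mallory" // rewrite history without recomputing hashes
	fmt.Println(Verify(tampered, head))        // 1 entry 1: chain broken
	fmt.Println(Verify(l.Entries()[:2], head)) // 2 head mismatch: log truncated or replaced
}
```

The chain on its own only proves internal consistency: an attacker who can rewrite the whole file can recompute every hash. The anchored head is what closes that gap, which is why exporting the log (and its head) to a customer-controlled SIEM, as the paragraph above offers, is a security control and not just a convenience.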

6. Secure Software Development

BrainCX engineering practices are designed to surface security issues early and prevent regressions. Every change follows the same pipeline regardless of urgency.

Development practices
  • Mandatory peer review on every code change. No direct commits to production branches.
  • Branch protection rules enforce status checks, signed commits, and review approvals.
  • Security-relevant changes require sign-off from the security review pool.
  • Threat modeling sessions for new services and material architectural changes.
  • Secure coding training for all engineers on hire and annually thereafter.
Build and deploy
  • Automated CI/CD pipeline runs unit tests, integration tests, SAST, dependency scanning, container scanning, and secrets detection.
  • Reproducible builds with signed artifacts. Production deploys verify signatures before execution.
  • Infrastructure as code (Terraform) with peer review. No manual production console changes.
  • Separate environments for development, staging, and production with no shared credentials.
  • Blue-green and canary deployments with automatic rollback on error budget breaches.
Dependency and supply chain hygiene

BrainCX maintains a Software Bill of Materials (SBOM) for every production service. Dependencies are pinned to known good versions. Automated tooling alerts on newly disclosed vulnerabilities affecting any direct or transitive dependency. Critical patches reach production within established remediation windows.
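
As an added example (not BrainCX's build tooling), a deploy gate that implements the signed-artifact and SBOM promises above: the build signs a manifest binding service, version, artifact digest and SBOM digest with Ed25519, and the deployer verifies that signature and recomputes both digests over the bytes it is about to run before anything executes. In-process key generation, the service name, and the artifact and SBOM bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the object CI signs. It pins the artifact and SBOM digests
// and names the service and version, so a valid signature cannot be moved
// onto a different binary, a different SBOM, or a different release.
type Manifest struct {
	Service    string `json:"service"`
	Version    string `json:"version"`
	Digest     string `json:"sha256"`
	SBOMDigest string `json:"sbom_sha256"`
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// newSigningKey stands in for the CI key pair; in practice the private half
// lives in the build system's KMS or HSM and only the public half ships to deployers.
func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease runs at the end of the build: it returns the manifest and an
// Ed25519 signature over its JSON encoding (struct field order is fixed, so
// the encoding is canonical for this type).
func SignRelease(priv ed25519.PrivateKey, service, version string, artifact, sbom []byte) (Manifest, []byte) {
	m := Manifest{Service: service, Version: version, Digest: digest(artifact), SBOMDigest: digest(sbom)}
	enc, _ := json.Marshal(m)
	return m, ed25519.Sign(priv, enc)
}

// VerifyBeforeDeploy is the deploy gate. It fails closed on a bad signature,
// a manifest for the wrong service, or bytes that do not match the digests.
func VerifyBeforeDeploy(pub ed25519.PublicKey, wantService string, m Manifest, sig, artifact, sbom []byte) error {
	enc, _ := json.Marshal(m)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, enc, sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Service != wantService {
		return fmt.Errorf("manifest is for %q, deploy requested %q", m.Service, wantService)
	}
	if digest(artifact) != m.Digest {
		return errors.New("artifact bytes do not match signed digest")
	}
	if digest(sbom) != m.SBOMDigest {
		return errors.New("SBOM does not match signed digest")
	}
	return nil
}

func main() {
	pub, priv := newSigningKey()
	artifact := []byte("constructed image bytes for voice-gateway 1.4.2")
	sbom := []byte(`{"components":[{"name":"libopus","version":"1.4"}]}`)
	m, sig := SignRelease(priv, "voice-gateway", "1.4.2", artifact, sbom)

	fmt.Println("genuine release:", VerifyBeforeDeploy(pub, "voice-gateway", m, sig, artifact, sbom))
	fmt.Println("swapped binary: ", VerifyBeforeDeploy(pub, "voice-gateway", m, sig, append([]byte("x"), artifact...), sbom))
	bumped := m
	bumped.Version = "9.9.9" // edited after signing
	fmt.Println("edited manifest:", VerifyBeforeDeploy(pub, "voice-gateway", bumped, sig, artifact, sbom))
}
```

The order of checks matters: the signature is verified first so that every later comparison is against values an attacker could not have written, and the digest is recomputed over the bytes the deployer actually holds rather than trusting a digest supplied alongside them. Signing the SBOM digest in the same manifest is what lets a later vulnerability alert be matched to exactly the dependency set that shipped.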

7. AI and Conversation Data

Voice and chat data is the lifeblood of the BrainCX platform, and the area where customers (and their auditors) ask the hardest questions. This section addresses how we handle conversation data, model training, and AI-specific risks.

Conversation data ownership

Customers own their conversation data. BrainCX is a processor acting on customer instructions. We do not sell, share, or commercialize customer conversations. Data Processing Agreements (DPAs) are executed before processing begins.

Model training and tenant isolation
  • Customer conversations are not used to train foundation models without explicit, written, revocable consent.
  • Agent clones are trained on a single customer’s calls and remain isolated to that customer’s tenant. There is no cross-pollination between tenants.
  • Where a customer opts in to contribute to shared model improvements, contributions are de-identified, PII-redacted, and reviewed before incorporation.
  • Customers can request deletion of training data and resulting model artifacts at any time, with documented confirmation of removal.
PII and PHI redaction

Live conversation pipelines include automated redaction for common categories of sensitive data, including names, account numbers, social security numbers, payment card numbers, dates of birth, and medical identifiers. Redaction occurs prior to logging, prior to storage in transcript archives, and prior to any downstream analytics. Customers configure the redaction policy that matches their regulatory environment.
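
As an added example (not the BrainCX redaction pipeline), a Go redaction pass over transcript turns covering several of the categories listed above. The card rule applies a Luhn check so that a long order or ticket number is not mistaken for a card; the other rules are pattern-only. The sample turns are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The patterns are deliberately broad. The card pattern is then confirmed
// with a Luhn check so that order numbers and ticket IDs are left intact.
var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe  = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
	dobRe   = regexp.MustCompile(`\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	acctRe  = regexp.MustCompile(`(?i)\b(account|acct|member)\s*(?:#|no\.?|number)?\s*:?\s*\d{6,12}\b`)
)

// luhnValid reports whether a digit string passes the Luhn checksum that
// every major payment card number satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func redactCards(s string) string {
	return cardRe.ReplaceAllStringFunc(s, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			return "[CARD]"
		}
		return m // a long digit run that is not a card number
	})
}

// Redact is applied to every transcript turn before it is logged, archived
// or handed to analytics. The account rule keeps the label and drops the digits.
func Redact(turn string) string {
	turn = ssnRe.ReplaceAllString(turn, "[SSN]")
	turn = redactCards(turn)
	turn = dobRe.ReplaceAllString(turn, "[DOB]")
	turn = emailRe.ReplaceAllString(turn, "[EMAIL]")
	turn = acctRe.ReplaceAllString(turn, "${1} [ACCOUNT]")
	return turn
}

func main() {
	turns := []string{ // constructed transcript turns
		"Sure, my card is 4111 1111 1111 1111 and my SSN is 123-45-6789.",
		"Order ref 1234 5678 9012 3456 should ship tomorrow.",
		"DOB 03/14/1985, email jane.doe@example.com, account number 00123456.",
	}
	for _, t := range turns {
		fmt.Println(Redact(t))
	}
}
```

Pattern matching is a baseline, not the whole job. Voice transcripts often render digits as words ("four one one one") or split them across turns, and names and medical identifiers have no regular shape at all; those categories need a trained entity recognizer in front of a regex layer like this one, and the customer-configured policy decides which categories are switched on for a given workload.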

Voice cloning consent

BrainCX requires documented consent from each agent whose voice is cloned. Cloned voices are bound to the originating customer’s tenant and cannot be exported or used outside the platform. Customers can revoke a clone at any time through the administrative console, and the underlying voice artifacts are purged within established SLAs.

AI safety controls
  • Content filters block the generation of harmful, biased, or out-of-policy responses.
  • Hallucination mitigation through retrieval grounding, source citation, and confidence thresholds.
  • Human-in-the-loop fallback for low-confidence or high-stakes conversations. Customers set the threshold.
  • Real-time monitoring for prompt injection, jailbreaks, and adversarial inputs.
  • Conversation transcripts are retained for QA review subject to customer-defined retention policies.

8. Incident Response and Resilience

Incident response program

BrainCX maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. The plan is tested at least annually through tabletop exercises and is updated based on lessons learned.

Detection and monitoring
  • 24/7 alerting on security events from infrastructure, applications, and identity providers.
  • Centralized log aggregation with anomaly detection on authentication, privileged access, and data exfiltration patterns.
  • Endpoint detection and response (EDR) on all employee devices with central visibility.
Customer notification

BrainCX notifies affected customers of confirmed security incidents involving their data without undue delay, in accordance with contractual obligations and applicable law. For incidents involving PHI, notification follows the timelines required by the HIPAA Breach Notification Rule and the terms of the executed BAA.

Business continuity and disaster recovery

Metric                             Target
Platform uptime SLA (Enterprise)   99.9%
Conversation latency               Sub-300ms median for AI response
Recovery Time Objective (RTO)      4 hours for full platform restoration
Recovery Point Objective (RPO)     15 minutes for customer data
Backup frequency                   Continuous for databases, daily snapshots for object stores
Backup retention                   30 days standard, longer on Enterprise contracts
DR testing cadence                 Annual full-region failover test

9. Vendor and Personnel Security

Vendor risk management

BrainCX maintains an inventory of subprocessors and third-party services that have access to customer data. Each vendor undergoes a security review prior to engagement and is re-assessed annually. The current subprocessor list is published and customers are notified of material changes in accordance with the DPA.

Personnel security
  • Background checks for all employees and contractors with access to customer data, subject to local law.
  • Mandatory security and privacy awareness training on hire and annually thereafter.
  • Role-specific training for engineering, support, and customer success staff who interact with customer data.
  • Written confidentiality agreements with every employee and contractor.
  • Documented access revocation procedures triggered on termination or role change. SLA for revocation is 24 hours, with critical systems revoked the same day.
Acceptable use and device security
  • Company-managed devices with disk encryption, automatic patching, screen lock policies, and EDR.
  • Personal devices are prohibited from accessing customer regulated data.
  • Removable media use is blocked by policy and technical controls.

10. Privacy and Data Subject Rights

BrainCX honors the rights of individuals whose data we process on behalf of customers. Where the customer is the controller, BrainCX assists with the fulfillment of the following rights within the timelines required by applicable law:

  • Right to access personal data held about them.
  • Right to rectification of inaccurate data.
  • Right to erasure (also known as the right to be forgotten).
  • Right to restrict or object to processing.
  • Right to data portability in a structured, commonly used, machine-readable format.
  • Right to withdraw consent where processing is based on consent.
Data retention

Conversation transcripts, call recordings, and derived analytics are retained according to the customer-configured retention policy. Defaults align to industry norms (90 days for general workloads, longer for regulated workloads where legally required). Upon contract termination, customer data is exported on request and deleted from production systems within 30 days, with backup purges following the standard backup rotation cycle.

International transfers

Where customer data is transferred across borders, BrainCX relies on Standard Contractual Clauses (SCCs), supplementary measures, and (where applicable) approved transfer mechanisms such as the EU-US Data Privacy Framework. Regional residency is available for Enterprise customers with localization requirements.

11. Security Governance

Security is owned at the executive level and operationalized through a cross-functional security program. Roles are defined, documented, and reviewed annually.

Program ownership

Function                       Responsibility
Executive sponsorship          CEO and CRO. Security goals reviewed in monthly executive sessions.
Platform and AI architecture   Head of Technology and AI Architecture. Owns the technical security baseline.
Solutions and implementation   Chief Solutions Officer. Owns client-side security configuration and integration.
Compliance and audit           Designated compliance owner. Manages SOC 2 evidence, audit cadence, and policy reviews.
Personnel security             People operations. Owns hiring, training, and offboarding controls.

Policies

BrainCX maintains a documented set of information security policies covering acceptable use, access control, asset management, change management, cryptography, data classification, incident response, risk management, supplier management, and business continuity. Policies are reviewed at least annually and after material changes to the business or threat landscape.

Risk management

An enterprise risk register is maintained and reviewed quarterly. Risks are assessed for likelihood and impact, assigned an owner, and tracked to mitigation or accepted treatment. Material risks are escalated to executive leadership.

12. Customer Requests and Contact

How to request security documentation

Prospects and customers can request additional documentation through their BrainCX point of contact or through the procurement channel. Materials available under NDA include:

  • SOC 2 Type I report (available now). SOC 2 Type II report (available upon completion).
  • Penetration test executive summary.
  • Business Associate Agreement template.
  • Data Processing Agreement and Standard Contractual Clauses.
  • Subprocessor list with notification mechanism.
  • Architecture diagrams and tenant isolation overview.
  • Completed security questionnaires (SIG, CAIQ, HECVAT for higher education).
Reporting a security concern

BrainCX welcomes responsible disclosure from researchers, customers, and the public. Suspected vulnerabilities, security incidents, or privacy concerns should be reported to the security team using the contact information below. We acknowledge reports within one business day and provide updates through resolution.

Contact

Security inquiries: security@braincx.com

Document control

Version 1.0. Published May 2026. Owner: Compliance. Reviewed annually or upon material change to the security program. This document is provided for informational purposes and does not modify any executed agreement between BrainCX and a customer.