We treat your client data like it's our own.
BriefHQ is built for agencies that handle confidential client information every day — pitches, brand strategy, internal numbers. Here's exactly how we keep it safe.
How we protect your data
EU-hosted by default
All BriefHQ data — briefs, accounts, files — is stored on infrastructure based in the European Union. We do not move customer data outside the EU without explicit consent.
Encrypted in transit & at rest
Every connection uses TLS 1.2+. All databases, backups, and file storage are encrypted at rest with AES-256 keys managed by our cloud provider.
Row-level isolation
Every project, brief, and file is scoped to your agency at the database layer with Postgres row-level security. Your data is never queryable from another agency's account.
Least-privilege auth
Roles are owner / admin / member. Long-lived API keys live only on the server. Client-facing keys are publishable-only and cannot read other agencies' data.
Backups & recovery
Point-in-time backups run continuously, with a 7-day recovery window on all plans and an extended window on the Team plan. Database changes are versioned and reviewed.
GDPR-aligned
We are GDPR-compliant by design — data minimisation, lawful basis for every processor, and a documented sub-processor list. DPA available on request for Pro & Team.
Operational practices
- Mandatory 2FA for all team members of NovaPath Studios with access to production
- All third-party integrations vetted, with a documented sub-processor list
- Secrets stored in a managed vault — never in source code
- Production access is audit-logged
- Dependency vulnerabilities scanned on every deploy
- No customer data is used to train any AI model — your briefs stay yours
Your control
You own your data. Export any brief as PDF or DOCX at any time. Delete your account from settings and we permanently remove your data within 30 days, except where retention is required by law.
Found a vulnerability?
We take responsible disclosure seriously. Email hello@briefhq.net and we'll respond within one business day.