
Security
Compliance
Built for the most sensitive information in law.
Bronson was built to handle the complexity and sensitivity of modern mass tort litigation. From medical records and claimant files to legal work product and case operations, every layer of the platform is designed to protect the information entrusted to it.
Our security program combines technical safeguards, operational controls, and continuous monitoring to help ensure data remains secure, available, and accessible only to authorized users.
SOC 2 Type II
Bronson is actively pursuing SOC 2 Type II certification to validate the effectiveness of our security controls, operational processes, and data management practices.
HIPAA
Bronson is designed to support the secure handling of protected health information, with safeguards aligned to the administrative, technical, and physical requirements of HIPAA.
Security Program
Our security program includes continuous monitoring, access management, audit logging, vulnerability management, and vendor review processes across the organization.
For details on our current security posture, request our security documentation.

Data Protection
Protecting your data
Bronson employs multiple layers of protection across the platform, including encryption, access controls, infrastructure security, and continuous monitoring. These safeguards work together to help ensure sensitive information remains protected throughout its lifecycle.
Encryption
All data is encrypted in transit and at rest using industry-standard encryption protocols. Encryption keys are managed through dedicated key management systems with regular rotation.
Access Controls
Role-based permissions, multi-factor authentication, least-privilege access policies, and ongoing access reviews help ensure information is only available to authorized users.
Infrastructure
Bronson runs on modern cloud infrastructure with network isolation, continuous monitoring, automated backups, and regular vulnerability assessments.
Data lifecycle
How your data moves through Bronson.
Every stage of the lifecycle carries its own safeguard — from the moment a record arrives to the day it is deleted. This is the path data takes, and what protects it at each step.
Ingest
Encrypted in transit
Records arrive over encrypted connections — TLS protects every upload and transfer on the wire, so data is never carried in plaintext between systems.
Encrypt
AES at rest, KMS-managed keys
Once received, data is encrypted at rest with AES-256. The keys live in a dedicated key-management service, held separately from the data they protect and rotated on a regular schedule.
Extract
Isolated processing
Extraction runs inside private, network-isolated environments with no public ingress. The compute that reads sensitive records is segmented from the open internet.
Store (graph)
Audit-logged storage
Structured records and the knowledge graph are persisted in access-controlled stores, and every read and write is recorded in an audit log that can be reviewed after the fact.
Access
Least-privilege RBAC + MFA
People reach data through role-based, least-privilege permissions enforced with multi-factor authentication — each person sees only what their work on a matter requires, and access is reviewed over time.
Retain / Delete
Defined retention
Data is kept only as long as the engagement and the law require. Defined retention windows govern how long records live, and information is deleted or returned at the end of the relationship.
Data at rest
Sealed, keyed, and isolated.
At rest, the corpus and the knowledge graph are encrypted with AES-256, behind keys managed and rotated in a dedicated key-management service, inside private networks with no public ingress. The most sensitive information in law is held the way it should be.

Protected health information
Handling protected health information.
Mass tort work runs on medical records, so protected health information sits at the center of the platform. Bronson treats PHI as a distinct class of data: handled in line with HIPAA, confined to the people and systems that genuinely need it, and never carried into places it does not belong.
Administrative, technical, and physical safeguards
PHI is handled under safeguards aligned to HIPAA's three pillars: administrative — policies, workforce training, and access governance; technical — encryption, access control, and audit logging; and physical — controls over the facilities and devices that touch data.
Minimum-necessary access
Access to PHI follows the minimum-necessary principle. People and services are granted only the information needed for the work in front of them, and access is reviewed rather than left standing.
Business Associate Agreements
Where Bronson handles PHI on behalf of a covered entity or another business associate, it operates under a Business Associate Agreement that sets out each party's obligations for protecting that information.
PHI segregated from analytics
Protected health information is kept separate from product analytics and marketing systems. Operational telemetry is designed to run on de-identified or non-PHI data, so sensitive records are never repurposed for measurement.
Hosting & sub-processors
Where Bronson runs.
Bronson runs on modern cloud infrastructure: isolated networks, automated backups, and continuous monitoring. A small, vetted set of sub-processors supports the platform — the authoritative, current list is available on request.
Modern cloud infrastructure
Bronson runs on established cloud providers, using hardened, managed baseline services rather than self-administered hardware.
Isolated networks
Production runs in private networks with controlled ingress, and environments are segmented so workloads cannot reach across boundaries.
Automated backups
Data is backed up automatically, and recovery is exercised as part of operations so the backups are known to restore.
Continuous monitoring
Infrastructure, access, and activity are monitored continuously, with alerting on anomalous behavior.
Sub-processor register
Placeholder — pending confirmation
| Sub-processor | Purpose | Region |
|---|---|---|
| ‹VERIFY› | Cloud infrastructure & hosting | ‹VERIFY› |
| ‹VERIFY› | Backup & storage | ‹VERIFY› |
| ‹VERIFY› | Monitoring, logging & alerting | ‹VERIFY› |
The authoritative, current sub-processor register and security posture are available on request — request our security documentation.
FAQ
Security questions, answered.
Where is our data stored?
Who can access our data?
How is protected health information handled?
How is data encrypted?
What certifications do you hold?
How do we report a vulnerability?
Report a vulnerability.
We welcome responsible disclosure from security researchers and members of the security community. If you discover a potential vulnerability, please contact data@brnsn.xyz with a description of the issue, steps to reproduce it, and any supporting information.
We review every report, acknowledge submissions promptly, and work to investigate and remediate confirmed issues as quickly as possible.