
Data Use Policy

Last updated: December 22, 2024

Transparent Data Practices

This policy explains how BrainstormMSP collects, processes, stores, and uses data to provide our security compliance and assurance platform.

1. Overview

BrainstormMSP processes customer data to deliver automated security compliance monitoring, reporting, and remediation services for Managed Service Providers (MSPs) and their clients.

This Data Use Policy supplements our Privacy Policy and provides detailed information about our data processing practices.

2. Types of Data We Process

Account Data

  • User profile information (name, email, phone number, company)
  • Authentication credentials (encrypted passwords, OAuth tokens)
  • Billing and payment information
  • Subscription plan and feature access details

Purpose: Account management, authentication, billing, and service delivery

Client and Organization Data

  • Client names, domains, and organizational details
  • User lists and contact information
  • Organization structure and relationships
  • Custom tags, notes, and metadata

Purpose: Client management, reporting, and multi-tenant organization

Security and Compliance Data

  • Security control evaluation results (pass/fail status, scores)
  • Backup verification data (backup age, completeness, restore testing)
  • Configuration data from integrated platforms (Microsoft 365, Acronis)
  • Compliance framework mappings (CIS, NIST, ISO, SOC 2)
  • Risk scores and vulnerability assessments
  • Evidence and audit artifacts

Purpose: Security monitoring, compliance reporting, risk management, and automated remediation

Integration Data

  • PSA integration data (ConnectWise, HaloPSA tickets, companies, contacts)
  • OAuth tokens and API credentials (encrypted)
  • Sync status and integration health metrics
  • Webhook payloads and event data

Purpose: Bi-directional synchronization, automated ticketing, and integration management

Usage and Analytics Data

  • Platform usage patterns (features accessed, session duration)
  • Performance metrics (page load times, API response times)
  • Error logs and diagnostic information
  • User actions and interactions

Purpose: Service improvement, troubleshooting, and product development

AI and Machine Learning Data

  • Anonymized control evaluation patterns for model training
  • Aggregated risk and compliance trends
  • Agent performance metrics and optimization data

Purpose: Improving AI agent accuracy, detecting anomalies, and enhancing automation

3. How We Process and Use Data

Service Delivery

  • Evaluate security controls
  • Generate compliance reports
  • Create automated tickets
  • Sync with PSA platforms

Monitoring & Alerts

  • Real-time security monitoring
  • Automated daily scans
  • Alert notifications
  • Anomaly detection

Analytics & Insights

  • Risk scoring and trends
  • Compliance dashboards
  • Executive reporting
  • Benchmarking data

Platform Operations

  • Account management
  • Support and troubleshooting
  • Service optimization
  • Security incident response

4. Data Storage and Security

Infrastructure

  • Primary database: Supabase (PostgreSQL 15) with row-level security
  • Hosting: Digital Ocean App Platform (SOC 2 Type II certified)
  • Region: United States data centers
  • Backup frequency: Automated daily backups with 30-day retention

Encryption

  • In transit: TLS 1.2+ for all data transmission
  • At rest: AES-256 encryption for database storage
  • Credentials: OAuth tokens and API keys encrypted with separate key management
  • Passwords: Bcrypt hashing with salt

Access Controls

  • Role-based access control (RBAC) with least-privilege principle
  • Multi-factor authentication (MFA) for administrative access
  • Audit logging of all data access and modifications
  • Regular security audits and penetration testing

5. Data Sharing and Third Parties

We do not sell your data. We share data only with trusted service providers necessary to deliver our services. See our Subprocessors page for a complete list.

Categories of Third Parties

  • Infrastructure providers: Digital Ocean, Supabase, Cloudflare
  • AI services: Anthropic (Claude Sonnet 4.5 API)
  • Communication: SendGrid (transactional emails), Resend (notifications)
  • Payment processing: Stripe (credit card processing)
  • Analytics: Posthog (product analytics, self-hosted)

6. Data Retention

  • Account data: Retained while your account is active
  • Security evaluation history: Retained for 2 years for compliance audits
  • Audit logs: Retained for 1 year
  • Backups: Retained for 30 days
  • After account closure: Data deleted or anonymized within 90 days, except as required by law

7. AI and Machine Learning

BrainstormMSP uses AI agents powered by Anthropic's Claude Sonnet 4.5 to automate security evaluations and generate insights.

AI Data Processing

  • Control evaluation data is sent to Anthropic's API for analysis
  • Anthropic does not train models on your data (per their commercial terms)
  • API calls are encrypted in transit (TLS 1.2+)
  • No personally identifiable information (PII) is sent to AI services unless necessary for evaluation

Model Training and Improvement

We may use aggregated, anonymized data to improve our AI agent prompts and evaluation logic. Individual customer data is never used for training without explicit consent.

8. Customer Control and Transparency

Data Access

Export your data at any time via API or platform UI

Data Correction

Update or correct your data through account settings

Data Deletion

Request deletion of your account and data at any time

9. Compliance and Certifications

BrainstormMSP is committed to maintaining compliance with relevant data protection regulations:

  • GDPR compliance for European customers
  • CCPA compliance for California residents
  • SOC 2 Type II certification (in progress)
  • Data Processing Agreements (DPAs) available upon request

10. Changes to This Policy

We may update this Data Use Policy from time to time. Material changes will be communicated via email or platform notification. The "Last updated" date at the top reflects the most recent changes.

11. Contact Us

Questions about our data practices?

Data Privacy Team: [email protected]

Security Team: [email protected]

General Inquiries: [email protected]