
Data Practices

Data Use Policy

This policy explains how BrainstormMSP collects, processes, stores, and uses data to provide our security compliance and assurance platform.

Last updated: December 22, 2024

01. Overview

BrainstormMSP processes customer data to deliver automated security compliance monitoring, reporting, and remediation services for Managed Service Providers (MSPs) and their clients.

This Data Use Policy supplements our Privacy Policy (/privacy) and provides detailed information about our data processing practices.

02. Types of Data We Process

Account Data: User profile information (name, email, phone number, company), authentication credentials (encrypted passwords, OAuth tokens), billing and payment information, and subscription plan and feature access details. Purpose: Account management, authentication, billing, and service delivery.

Client and Organization Data: Client names, domains, and organizational details, user lists and contact information, organization structure and relationships, and custom tags, notes, and metadata. Purpose: Client management, reporting, and multi-tenant organization.

Security and Compliance Data: Security control evaluation results (pass/fail status, scores), backup verification data (backup age, completeness, restore testing), configuration data from integrated platforms (Microsoft 365, Acronis), compliance framework mappings (CIS, NIST, ISO, SOC 2), risk scores and vulnerability assessments, and evidence and audit artifacts. Purpose: Security monitoring, compliance reporting, risk management, and automated remediation.

Integration Data: PSA integration data (ConnectWise, HaloPSA tickets, companies, contacts), OAuth tokens and API credentials (encrypted), sync status and integration health metrics, and webhook payloads and event data. Purpose: Bi-directional synchronization, automated ticketing, and integration management.

Usage and Analytics Data: Platform usage patterns (features accessed, session duration), performance metrics (page load times, API response times), error logs and diagnostic information, and user actions and interactions. Purpose: Service improvement, troubleshooting, and product development.

AI and Machine Learning Data: Anonymized control evaluation patterns for model training, aggregated risk and compliance trends, and agent performance metrics and optimization data. Purpose: Improving AI agent accuracy, detecting anomalies, and enhancing automation.

03. How We Process and Use Data

Service Delivery: Evaluate security controls, generate compliance reports, create automated tickets, and sync with PSA platforms.

Monitoring and Alerts: Real-time security monitoring, automated daily scans, alert notifications, and anomaly detection.

Analytics and Insights: Risk scoring and trends, compliance dashboards, executive reporting, and benchmarking data.

Platform Operations: Account management, support and troubleshooting, service optimization, and security incident response.

04. Data Storage and Security

Infrastructure: Primary database is DigitalOcean PostgreSQL with row-level security. Hosting on DigitalOcean App Platform (SOC 2 Type II certified). Region: United States data centers. Backup frequency: Automated daily backups with 30-day retention.

Encryption: In transit via TLS 1.2+ for all data transmission. At rest via AES-256 encryption for database storage. Credentials: OAuth tokens and API keys encrypted with separate key management. Passwords: Bcrypt hashing with salt.

Access Controls: Role-based access control (RBAC) with least-privilege principle. Multi-factor authentication (MFA) for administrative access. Audit logging of all data access and modifications. Regular security audits and penetration testing.

05. Data Sharing and Third Parties

We do not sell your data. We share data only with trusted service providers necessary to deliver our services. See our Subprocessors page (/subprocessors) for a complete list.

Categories of Third Parties: Infrastructure providers (Digital Ocean, Supabase, Cloudflare), AI services (Anthropic Claude API), Communication (SendGrid for transactional emails, Resend for notifications), Payment processing (Stripe for credit card processing), and Analytics (PostHog for product analytics, self-hosted).

06. Data Retention

Account data: Retained while your account is active. Security evaluation history: Retained for 2 years for compliance audits. Audit logs: Retained for 1 year. Backups: Retained for 30 days. After account closure: Data deleted or anonymized within 90 days, except as required by law.

07. AI and Machine Learning

BrainstormMSP uses AI agents powered by Anthropic's Claude to automate security evaluations and generate insights.

AI Data Processing: Control evaluation data is sent to Anthropic's API for analysis. Anthropic does not train models on your data (per their commercial terms). API calls are encrypted in transit (TLS 1.2+). No personally identifiable information (PII) is sent to AI services unless necessary for evaluation.

Model Training and Improvement: We may use aggregated, anonymized data to improve our AI agent prompts and evaluation logic. Individual customer data is never used for training without explicit consent.

08. Customer Control and Transparency

Data Access: Export your data at any time via API or platform UI.

Data Correction: Update or correct your data through account settings.

Data Deletion: Request deletion of your account and data at any time.

09. Compliance and Certifications

BrainstormMSP is committed to maintaining compliance with relevant data protection regulations: GDPR compliance for European customers, CCPA compliance for California residents, SOC 2 Type II certification (in progress), and Data Processing Agreements (DPAs) available upon request.

10. Changes to This Policy

We may update this Data Use Policy from time to time. Material changes will be communicated via email or platform notification. The "Last updated" date at the top reflects the most recent changes.

11. Contact Us

Questions about our data practices?

Data Privacy Team: [email protected]

Security Team: [email protected]

General Inquiries: [email protected]
