Security

Security

BRICQS is built on enterprise-grade security infrastructure. This page covers the platform-level controls and the per-project settings you can configure.

Authentication

All API requests are authenticated using Bearer tokens (API keys or short-lived JWTs). The platform uses its own auth backend — no third-party identity provider is embedded in the data path.

API keysLong-lived tokens for server-side callers. Scoped to a project and a permission set. Revocable instantly.JWT sessionsShort-lived (1-hour) access tokens issued at login. Refreshed automatically by the console.Platform adminTwo-factor authentication required. Admin role is separate from project-level roles.

Data encryption

  • In transit — TLS 1.2+ enforced on all endpoints. HTTP is redirected to HTTPS.
  • At rest — Database data encrypted with AES-256. Secret values encrypted at the application layer before storage.
  • Model weights — Container images stored in the BRICQS private container registry with no public pull access.

Network isolation

BRICQS deployments run with the following network controls:

  • All inbound traffic routes through the BRICQS edge router — direct deployment FQDN access is not advertised.
  • Container-to-container traffic within a project uses BRICQS private networking and does not traverse the public internet.
  • Egress from containers is unrestricted by default; restrict with outbound traffic rules in the Security settings panel.

Security flags

The Security panel in the console surfaces platform-level security signals for your account:

Exposed API keyAn API key was used from an unusual IP or User-Agent pattern suggesting it may have leaked.High error rateA deployment is returning ≥10% 5xx responses; may indicate a compromised or broken container.Unusual accessAdmin API calls from a new device or location within the last 24 hours.Stale keysAPI keys older than 90 days with active usage — consider rotation.

Governance & audit

Every privileged action — deployments created or stopped, secrets changed, API keys issued or revoked, user roles modified — is written to an append-only audit log. See the Governance docs for querying and exporting the audit log.

Responsible AI content controls

BRICQS deployments run open-weight models on dedicated infrastructure — the platform does not intercept model inputs or outputs. Content filtering, topic restriction, and safety classifiers must be implemented at the application layer (in the calling code or as a custom inference wrapper). The Governance panel supports per-project policy rules that can flag or block audit-logged events by pattern; this is not a real-time inference filter but an audit and alerting mechanism.

Note: If you require real-time content filtering at inference time, deploy a safety classifier as a BRICQS deployment in front of your primary model deployment and route through the edge.

Vulnerability disclosure

To report a security vulnerability, email security@bricqsai.com. We respond within 48 hours and follow coordinated disclosure. Do not file public issues for security reports.