ENCRYPTION

ENCRYPTION AT REST

All data stored on the Bright Run platform is encrypted at rest using AES-256 encryption. This includes uploaded documents, generated embeddings, training data, model artifacts, and metadata.

Encryption keys are managed through AWS Key Management Service (KMS), ensuring hardware-backed key storage with automatic rotation policies.

ENCRYPTION IN TRANSIT

All data transmitted between your browser, the Bright Run application layer, and backend services is encrypted using TLS 1.2+. This applies to document uploads, API calls, chat interactions, and all internal service-to-service communication.

KEY MANAGEMENT

Encryption keys are managed through AWS KMS with per-organization key isolation. Keys are automatically rotated on a regular schedule. Enterprise customers can bring their own KMS keys (BYOK) for additional control over their encryption lifecycle.