Trust & Safety

Security at Brunoise AI

Your health data is sensitive. We take security seriously at every level — from the code we write to the infrastructure we run.

How We Protect You

Security Practices

Encryption in Transit

Active

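All data transmitted between your device and our servers is encrypted using TLS 1.3. We enforce HTTPS everywhere and use HSTS (HTTP Strict Transport Security), which tells browsers to refuse plain-HTTP connections to our domain, to prevent downgrade attacks.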

Encryption at Rest

Active

Your personal data, including meal logs and health information, is encrypted at rest using AES-256. Encryption keys are managed using industry best practices.

Sign in with Apple

Active

We support Sign in with Apple, which uses Apple's privacy-preserving authentication system. We never receive or store your Apple ID password.

Minimal Data Access

Active

Only a small number of engineers have access to production systems, and only when necessary. All access is logged and audited.

Incident Response

Active

We maintain a documented incident response plan. In the event of a breach that affects your data, we will notify you within 72 hours as required by law.

Regular Security Reviews

Planned Q3 2026

Our code undergoes regular internal security reviews. We plan to commission third-party penetration testing as the product matures.

Bug Bounty

Responsible Disclosure

We welcome security research and responsible disclosure. If you've discovered a vulnerability, please reach out before publishing — we'll work quickly to address it and credit you publicly if you'd like.

In Scope

  • Authentication and authorization vulnerabilities
  • Injection attacks (SQL, XSS, etc.)
  • Insecure direct object references
  • Sensitive data exposure
  • Security misconfigurations
  • Broken access control

Out of Scope

  • Denial of service attacks
  • Social engineering of Brunoise AI staff
  • Physical attacks against our infrastructure
  • Issues in third-party services we use
  • Automated scanning results without a demonstrated proof of concept

Report a Vulnerability

Please encrypt your report using our PGP key (available on request) and send it to:

security@brunoiseai.com

We aim to acknowledge reports within 24 hours and provide a fix timeline within 7 days.