BeharAI
Security · EU data residency · GDPR

Built carefully. Explained honestly.

We're an early-stage company. We're not going to pretend to be Fort Knox. What we will do: tell you exactly how we handle your data today, what's live in the product, and what we're still working toward.

If you need a DPA, a security questionnaire, or a specific answer — email security@behar.ai.

Encryption at rest and in transit

Everything sensitive is encrypted with AES-256-GCM at rest — including your stored API keys, prompt data, and run results. TLS 1.3 protects anything moving between your browser and our servers. Database volumes are additionally encrypted at the infrastructure level by the hosting provider.

API key handling

When you bring your own OpenAI, Anthropic, Perplexity, Google, or DeepSeek keys, they’re encrypted before storage, kept in a separate table from your workspace data, and never written to logs. You can rotate or revoke them anytime from Settings.

Input validation on sensitive endpoints

Authentication, billing, and data-mutation endpoints validate inputs through Zod schemas before executing. Malformed payloads fail fast at the gate. We’re expanding this coverage across more endpoints each release — it’s not everywhere yet, and we’d rather tell you than claim otherwise.

Data retention you control

Raw LLM responses are kept for your plan’s retention window (30 to 730 days). Aggregated metrics are kept for the duration of your plan. Workspace deletion triggers a soft-delete immediately, followed by a hard purge across all backups within 30 days.

Rate limiting

Per-user rate limits on all expensive actions — runs, content generation, analysis. Redis-backed rolling windows. Abuse patterns trigger automatic lockouts. API keys get their own per-key limit.
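To make the design above concrete, here is an added illustration (not BeharAI's code) of a rolling-window limiter keyed per user and per API key, with an automatic lockout after repeated rejections. It assumes an in-memory Map in place of Redis, and the limit values are placeholders rather than the product's actual settings.

```typescript
// Added illustration of rolling-window rate limiting with per-user and per-key
// limits plus an abuse lockout. An in-memory Map stands in for Redis (assumption);
// limit values are placeholders, not BeharAI's actual configuration.
type Clock = () => number;
interface LimitRule { limit: number; windowMs: number; }
interface Decision { allowed: boolean; reason: "ok" | "rate_limited" | "locked_out"; }

export class RollingWindowLimiter {
  private hits = new Map<string, number[]>();      // key -> timestamps inside the window
  private strikes = new Map<string, number>();     // key -> consecutive rejections
  private lockedUntil = new Map<string, number>(); // key -> lockout expiry (ms)

  constructor(private now: Clock = () => Date.now(),
              private lockoutAfter = 5,
              private lockoutMs = 60_000) {}

  check(key: string, rule: LimitRule): Decision {
    const t = this.now();
    if (t < (this.lockedUntil.get(key) || 0)) return { allowed: false, reason: "locked_out" };
    // Rolling window: keep only hits younger than windowMs, then count them
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < rule.windowMs);
    if (recent.length >= rule.limit) {
      this.hits.set(key, recent);
      const s = (this.strikes.get(key) || 0) + 1;
      if (s >= this.lockoutAfter) {
        // Abuse pattern: repeatedly hammering a limited key earns a temporary lockout
        this.lockedUntil.set(key, t + this.lockoutMs);
        this.strikes.set(key, 0);
        return { allowed: false, reason: "locked_out" };
      }
      this.strikes.set(key, s);
      return { allowed: false, reason: "rate_limited" };
    }
    recent.push(t);
    this.hits.set(key, recent);
    this.strikes.set(key, 0); // a successful request ends the strike run
    return { allowed: true, reason: "ok" };
  }
}

// Placeholder limits: expensive actions are limited per user, and each stored
// API key additionally carries its own limit.
export const RULES: Record<string, LimitRule> = {
  run: { limit: 10, windowMs: 60_000 },
  apiKey: { limit: 100, windowMs: 60_000 },
};

// A run proceeds only if both the user's and the key's windows have room.
export function authorizeRun(limiter: RollingWindowLimiter, userId: string, apiKeyId: string): Decision {
  const user = limiter.check(`user:${userId}:run`, RULES.run);
  return user.allowed ? limiter.check(`key:${apiKeyId}`, RULES.apiKey) : user;
}
```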

Audit log (enterprise)

Enterprise workspaces get a full customer-facing audit log: who did what, when, from where. Every settings change, data export, key rotation, and member action is recorded. Exportable as CSV.

Where we are, honestly

What's real today.

· GDPR-compliant (live): Data processing follows GDPR. Operator is a German-registered business. DPA available on request.

· EU data residency (live): Hosted in the European Union. No cross-border transfers for core platform data by default.

· EU-based operator (live): Behar AI is operated from Stuttgart, Germany. You're contracting with an EU business under EU law.

· Sub-processor transparency (live): Full list of sub-processors (Clerk, Vercel, Firecrawl, LLM providers) published in the Privacy Policy, with the legal basis for each transfer.

We don't list SOC 2, ISO 27001, or HIPAA on this page because we don't have them yet. When we do, we'll say so. Until then, we won't pretend.

What we don't do

The promises we won't make.

· We do not use your brand data, your prompts, your content, or your LLM keys to train any model — ours or anyone else's.

· We do not share workspace data across tenants. Every database query is scoped by workspace ID at the application layer.

· We do not sell, rent, or aggregate customer data for any secondary purpose. No data brokering, no lookalike marketing.

· We do not pretend to have certifications we don't. When SOC 2 is done, we'll say so. Until then, we don't claim it.

· We do not promise uptime SLAs we can't measurably hit. We'll add formal SLAs for enterprise customers when we have the infrastructure and operations to back them.

Have a specific security question? Need the DPA or a SIG-Lite questionnaire?