Security and privacy

This page summarizes how Breyta handles customer content, secrets, access control, runtime safety, and third-party provider responsibility.

It complements the Privacy Policy, Terms of Service, Data Processing Agreement, and Subprocessors page for enterprise review.

Key points

• Breyta is GDPR compliant and SOC 2 Type II compliant.
• Breyta does not train its own models on Customer Content.
• Breyta production workloads run on Google Cloud Platform, primarily in EU regions.
• Breyta workflows can use customer-managed databases, storage, APIs, and model providers through bound connections.
• Secrets are stored securely and kept separate from flow definitions.
• Workspace access is role-based and scoped to the customer workspace.

Common questions

Do you use customer content to train your own AI models?

No. Breyta does not train its own models on Customer Content.

How does BYOK affect data processing responsibility?

When you configure third-party AI providers, provider-side processing is governed by your agreement with that provider.

Where is Breyta data hosted?

Breyta uses Google Cloud Platform for core infrastructure, with production workloads primarily hosted in EU regions.

Can we use our own database or infrastructure instead of Breyta-managed storage?

Yes. Breyta workflows can use customer-managed databases, storage, APIs, and model providers through bound connections instead of forcing all durable data into Breyta-managed storage.

How do retention and persistence work?

Workflow history retention is plan-based, up to 365 days on Enterprise. Workspace files and supported persisted resources can use retention and TTL controls within current platform limits, while post-termination deletion and limited post-termination account record retention are described in the Privacy Policy.

How are secrets handled?

Secrets are stored securely and referenced through managed connections and secret refs instead of being embedded in flow definitions.