Security & Compliance

​

Our Security Commitment

At Brew, we understand that email marketing involves handling sensitive customer data. We’re committed to implementing robust security practices to protect your data and maintain your trust.

​

Responsible Disclosure

If you believe you’ve found a security issue, please notify security@brew.new.

​

Security Overview

​

Security Framework

Our security program is built on these core principles:

​

Least Privilege

Access is limited to only those with legitimate business needs, based on the principle of least privilege. We implement strict role-based access controls and regular access reviews.

​

Consistency

Security controls are applied consistently across all areas of our infrastructure and operations to ensure comprehensive protection.

​

Defense in Depth

We implement security controls in layers according to the principle of defense-in-depth, ensuring that if one control fails, others remain in place to protect your data.

​

Continuous Improvement

Our implementation of controls is iterative, continuously improving effectiveness and reducing friction as we grow and as the threat landscape evolves.

​

Data Protection

​

Data at Rest

All datastores are encrypted at rest using industry-standard AES-256 encryption. Sensitive collections and tables also use row-level encryption for additional protection.

​

Data in Transit

Brew uses TLS 1.3 or higher everywhere data is transmitted over potentially insecure networks, ensuring that all communications between our services and to end users are encrypted.

​

Data Backup

Brew backs up all production data using a point-in-time approach. Backups are persisted for 30 days and are globally replicated for resiliency against regional disasters.

​

Data Residency

Brew primarily processes and stores data in the United States. For customers with specific data residency requirements, please reach out and we’ll be happy to help.

​

Technical Security

​

Infrastructure Security

Brew’s infrastructure is hosted on AWS with multiple security layers:

• Network Security: VPC isolation, security groups, and network ACLs
• DDoS Protection: Cloudflare and AWS Shield for DDoS mitigation
• WAF: Web Application Firewall for common attack protection
• Intrusion Detection: Real-time monitoring for suspicious activities

​

Authentication and Authorization

• Multi-factor Authentication: Planned feature, will be available for all accounts in the future
• Password Policies: Strong password requirements enforced
• Session Management: Secure session handling with automatic termination
• Role-Based Access Control: Fine-grained permissions system

​

Development Security

• Secure Development Lifecycle: Security integrated throughout our development process
• Code Review: Security-focused code reviews for all changes
• Dependency Scanning: Automated scanning for vulnerable dependencies
• CI/CD Security: Security controls in our continuous integration and deployment pipeline

​

Service Providers

Brew uses carefully selected third-party services to provide our email marketing platform. For our current list of subprocessors and service providers (including AI/model providers), see: /legal/subprocessors. We regularly review providers to ensure they meet our security and performance standards and update that page when providers change.

​

Acceptable Use Policy

Summary only — the binding Acceptable Use Policy is in our Terms of Service Section 17. See: /legal/terms#17-acceptable-use-policy-aup. Our vision is to help businesses drive more revenue through effective, AI-powered email marketing. We’re committed to maintaining a platform that benefits both senders and recipients.

​

Prohibited Uses

You may not use Brew for the following:

• Non-Consensual Communications: Sending emails to recipients who haven’t explicitly opted in
• Deceptive Practices: Using misleading subject lines or sender information
• Misrepresentation: Impersonating another individual or organization
• Illegal Content: Distributing content that violates applicable laws
• Harmful Content: Sending malware, phishing attempts, or other harmful content

​

Email Marketing Requirements

When using Brew, you must:

• Maintain Proper Consent: Have documented consent from all recipients
• Honor Unsubscribe Requests: Process unsubscribe requests promptly
• Include Valid Contact Information: Provide accurate sender information
• Comply with Applicable Laws: Follow relevant regulations including data privacy, email marketing, and accessibility requirements

If you have questions about this policy or would like to report a violation, please reach out and we’ll be happy to help.

​

Policies & Legal

See our Privacy Policy, Terms of Service, DPA, and Subprocessors & Service Providers. These legal pages are the source of truth; this Security page summarizes them for ease of reading.

​

Enterprise Security Requirements

We understand that enterprise customers often have specific security requirements. While we are actively working toward formal certifications, we are committed to meeting your security needs:

• Custom Security Reviews: We welcome detailed security questionnaires and assessments
• Flexible Security Options: Tailored security configurations to meet your organization’s specific compliance and data protection requirements
• Direct Support: Direct access to our security team for your InfoSec professionals
• Transparent Roadmap: Clear timelines for our security certification progress

​

Need Help?

Our team is ready to support you at every step of your journey with Brew. Choose the option that works best for you: