Security & Trust

Enterprise-grade security,
built into every answer.

Bear Creek AI recognizes that the confidentiality, integrity, and availability of your information are vital to your business. knowledgeXpert™ is SOC 2 Type I, ISO 27001:2022, and GDPR certified — backed by 62 documented controls, single-tenant deployment, end-to-end encryption, and a guarantee your data is never used to train public AI models.

Certifications & Frameworks

Independently audited. Continuously monitored.

Bear Creek AI's security program is built on industry-recognized frameworks and independently verified by third-party auditors.

SOC 2 Type I

Certified

ISO 27001:2022

Certified

ISO 27001

Certified

GDPR

Certified

Knowledge publishers, partners & customers who trust Bear Creek AI

  • Engineering for Change
  • Imantt
  • Vista Engineering
  • Custom Plastic Solutions
  • Clarion Technical Publications

62 controls. 6 categories.

Defense in depth, audited end to end.

Our security program is structured around 62 documented controls spanning every layer of how we build, run, and govern knowledgeXpert™ — continuously monitored through Sprinto, not just checked at audit time.

Product Security · 3

How we keep the platform itself safe to use.

  • Annual production system user review
  • Documented vulnerability remediation process
  • Centralized management of flaw remediation

Data Security · 13

How we protect, isolate, and govern your information.

  • AES-256 encryption at rest
  • Multi-factor authentication on critical systems
  • Production database access restriction
  • User privilege & access reviews
  • Data backups with recovery testing
  • Inventory of personal data (PII)

Network Security · 7

How traffic and connections are guarded at every hop.

  • Default-deny firewall on production hosts
  • HTTPS / TLS 1.2+ for all transmissions
  • Limit network connections to vetted infrastructure
  • Centralized collection of security event logs

App Security · 2

How customers stay informed and how anomalies are surfaced.

  • Conspicuous link to privacy notice
  • Continuous monitoring for unauthorized activity

Endpoint Security · 3

How the devices accessing your data are kept clean and current.

  • Anti-malware on all employee endpoints
  • Endpoint security validation on remote devices
  • Automatic session lock after 15 minutes of inactivity

Corporate Security · 34

How our people, policies, and vendors are governed.

  • Code of business conduct & policy acknowledgement
  • New-hire and periodic security & privacy training
  • Risk assessments & third-party criticality reviews
  • CISO & CPO with assigned responsibilities
  • Internal audit using Sprinto
  • EU Representative & documented DPIAs

Our data principles

Three promises about your data.

Plain-language commitments. No legalese, no fine print, no hidden clauses.

Your documents are your competitive advantage. We're a tool you use — not a destination for your knowledge to leak out of.

Promise 01

Your data stays yours.

Your documents are never used to train public AI models, never shared with other customers, and never leave your isolated tenant. Full stop.

Promise 02

You control access.

Role-based permissions let you decide who sees what — down to specific knowledgeBases. Add, remove, or revoke users in seconds. Every action is logged.

Promise 03

You can leave with everything.

You can export your documents and data at any time. If you cancel, we delete your tenant within the timelines defined in your contract. No lock-in.

Technical snapshot

For your security team.

The specifics your IT, InfoSec, and procurement teams will ask about — in one place.

Encryption in Transit

TLS 1.2+

All API and browser traffic encrypted end-to-end.

Encryption at Rest

AES-256

Customer data and backups encrypted with managed keys.

Tenancy Model

Single-tenant logical isolation

Each customer's data is isolated — never co-mingled.

Uptime & Availability

99.9% target SLA

Active monitoring, automated failover, and documented RTO/RPO.

Identity & Access

SSO, RBAC, MFA

SAML/OIDC SSO available for enterprise plans. MFA enforced on critical internal systems. Quarterly access reviews.

Session Security

15-minute session lock

Endpoints accessing critical systems auto-lock after inactivity.

Hosting

US-based cloud infrastructure

Hosted on enterprise cloud infrastructure (Microsoft Azure and Koyeb) within US data centers.

Logging & Monitoring

Centralized event logs

Security events from all critical systems aggregated for review and alerting.

Continuous Compliance

Sprinto-monitored

62 controls continuously monitored. Internal audits performed via Sprinto.

Backups & Recovery

Automated, tested

Backups taken at relevant cadence and integrity-verified through periodic recovery testing.

Privacy Governance

CPO & EU Representative

Chief Privacy Officer assigned. EU Representative appointed for GDPR matters. Periodic DPIAs conducted.

From upload to deletion

How your data flows through knowledgeXpert™.

A transparent walk-through of what happens to your documents at each stage.

1

Upload — encrypted on the way in

Documents are uploaded over TLS 1.2+ directly to your isolated tenant. Files are scanned, indexed, and encrypted at rest with AES-256. Original documents stay intact — we never modify your source content.

2

Process — isolated to your tenant

Embeddings, indexing, and retrieval all happen inside your tenant boundary. Your content is never co-mingled with other customers and never used to train public foundation models. Internal access is logged, role-based, and reviewed quarterly.

3

Answer — cited and auditable

Every answer cites the exact document and page it came from. Queries, responses, and citations are logged in an immutable audit trail your admins can review at any time.

4

Delete — gone when you say so

You can delete documents, knowledgeBases, or your entire tenant at any time. Deletions cascade through indexes and backups within the timelines defined in your contract. We do not retain your data after termination.

Trust Center

Need our compliance documents?

Our Trust Center publishes 42 security policies and procedures, 62 documented controls, and our full subprocessor list. Public documents are available immediately; sensitive items (SOC 2 reports, ISMS Manual, etc.) can be requested with one click.

Available in our Trust Center

  • Information Security Policy & ISMS Manual
  • Data Protection & Retention Policies
  • Incident & Data Breach Notification Policies
  • Business Continuity & Disaster Recovery Policy
  • Vendor Management & Access Control Policies
  • SDLC Procedure & Privacy By Design Policy
  • Records of Processing Activities (ROPA)

Vendors that touch your data

Our subprocessors, in plain sight.

knowledgeXpert™ uses a small set of independently audited subprocessors to deliver the platform. Every vendor is vetted, contracted, and listed publicly — no surprises.

Microsoft Azure

IT infrastructure

Koyeb

IT infrastructure

MongoDB Atlas

Datastore provider

Pinecone

Vector database / IT infrastructure

OpenAI

Foundation models (no training on customer data)

Slack

Internal collaboration & productivity

Google Workspace

Identity & access management

Atlassian (Jira)

Internal development documentation

GitHub

Internal development software

Stripe

Payments & finance

Squarespace

Marketing site hosting

Security FAQ

What customers and their security teams ask us.

Don't see your question? Reach our security team directly.

Is Bear Creek AI SOC 2 and ISO 27001 certified?

Yes. Bear Creek AI is SOC 2 Type I, ISO 27001:2022, ISO 27001 (legacy), and GDPR certified. Reports and certificates are available through our Trust Center. We use Sprinto to monitor 62 documented controls continuously, not just at audit time, and our internal audits are run through Sprinto on an ongoing basis.

Will my documents be used to train AI models?

No. Your documents are never used to train public AI models, never shared with other customers, and never leave your isolated tenant. We use foundation models from third-party providers under enterprise contracts that contractually prohibit training on customer data.

How is my data isolated from other customers?

Each customer gets single-tenant logical isolation: separate data stores, separate vector indexes, and access controls scoped to your organization. There is no path by which one customer can query, search, or even see the existence of another customer's content.

How is data encrypted?

All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Encryption keys are managed by our cloud provider's KMS with strict access controls and rotation policies.

Where is data hosted?

knowledgeXpert™ is hosted on enterprise cloud infrastructure within US data centers. Microsoft Azure and Koyeb provide the underlying IT infrastructure, MongoDB Atlas serves as our datastore, and Pinecone provides vector search. All hosting providers are SOC 2 / ISO 27001 certified. The full subprocessor list is published in our Trust Center.

Do you support SSO and role-based access?

Yes. Enterprise plans support SAML/OIDC single sign-on. Role-based access control (RBAC) is available on every plan, letting your admins scope permissions down to individual knowledgeBases. All admin and user actions are recorded in an immutable audit log.

Do you conduct penetration testing?

Yes. We engage independent third-party penetration testing, with targeted testing after significant architectural changes. Findings are tracked to closure with documented remediation timelines. Summary reports are available through our Trust Center.

What happens if there's a security incident?

We maintain a documented incident response plan with defined severity levels, response timelines, and customer notification procedures. In the event of a confirmed breach affecting your data, we notify impacted customers within the timelines specified in your contract and applicable regulations (GDPR, state breach laws, etc.).

Can I delete my data on demand?

Yes. You can delete individual documents, full knowledgeBases, or your entire tenant at any time. Deletions cascade through indexes and backups within the timelines defined in your contract. We do not retain customer data after termination beyond what's required by law.

How do you handle GDPR and privacy requests?

We comply with GDPR and maintain documented Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIAs), and a Privacy By Design Policy. We have an assigned Chief Privacy Officer and an EU Representative as required. We provide a Data Processing Addendum (DPA) on request and support data subject access, portability, and deletion requests through your administrator. For specific privacy questions, contact us through our support form.

Who are your subprocessors?

We use 11 subprocessors covering infrastructure (Microsoft Azure, Koyeb), data (MongoDB Atlas, Pinecone), AI (OpenAI — under contract that prohibits training on our data), identity (Google Workspace), and supporting business systems (Atlassian, GitHub, Slack, Stripe, Squarespace). The full list with categories is published in our Trust Center and updated when changes occur. Every subprocessor passes a third-party criticality assessment.

How do I get a SOC 2 report or ISO certificate?

Visit our Trust Center. Public documents (overview, certificates, summary reports) are available immediately. Full SOC 2 reports and other sensitive documents are available under NDA — you can request access directly from the Trust Center.

Built to pass procurement. Built to earn trust.

Whether you're a security team running a vendor review, or a leader who just wants the short answer — we're ready to talk.

SOC 2 Type I · ISO 27001:2022 · GDPR · Single-tenant deployment · Your data, never used to train models