Security.
Your Brandzy account holds the business context behind your lead discovery: connected account data, offer notes, Signal Scores, Coach verdicts, draft replies, and Pipeline status. Below is how we protect it, what we minimize, and how to report issues.
Account isolation
Every customer gets an authenticated user account and workspace. App routes verify the session cookie, confirm workspace ownership, and apply per-user rate limits before sensitive actions run. Firestore and Storage rules are owner-scoped so one customer cannot read or write another customer's workspace data.
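Owner-scoped rules of the kind this section describes, added here as an illustration rather than Brandzy's own rules; the `workspaces` collection, the `ownerUid` field and the `/users/{uid}/` storage layout are assumptions, and the over-broad rule is shown only as the pattern such isolation rules out:

```firestore
// firestore.rules (illustrative; collection names and the ownerUid
// field are assumptions, not Brandzy's real schema)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The over-broad pattern that owner-scoping replaces: any
    // signed-in user could read or write every workspace.
    //   allow read, write: if request.auth != null;

    function isSignedIn() {
      return request.auth != null;
    }
    // Existing document: compare against the stored data.
    function ownsExisting() {
      return isSignedIn() && request.auth.uid == resource.data.ownerUid;
    }
    // Incoming write: compare against the data being written, because on
    // create there is no stored document yet.
    function ownsIncoming() {
      return isSignedIn() && request.auth.uid == request.resource.data.ownerUid;
    }

    match /workspaces/{workspaceId} {
      // Reads: list queries must also filter on ownerUid == uid, or the
      // rule cannot prove every result is owned and rejects the query.
      allow read, delete: if ownsExisting();
      allow create: if ownsIncoming();
      // Update must both own the current doc and not reassign ownerUid.
      allow update: if ownsExisting() && ownsIncoming();

      // Nested content (leads, drafts, pipeline) inherits the parent's
      // owner instead of trusting a field a client could set itself.
      match /{collection}/{docId} {
        allow read, write: if isSignedIn()
          && request.auth.uid ==
             get(/databases/$(database)/documents/workspaces/$(workspaceId)).data.ownerUid;
      }
    }
  }
}

// storage.rules (separate file): scope objects by the owner's uid in the path.
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{uid}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Rules are deny-by-default, so anything not matched above is rejected; the session-cookie and rate-limit checks in the app routes sit in front of these rules rather than replacing them.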
Authentication
- Sign-in uses Firebase Auth with email/password or Google sign-in.
- New accounts may be approved in waves during the public beta.
- App sessions use secure, HTTP-only cookies with a five-day lifetime.
- Password reset is handled through Firebase Auth.
Encryption
- In transit. Every connection between your browser and our servers uses TLS 1.2 or higher with modern cipher suites.
- At rest. Your account data is encrypted on disk at our hosting provider (AES-256).
- Server-side tokens. X OAuth tokens are stored server-side and are cleared when you disconnect X. They are not stored in browser local storage.
X access (OAuth)
You connect your X account via OAuth 2.0 with PKCE — we never see your X password. Brandzy requests scopes needed to read permitted X data, refresh the connection, draft/review actions, and support explicit user-approved publishing. DM read access is optional and is requested only when you enable DM qualification.
Brandzy uses the official X API. It is built around human review and platform rate limits, and it has no bulk auto-DM workflow.
DM data minimization
When DM qualification is enabled, Brandzy reads recent DM events to classify buyer seriousness. It stores verdicts, summaries, evidence, participant metadata, timestamps, and next actions. It does not store raw DM text as durable account content.
Access controls inside Brandzy
Internal Brandzy access to customer data is limited to what is needed for support, security, billing, abuse prevention, or production incidents. The operating standard is:
- Minimum necessary. We avoid opening customer content unless it is needed to resolve a specific issue.
- Scoped. Production credentials are kept out of source control and environment-specific secrets are loaded server-side.
- Careful by default. We do not use customer content for demos, marketing, or public examples unless it is anonymized, fictionalized, or explicitly approved.
Monitoring and incident response
We monitor for errors, rate-limit abuse, failed-authentication patterns, and anomalous API usage. If we detect an incident that affects your data, we'll notify affected customers as required and share what we know, what we're doing, and what you need to do.
Backups and continuity
Brandzy runs on managed Firebase and Google Cloud infrastructure. We rely on provider-level durability, restricted destructive actions, and account-level deletion flows to reduce the risk of accidental data loss while the product is in public beta.
AI and your content
Brandzy currently uses xAI/Grok for signal classification, Coach output, and draft generation. AI inputs can include your business context, lead context, public X data, and recent DM text when you enable DM qualification. We do not train Brandzy-owned models on your content, and we do not authorize model training on your Brandzy content.
What we don't do
- We don't sell your data.
- We don't share accounts between customers.
- We don't use your content to train public AI models.
- We don't store your X password — OAuth only.
- We don't store raw DM text as durable Brandzy account content.
- We don't send bulk auto-DMs.
Compliance
Brandzy is an early-stage product; we don't yet hold formal security certifications and will pursue them as customer demand warrants. Where applicable, we honor the rights described in our Privacy policy.
Reporting a vulnerability
Found a security issue? Please email hello@brandzy.io with a clear description, steps to reproduce, and any impact assessment you can share. We address verified issues as fast as their severity requires, and credit responsible disclosures when you'd like that.
Updates to this page
We update this page as our security program evolves. The "last updated" date at the top reflects the most recent change.