Security
Your listings and customer data are protected at every layer.
Babrik is built for teams who cannot compromise on how their media and customer information is stored, transmitted, and processed. This page describes the controls that sit behind every order we deliver.
Our commitment
Security is not a feature we layer on top of the product — it is the foundation everything else is built on. Every engineer at Babrik is responsible for the security of the systems they work on, and every architectural decision is reviewed against our threat model before it ships.
We publish this page so prospective and existing customers can evaluate Babrik against the same controls they expect from any enterprise vendor. If you need deeper detail — penetration test reports, sub-processor lists, or our security questionnaire — reach out to security@babrik.com.
How we protect your data
Encryption everywhere
All traffic is served over TLS 1.2+. Customer data and listing media are encrypted at rest using AES-256. Encryption keys are managed by our cloud provider's HSM-backed key service.
Identity and access
Single sign-on (SSO) is available on Business plans. Internal access follows the principle of least privilege. Every administrative action is recorded in an immutable audit log.
Hardened infrastructure
Babrik runs on AWS in multiple regions with isolated VPCs, network ACLs, and continuous vulnerability scanning. Production access is gated by MFA and short-lived credentials.
Privacy by design
Object blur, face redaction, and licence-plate removal are first-class features — not opt-ins. Customer media is segregated per tenant and never used to train shared models.
Continuous monitoring
We maintain 24×7 alerting on authentication anomalies, infrastructure changes, and dependency vulnerabilities. Critical patches are deployed within 24 hours of disclosure.
Incident response
We run a written incident response plan with defined severity levels. Affected customers are notified within 72 hours of any confirmed breach involving their data.
Compliance and audits
Independent verification matters. Babrik maintains active certifications and ongoing audits against the frameworks our customers ask about most.
SOC 2 Type II
Annual independent audit covering security, availability, and confidentiality controls. Reports available under NDA on request.
GDPR & UK GDPR
Standard Contractual Clauses, EU-hosted regions, and a written Data Processing Agreement available to every customer.
CCPA
Babrik responds to verified consumer requests for access, correction, and deletion under the California Consumer Privacy Act.
ISO 27001 (in progress)
We are working toward certification of our information security management system. Target audit window: 2026.
Responsible disclosure
Found a vulnerability? Please report it to security@babrik.com before disclosing it publicly. We acknowledge reports within 48 hours, keep you informed throughout triage, and credit researchers who help us improve the platform.
Please do not run automated scans against production, attempt to access data that does not belong to you, or degrade service for other customers during your testing. Good-faith research conducted under those boundaries is welcome.
Need our security questionnaire?
We respond to vendor security reviews within two business days, including SIG, CAIQ, and custom questionnaires from procurement teams.
Contact our security team