Security

Your listings and customer data are protected at every layer.

Babrik is built for teams who cannot compromise on how their media and customer information is stored, transmitted, and processed. This page describes the controls that sit behind every order we deliver.

Our commitment

Security is not a feature we layer on top of the product — it is the foundation everything else is built on. Every engineer at Babrik is responsible for the security of the systems they work on, and every architectural decision is reviewed against our threat model before it ships.

We publish this page so prospective and existing customers can evaluate Babrik against the same controls they expect from any enterprise vendor. If you need deeper detail — penetration test reports, sub-processor lists, or our security questionnaire — reach out to security@babrik.com.

How we protect your data

Encryption everywhere

All traffic is served over TLS 1.2+. Customer data and listing media are encrypted at rest using AES-256. Encryption keys are managed by our cloud provider's HSM-backed key service.

Identity and access

Single sign-on (SSO) is available on Business plans. Internal access follows the principle of least privilege. Every administrative action is recorded in an immutable audit log.

Hardened infrastructure

Babrik runs on AWS in multiple regions with isolated VPCs, network ACLs, and continuous vulnerability scanning. Production access is gated by MFA and short-lived credentials.

Privacy by design

Object blur, face redaction, and licence-plate removal are first-class features — not opt-ins. Customer media is segregated per tenant and never used to train shared models.

Continuous monitoring

We run 24×7 alerting on authentication anomalies, infrastructure changes, and dependency vulnerabilities. Critical patches are deployed within 24 hours of disclosure.

Incident response

We run a written incident response plan with defined severity levels. Affected customers are notified within 72 hours of any confirmed breach involving their data.

Compliance and audits

Independent verification matters. Babrik maintains active certifications and ongoing audits against the frameworks our customers ask about most.

SOC 2 Type II

Annual independent audit covering security, availability, and confidentiality controls. Reports available under NDA on request.

GDPR & UK GDPR

Standard Contractual Clauses, EU-hosted regions, and a written Data Processing Agreement available to every customer.

CCPA

Babrik responds to verified consumer requests for access, correction, and deletion under the California Consumer Privacy Act.

ISO 27001 (in progress)

We are working toward certification of our information security management system. Target audit window: 2026.

Responsible disclosure

Found a vulnerability? Please report it to security@babrik.com before disclosing it publicly. We acknowledge reports within 48 hours, keep you informed throughout triage, and credit researchers who help us improve the platform.

Please do not run automated scans against production, attempt to access data that does not belong to you, or degrade service for other customers during your testing. Good-faith research conducted under those boundaries is welcome.

Need our security questionnaire?

We respond to vendor security reviews within two business days, including SIG, CAIQ, and custom questionnaires from procurement teams.
