Trust Center

Where we are. Where the data sits. Who has access.

Northbeams is built privacy-first. The classifier runs inside the browser. The original prompt text never leaves the device. SOC 2 Type II readiness is underway with no third-party attestation yet in force. Below is exactly where everything stands today.

01 / Status

Compliance posture, today.

GDPR

Live · Privacy by design

Designed in alignment with GDPR Art. 25 (privacy by design) principles. EU data residency available on Fleet. Standard DPA on request. The architecture means there is almost no personal data to process: original prompt content stays on the user's device.

EU AI Act · Evidence Pack

Live · Article-aligned evidence pack

Northbeams ships an evidence pack structured around Articles 9, 10, 12, and 13. Available on Sentinel and Fleet. Mapping has not been third-party assessed. The same evidence layer underpins AI TRiSM (AI Trust, Risk and Security Management) reporting.

SOC 2 Type II

Readiness · Readiness underway. Trust report and policy pack under NDA today.

Scope: Security, Availability, and Confidentiality. Observation window opens Q3 2026 and runs 12 months; the Type II report is targeted Q4 2027. No third-party attestation is yet in force. Trust report and policy pack available to qualified prospects under NDA today.

HIPAA

Roadmap · Healthcare tier in design

Architecture supports HIPAA technical safeguards under 164.312. A HIPAA-eligible plan with Business Associate Agreement is on the roadmap, not yet available. Healthcare prospects, contact security@northbeams.com.

ISO 27001

Planned · 2028

Scoped after SOC 2 Type II completes. Control objectives are informed by ISO 27001 today. Customers requiring ISO before our certification can request the SOC 2 evidence pack.

02 / Architecture

Privacy by architecture, not policy.

Classifier runs in-browser

The Northbeams browser extension classifies every prompt locally. The prompt text itself never leaves the user's device. Only category labels, redacted snippets, and policy events are sent to the dashboard.

MCP arguments stay on-device

The MCP Gateway is a local stdio proxy. It classifies every MCP tool argument on the user's laptop and sends only categorical labels (credentials, PII, source code, legal terms, customer data) and a SHA-256 hash to the dashboard. The argument values themselves never leave the device.

No proxy. No MITM.

Northbeams does not intercept network traffic. There is no proxy, no TLS-stripping certificate, and no on-prem appliance. There is nothing in the network path that could be a single point of failure or a privileged target.

Heavy AI-detection agents sit in your network path: a proxy, a TLS-stripping cert, an appliance to babysit. Northbeams classifies on-device and changes nothing about your network.

Encrypted at rest and in transit

All metadata in the dashboard is encrypted in transit (TLS 1.3) and at rest. Customer data is logically isolated per tenant. Audit logs are immutable on Sentinel and Fleet.

Sub-processors

The current list of every third-party service that processes customer data lives at /sub-processors, with purpose, region, and certifications per vendor. We notify subscribed customers at least 30 days before changes.

Data residency

US-region by default. EU-region available on Fleet. We do not move customer data between regions.

Retention

Default audit-log retention varies by tier (90 days on Lighthouse, 1 year on Sentinel, 7 years on Fleet). Customers can configure shorter retention to meet local data minimisation requirements.

What happens to your data if Northbeams shuts down?

Your data is yours. If we ever wind down the service, we will send every workspace owner a 90-day advance notice with a full JSON export of their audit logs, tool inventory, policies, and user records. Exports are also available on demand at any time from the Settings page. We will not delete your data until you have confirmed receipt of the export or the 90-day window expires, whichever comes later.

Cancellation and deletion

Cancel from the in-app billing portal at any time. You keep paid features through the end of your billing period. After full cancellation, we soft-delete the workspace immediately with a 30-day undo window, then hard-delete every record across Firestore + Storage. An immutable deletion log is retained for the legal-floor period.

Auditor-ready Evidence Packs

Workspaces can generate signed PDF Evidence Packs covering EU AI Act, ISO/IEC 42001:2023, NIST AI RMF, and SOC 2 readiness controls. Every pack carries an HMAC-SHA256 signature backed by a per-org key; auditors verify externally at /trust/verify. The underlying audit log is append-only and hash-chained, and a daily verifier walks the chain end-to-end.
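As an added illustration of the mechanism described above (this is not Northbeams' own code; the entry layout, the manifest fields, the event shape and the key are assumptions), a minimal append-only hash-chained audit log with an end-to-end verifier and a per-org HMAC-SHA256 pack signature:

```python
import hashlib
import hmac
import json


def _canonical(obj):
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, event):
    """Append one audit event, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64  # genesis link
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Walk the chain end-to-end; return (ok, index of first bad entry or -1)."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # A dropped, reordered or edited entry breaks seq, prev_hash or hash.
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def sign_pack(org_key, manifest):
    """HMAC-SHA256 over the pack manifest, which pins the chain head hash."""
    return hmac.new(org_key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_pack(org_key, manifest, signature):
    # Constant-time comparison; a wrong key or an altered manifest fails.
    return hmac.compare_digest(sign_pack(org_key, manifest), signature)


# Constructed sample events (assumption: the hash is over the argument value,
# which itself never reaches the dashboard).
chain = []
append_event(chain, {"tool": "db.query", "labels": ["credentials"],
                     "arg_sha256": hashlib.sha256(b"redacted-arg").hexdigest()})
append_event(chain, {"tool": "mail.send", "labels": ["PII", "customer data"],
                     "arg_sha256": hashlib.sha256(b"other-arg").hexdigest()})
append_event(chain, {"tool": "fs.read", "labels": ["source code"],
                     "arg_sha256": hashlib.sha256(b"third-arg").hexdigest()})

ORG_KEY = b"placeholder-per-org-key"  # placeholder; real keys are per org
manifest = {"org": "example-org", "entries": len(chain), "head": chain[-1]["hash"]}
signature = sign_pack(ORG_KEY, manifest)
```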

DPA, BAA, and SCCs

Standard DPA covers GDPR Article 28, the UK GDPR, the 2021 EU SCCs (Module 2), and the UK IDTA. Counter-signed within one business day. HIPAA BAA available on the Fleet tier. See /dpa.

Vulnerability disclosure

We maintain a coordinated disclosure policy with a safe-harbor commitment for good-faith security research. If you find a vulnerability, email us before publishing. We acknowledge within one business day and aim to patch within 30 days for critical findings.

security@northbeams.com →

security.txt →

Full disclosure policy and safe harbor →

Vendor questionnaires, sub-processor requests, and DPA/BAA copies also go to security@northbeams.com. We reply within one business day.