Security & Trust
Audit-ready research, built for institutional confidence.
Bricolage orchestrates autonomous research workflows on your behalf, with full transparency, verifiable provenance, and compliance-grade rigor. Every research path is documented, every source is traceable, and every run is sealed with a signed, independently verifiable audit receipt.
Institutional Trust
Three commitments to research integrity
Verifiable provenance
Every run is sealed with a cryptographically signed audit receipt: a Merkle root over the full activity log, signed with your organization's key. Change a single entry and the signature no longer verifies, so reviewers, regulators, and clients can confirm the record themselves.
- ✓Full source citation for every fact and quote
- ✓Cryptographically signed audit receipt on every run
- ✓Independently verifiable against a public key you pin once
- ✓Export the audit trail in compliance-ready formats (PDF, JSON)
Data residency & encryption
Your research data stays within your specified compliance region. All data in transit and at rest is encrypted using industry-standard protocols. No training on your proprietary research.
- ✓Data residency in Canada, US, or EU per your choice
- ✓AES-256 encryption at rest; TLS 1.3 in transit
- ✓Zero model training on your research data
- ✓Data deletion on request, certified in writing
Transparent access governance
Role-based access controls with audit logging. Every user action is recorded. Team leads approve research workflows before execution. Full visibility into who accessed what, when.
- ✓Role-based access (Viewer, Editor, Approver, Admin)
- ✓Mandatory approval gates for sensitive research workflows
- ✓Complete audit log of user actions and workflow approvals
- ✓SAML/SSO integration for enterprise identity management
Compliance & Standards
Built for institutional oversight
SOC 2 Type II Certification (In Progress)
We are pursuing SOC 2 Type II certification to demonstrate controls over security, availability, and confidentiality. Expected completion: Q3 2026. Detailed findings will be available to Enterprise customers under NDA.
Privacy & Data Protection
Our data handling is designed to align with PIPEDA (Canada), GDPR (EU), and CCPA (US) privacy regulations. Research data is separate from operational metrics. No third-party data sharing without explicit consent.
Research Integrity Standards
Bricolage artifacts are built with peer-review readiness in mind. Source transparency, methodology documentation, and confidence scoring meet the expectations of academic journals and institutional research review boards.
Regulatory Auditing
Government agencies and institutional compliance teams can request detailed audit reports. We provide time-stamped access logs, encryption certifications, and complete workflow provenance to support your compliance obligations.
Transparent Operations
Questions we hear (and how we answer)
Does Bricolage train models on my research data?
No. Your research data is never used to improve our models or serve as training material. We use industry-standard LLMs (Claude, GPT) that are not fine-tuned on customer data. You own all results generated by your workflows.
Can regulators access audit trails for my research?
Yes. Enterprise and Government customers can export complete audit trails in compliance-ready formats. Audit logs include timestamps, user identities, workflow approvals, and full research provenance. Regulatory requests are handled through your account team.
What happens if I need to delete research data?
You can request deletion of research data at any time. We will delete all copies from our systems and provide a signed certificate of deletion. Audit logs of the deletion request are retained for compliance purposes.
Is Bricolage compliant for government/classified research?
We support government agencies with data residency in secure regions and signed data-handling agreements. For classified research, we recommend discussion with your compliance team. Enterprise customers can request a security questionnaire review.
How do you handle API and third-party integrations securely?
API keys and credentials are encrypted at rest and never logged. Third-party integrations (databases, APIs, services) are accessed only when your workflow explicitly requires them, with full audit logging of what data was accessed and when.
Ready to discuss your compliance requirements?
Our security and compliance team is available to review your specific needs and provide detailed attestations, audit logs, and technical documentation.
