Security

Last updated March 17, 2026

Security is foundational to BeanStack. Your financial data demands enterprise-grade protection, and we build accordingly.


Infrastructure

BeanStack runs on enterprise-grade cloud infrastructure with high availability, geographic redundancy, and automatic failover. Infrastructure is continuously monitored for performance and security events.

Encryption

| Layer | Standard |
|-------|----------|
| Data in transit | TLS 1.3 |
| Data at rest | AES-256 |
| Encryption key management | Managed key service; customer-managed keys available on Enterprise |

Network Security

All infrastructure operates in private networks. Public access to data stores is not permitted. Firewall rules follow deny-by-default principles. Production access for BeanStack personnel requires VPN and multi-factor authentication.


Application Security

Authentication

  • Passwords stored using strong one-way hashing
  • Multi-factor authentication (MFA) required for all accounts
  • SSO via SAML 2.0 and OIDC available on higher-tier plans
  • Sessions expire after periods of inactivity; tokens are rotated on sensitive operations

Access Control

Role-based access control (RBAC) is enforced at the API layer across all operations. Each customer organization's data is logically isolated — no access path exists to data outside your organization, including at the AI processing layer.

Secure Development

BeanStack applies security controls throughout the software development lifecycle, including code review, automated vulnerability scanning, and periodic security assessments.


AI and Document Processing

Processing Isolation

Documents you upload are processed within isolated compute environments scoped to your organization. AI inference requests include only the minimum context required for the task.

No Training on Customer Data

AI model providers used by BeanStack are contractually prohibited from using your documents, queries, or extracted data to train or improve AI models. Customer Data enters processing pipelines that have no connection to model training infrastructure.

Subprocessors

AI model providers and all subprocessors must meet BeanStack's security requirements before being authorized for use in production. The current subprocessor list is maintained at beanstack.ai/subprocessors.


Compliance

BeanStack is designed to support compliance with GDPR, CCPA/CPRA, and applicable data protection laws. Our AI Features are general-purpose productivity tools and are not classified as high-risk AI systems under applicable AI regulations in their intended use cases.

Audit Logging

All significant actions within the Service are logged, including data access and modification events, authentication activity, and AI processing events. Logs are retained and available for export on applicable plans.


Operational Security

Personnel

BeanStack employees with access to production systems undergo background screening. Production access is limited to personnel with a legitimate operational need, is logged, and is subject to regular review. Access to Customer Data requires a support context or customer authorization.

Incident Response

BeanStack maintains an incident response program covering detection, investigation, containment, and notification. In the event of a confirmed security incident involving unauthorized access to your personal data, we will notify affected customers in accordance with applicable legal requirements.


Enterprise Security Options

Enterprise plan customers may have access to additional capabilities, including:

  • Customer-managed encryption keys (CMEK)
  • EU data residency
  • Audit log streaming to customer-managed SIEM systems
  • Custom data retention policies
  • Security questionnaire completion and documentation (under NDA)

Contact sales@beanstack.ai for Enterprise security requirements.


Vulnerability Disclosure

If you discover a potential security vulnerability in BeanStack:

  1. Email security@beanstack.ai with details
  2. Do not publicly disclose the issue before we have had an opportunity to investigate
  3. We will acknowledge receipt and work to address confirmed vulnerabilities

We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.


Contact

Email: security@beanstack.ai

BeanStack AI, Inc.