Security

Security at Northbeams

Deep inspection that leaves the raw data on the device. Encryption, enterprise identity, and signed logs on top. Here is exactly how it works.

The controls

What protects your data.

On-device inspection
Classification runs on the endpoint. Only labels, counts, severity, and a hashed snippet leave the device. Raw prompts, MCP argument values, and keystrokes never do. No proxy, no MITM certificate, no network change.
Encrypted in transit and at rest
Traffic to monitor.northbeams.com runs over TLS. Customer data is encrypted at rest on Google Cloud.
SSO and SCIM
SAML single sign-on and SCIM provisioning with Okta, Microsoft Entra, Google Workspace, and WorkOS on Enterprise. Joiners and leavers follow your directory.
MDM deployment
Push the extension and the Mac and Windows apps through Microsoft Intune, Jamf, or Kandji. No user setup, no local admin, no certificate to install.
Immutable signed logs
Every AI event lands on an append-only, cryptographically signed log with per-user attribution. The audit trail cannot be edited after the fact.
SIEM streaming
Stream every event into your own SOC. Splunk HEC and Microsoft Sentinel are supported today. Datadog is available on request.
Infrastructure and assurance

Built on Google Cloud, tested by outsiders.

The product runs on managed cloud infrastructure, and its security is checked by people who do not work here.

INFRASTRUCTURE
Runs on Google Cloud, with customer data in Firestore and Cloud Storage. Managed backups, regional isolation, and least-privilege service accounts.
ASSURANCE
An external penetration test has been performed and the findings remediated. SOC 2 Type II observation window is live, run with Scytale.
Where our SOC 2 stands, stated plainly. Northbeams is in the observation window for SOC 2 Type II, run with Scytale. A Type II report covers a period of operation and is in progress. It is not yet issued. We are a Drata Alliance member, and we are targeting ISO 27001 next (2027 to 2028). If you need our current posture for a vendor review, ask and we will share what exists today. [TODO: confirm with Joe: observation window dates and the expected report date.]

Data minimization by design

Northbeams inspects AI activity where it happens, on the device. The browser extension and desktop apps classify prompts and MCP arguments locally. Only category labels, counts, severity, a redacted and hashed snippet, and per-user attribution leave the endpoint. Raw prompt text, MCP argument values, keystrokes, and non-AI browsing never leave it. Because there is no proxy and no man in the middle certificate, we do not decrypt your traffic in the network path, and there is no network change to make.

Encryption

Data in transit to monitor.northbeams.com is protected with TLS. Customer data at rest is encrypted on Google Cloud. [TODO: confirm with Joe: TLS version floor and key management details for the security whitepaper.]

Identity and access

Enterprise customers use SAML single sign-on and SCIM provisioning with Okta, Microsoft Entra, Google Workspace, and WorkOS, so joiners and leavers follow your directory. Inside Northbeams, role-based access controls separate what admins, analysts, and viewers can see and do. Internally, we follow least-privilege access to production systems.

Deployment and the endpoint

Deploy the browser extension and the Mac and Windows apps through the MDM you already run: Microsoft Intune, Jamf, or Kandji. There is no proxy to stand up and no certificate to push. Enforcement actions (block, sandbox, allow, and pause a user's AI access) are reversible from the console with one click.

Logging, monitoring, and streaming

Every AI event lands on an append-only, cryptographically signed log with per-user attribution, so the audit trail cannot be quietly edited after the fact. You can stream those events into your own SOC. Splunk HEC and Microsoft Sentinel are supported today, and Datadog is available on request.

Infrastructure and hosting

The Service runs on Google Cloud, with customer data in Firestore and Cloud Storage. We use managed backups and isolated service accounts. Enterprise customers can request US or EU data residency. See our Sub-processors page for the vendors involved and where they operate.

Testing and assurance

An external penetration test has been performed against the Service, and the findings were remediated. Northbeams is in the observation window for SOC 2 Type II, run with Scytale, and is a Drata Alliance member. We are targeting ISO 27001 next (2027 to 2028). For how Northbeams helps you meet frameworks such as the EU AI Act, ISO 42001, and SOC 2 for your own audits, see Compliance. For the wider picture, visit our Trust Center. [TODO: confirm with Joe: penetration-test vendor name and date, and whether a summary letter can be shared under NDA.]

Reporting a vulnerability

If you believe you have found a security issue, email privacy@northbeams.com and we will respond. Please give us enough detail to reproduce the issue, and give us reasonable time to fix it before any public disclosure. [TODO: confirm with Joe: a dedicated security@ alias and a written disclosure policy.]

See the whole trust picture.

Security, privacy, sub-processors, and compliance, in one place.

Visit the Trust Center Book a demo