Bureau is a young, bootstrapped startup. We've put serious engineering into security from day one — and we'll be candid about what we haven't built yet. The next sections walk through both, plainly, so a security team can make an informed decision before signing up.
Every tenant-scoped table (articles, journalists, beats, runs, llm_calls, tenant_secrets, tenant_dek, voices, task_assignments, sources, podcasts, episodes, subscribers) carries a row-level security policy: tenant_id::text = current_setting('app.current_tenant_id', true). The middleware sets that session variable from the request's resolved tenant before any query runs. Because Postgres enforces the policy rather than application code, a handler that forgets a tenant_id filter still cannot return another tenant's rows; and because the setting is read with missing_ok = true, a request that never set it compares against NULL and matches nothing rather than everything.
The master KEK lives in the environment (loaded via a systemd EnvironmentFile). A per-tenant DEK is generated at tenant creation, wrapped by the KEK, and stored in tenant_dek. Provider keys (Gemini, OpenAI, Anthropic, Perplexity, ElevenLabs) are encrypted under the tenant's DEK and stored in tenant_secrets. Every layer is AES-256-GCM with a fresh random nonce per encryption. Keys are decrypted at the moment of use and are never written to logs.
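The envelope pattern above, as an added example written for this page rather than Bureau's own code, using only Go's standard library: the KEK wraps a per-tenant DEK, the DEK encrypts provider keys, every blob is AES-256-GCM under a random 96-bit nonce, and the tenant id plus the blob's purpose are bound in as additional authenticated data so a ciphertext cannot be moved between tenants or between the DEK table and the secrets table. The TenantDEK and TenantSecret types are assumed stand-ins for tenant_dek and tenant_secrets rows, and the AAD binding is this example's choice; the page does not say whether Bureau does the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aadFor builds the additional authenticated data for a blob. Binding the tenant
// id and purpose means a ciphertext copied from another tenant's row, or from the
// DEK table into the secrets table, fails authentication instead of decrypting.
func aadFor(tenantID, purpose string) []byte {
	return []byte("tenant=" + tenantID + ";purpose=" + purpose)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM under a fresh random nonce.
// Output layout: nonce || ciphertext || 16-byte tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or AAD is an error.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Hypothetical in-memory stand-ins for tenant_dek and tenant_secrets rows.
// Both hold ciphertext only.
type TenantDEK struct{ TenantID string; WrappedDEK []byte }
type TenantSecret struct{ TenantID, Provider string; Ciphertext []byte }

// CreateTenant generates a random 256-bit DEK and returns it wrapped by the KEK.
// The plaintext DEK does not leave this function.
func CreateTenant(kek []byte, tenantID string) (TenantDEK, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return TenantDEK{}, err
	}
	wrapped, err := sealGCM(kek, dek, aadFor(tenantID, "dek"))
	if err != nil {
		return TenantDEK{}, err
	}
	return TenantDEK{TenantID: tenantID, WrappedDEK: wrapped}, nil
}

func unwrapDEK(kek []byte, row TenantDEK) ([]byte, error) {
	return openGCM(kek, row.WrappedDEK, aadFor(row.TenantID, "dek"))
}

// StoreProviderKey encrypts a provider API key under the tenant's DEK.
func StoreProviderKey(kek []byte, dekRow TenantDEK, provider, apiKey string) (TenantSecret, error) {
	dek, err := unwrapDEK(kek, dekRow)
	if err != nil {
		return TenantSecret{}, err
	}
	ct, err := sealGCM(dek, []byte(apiKey), aadFor(dekRow.TenantID, "provider:"+provider))
	if err != nil {
		return TenantSecret{}, err
	}
	return TenantSecret{TenantID: dekRow.TenantID, Provider: provider, Ciphertext: ct}, nil
}

// ReadProviderKey decrypts a stored provider key at use time. A DEK row from a
// different tenant, or a relabelled one, fails on the AAD check inside openGCM.
func ReadProviderKey(kek []byte, dekRow TenantDEK, s TenantSecret) (string, error) {
	dek, err := unwrapDEK(kek, dekRow)
	if err != nil {
		return "", err
	}
	pt, err := openGCM(dek, s.Ciphertext, aadFor(s.TenantID, "provider:"+s.Provider))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Rotating the KEK under this layout means re-wrapping each tenant's DEK, not re-encrypting every provider key; that separation is the point of the extra layer.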
Tenants pick the sign-in flow that fits their team. Every account supports password reset by signed email link; Google sign-in skips the password entirely; TOTP-based two-factor authentication is available on every account, and ten one-time recovery codes are generated when MFA is enrolled so a lost phone doesn't lock anyone out.
Passwords are hashed with Argon2id (memory-hard, designed to resist side-channel attacks). The lost-password flow mails a signed token to the verified address; tokens expire after 30 minutes and can be redeemed only once.
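A signed, expiring, single-use reset token of the kind described above, as an added example that is not Bureau's implementation. It assumes an HMAC-SHA256 signing key held by the service and an in-memory set of redeemed token ids; a real deployment keeps that set in the database. The order of checks matters: the MAC is verified in constant time before any field of the token body is parsed or trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"sync"
	"time"
)

// ResetTokenTTL matches the 30-minute lifetime described above.
const ResetTokenTTL = 30 * time.Minute

var (
	ErrInvalidToken = errors.New("reset token: bad format or signature")
	ErrExpiredToken = errors.New("reset token: expired")
	ErrUsedToken    = errors.New("reset token: already redeemed")
)

// ResetTokens is a hypothetical issuer and verifier. The signing key and the
// redeemed-token set live in memory here only so the example runs stand-alone.
type ResetTokens struct {
	key      []byte
	mu       sync.Mutex
	redeemed map[string]bool // token id -> already used
}

func NewResetTokens(key []byte) *ResetTokens {
	return &ResetTokens{key: key, redeemed: map[string]bool{}}
}

func (r *ResetTokens) mac(body string) []byte {
	m := hmac.New(sha256.New, r.key)
	m.Write([]byte(body))
	return m.Sum(nil)
}

var b64 = base64.RawURLEncoding

// Issue mints a token for userID (an internal id that never contains '|').
// Layout: b64(userID|issuedUnix|randomID) "." b64(HMAC-SHA256(body)).
// Nothing in the body is secret; the MAC makes it unforgeable, and the random
// id gives each token a distinct identity for single-use tracking.
func (r *ResetTokens) Issue(userID string, now time.Time) (string, error) {
	if strings.Contains(userID, "|") {
		return "", errors.New("user id must not contain '|'")
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	body := userID + "|" + strconv.FormatInt(now.Unix(), 10) + "|" + hex.EncodeToString(id)
	return b64.EncodeToString([]byte(body)) + "." + b64.EncodeToString(r.mac(body)), nil
}

// Redeem checks signature, then lifetime, then single use, and returns the
// user id the token was issued for.
func (r *ResetTokens) Redeem(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", ErrInvalidToken
	}
	body, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(sig, r.mac(string(body))) {
		return "", ErrInvalidToken
	}
	fields := strings.Split(string(body), "|")
	if len(fields) != 3 {
		return "", ErrInvalidToken
	}
	issued, err := strconv.ParseInt(fields[1], 10, 64)
	if err != nil {
		return "", ErrInvalidToken
	}
	issuedAt := time.Unix(issued, 0)
	if now.Before(issuedAt) || now.Sub(issuedAt) > ResetTokenTTL {
		return "", ErrExpiredToken
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.redeemed[fields[2]] {
		return "", ErrUsedToken
	}
	r.redeemed[fields[2]] = true
	return fields[0], nil
}
```

Because expiry is derived from the signed issue time, an attacker cannot extend a token's life by editing it; and because redemption is keyed on the random id rather than the whole token string, re-encoding tricks do not create a "new" token.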
Google sign-in is OAuth 2.0 with the state parameter bound to a per-session CSRF token, so a callback that does not match the session's pending request is rejected. We never see the Google password. The first sign-in establishes the account; subsequent sign-ins skip the password screen entirely.
Standard authenticator-app support (1Password, Authy, Google Authenticator, etc.). Once enrolled, every sign-in adds a six-digit code step. Ten one-time recovery codes are issued at enrolment and stored only as Argon2id hashes; each is invalidated the moment it is used.
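Server-side verification for the flow above, as an added example and not Bureau's code: RFC 6238 TOTP over HMAC-SHA1 with a one-step drift window, a "last accepted step" so a code captured in transit cannot be replayed within its 30-second window, and ten random recovery codes stored as hashes and consumed on use. The Enrolment type is an assumed stand-in for the per-account MFA record. SHA-256 is used for the recovery-code hashes only because Argon2 is not in Go's standard library; the page's Argon2id is the right choice in production, and the storage pattern is identical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const totpStepSeconds = 30

// hotp is the RFC 4226 HMAC-SHA1 dynamic truncation that TOTP is built on.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(msg[:])
	h := m.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPAt is the six-digit code an authenticator app displays at time t.
func TOTPAt(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix()/totpStepSeconds))
}

// Enrolment is hypothetical per-account MFA state: the shared secret, the last
// accepted time step (so a captured code cannot be replayed inside its window),
// and the hashes of recovery codes not yet used.
type Enrolment struct {
	secret         []byte
	lastStep       int64
	recoveryUnused map[string]bool
}

// VerifyTOTP allows one step of clock drift either side of now, but never a
// step at or below the last one accepted. The comparison is constant-time.
func (e *Enrolment) VerifyTOTP(code string, now time.Time) bool {
	step := now.Unix() / totpStepSeconds
	for d := int64(-1); d <= 1; d++ {
		s := step + d
		if s <= e.lastStep {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(code), []byte(hotp(e.secret, uint64(s)))) == 1 {
			e.lastStep = s
			return true
		}
	}
	return false
}

// hashRecoveryCode normalises user input (case, separators) and hashes it.
// SHA-256 stands in for the Argon2id hashing described above; see the lead-in.
func hashRecoveryCode(code string) string {
	norm := strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
	return fmt.Sprintf("%x", sha256.Sum256([]byte(norm)))
}

// NewEnrolment creates MFA state with n fresh recovery codes. The plaintext
// codes are returned once for display; only their hashes are retained.
func NewEnrolment(secret []byte, n int) (*Enrolment, []string, error) {
	e := &Enrolment{secret: secret, lastStep: -1, recoveryUnused: map[string]bool{}}
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10) // 80 bits of entropy, 16 base32 characters
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		s := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
		code := s[:8] + "-" + s[8:]
		codes = append(codes, code)
		e.recoveryUnused[hashRecoveryCode(code)] = true
	}
	return e, codes, nil
}

// RedeemRecoveryCode accepts an unused code exactly once.
func (e *Enrolment) RedeemRecoveryCode(code string) bool {
	h := hashRecoveryCode(code)
	if !e.recoveryUnused[h] {
		return false
	}
	delete(e.recoveryUnused, h)
	return true
}

func (e *Enrolment) RecoveryCodesLeft() int { return len(e.recoveryUnused) }
```

The lastStep bookkeeping is the piece most implementations forget: without it, a code phished or sniffed during sign-in stays valid for up to 90 seconds under the drift window, which is long enough for an attacker to use it.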
When the Brief tier reaches into your Gmail, Slack, or CRM, the LLM writes a brief from the raw payload; the brief is kept and the raw payload is dropped. You can opt into payload retention per source, but the default is to keep the journalist's framing of what happened, not the underlying data.
Kept: briefs, summaries, source metadata (timestamps, item counts), aggregate cost telemetry, and a structured log entry for every credential read.
Dropped: raw email bodies, Slack messages, deal notes, PR diffs, and calendar attendee details beyond the attendee's name. All of it is discarded once the brief is composed.
Per-source flag: setting retain_payloads = true keeps the raw payload so it can be re-briefed later (useful for Postgres or Webhook sources, where the payload is the data you want rather than PII).
Bureau is a young, bootstrapped startup. We won't claim a SOC 2 audit, an ISO certification, or a formal pen-test program until we have one to show you. Here is the honest picture.
If your security team requires a SOC 2 report, a signed BAA, a vendor questionnaire, or a custom deployment, we'll work with you on a custom Enterprise arrangement.
Bureau is not a HIPAA-cleared data processor. Bureau is not in PCI scope. The Brief tier is for business intelligence — not for storing patient health records, payment card data, or other regulated content. Enterprise customers who need that posture should write us and we'll talk about a dedicated deployment.
If this page hasn't answered your security team's questions, write to enterprise@bureau.news — we'll respond, in writing, with whatever specifics you need.
Start a free trial →