Trust Center

Where we are. Where the data sits. Who has access.

Northbeams is built privacy-first. The classifier runs inside the browser. The original prompt text never leaves the device. SOC 2 Type II readiness is underway with no third-party attestation yet in force. Below is exactly where everything stands today.

01 / Status

Compliance posture, today.

SOC 2 Type II

Readiness: report targeted Q4 2027

Scope: Security, Availability, and Confidentiality. Observation window opens Q3 2026 and runs 12 months. No third-party attestation is yet in force. Trust report and policy pack available to qualified prospects under NDA today.

GDPR

Live: privacy by design

Designed in alignment with GDPR Art. 25 (privacy by design) principles. EU data residency available on Fleet. Standard DPA on request. The architecture means there is almost no personal data to process: original prompt content stays on the user's device.

EU AI Act

Live: Article-aligned evidence pack

Northbeams ships an evidence pack structured around Articles 9, 10, 12, and 13. Available on Sentinel and Fleet. Mapping has not been third-party assessed.

HIPAA

Roadmap: healthcare tier in design

Architecture supports HIPAA technical safeguards under 164.312. A HIPAA-eligible plan with Business Associate Agreement is on the roadmap, not yet available. Healthcare prospects, contact security@northbeams.com.

ISO 27001

Planned: 2028

Scoped after SOC 2 Type II completes. Control objectives are informed by ISO 27001 today. Customers requiring ISO before our certification can request the SOC 2 evidence pack.

02 / Architecture

Privacy by architecture, not policy.

Classifier runs in-browser

The Northbeams browser extension classifies every prompt locally. The prompt text itself never leaves the user's device. Only category labels, redacted snippets, and policy events are sent to the dashboard.

MCP arguments stay on-device

The MCP Gateway is a local stdio proxy. It classifies every MCP tool argument on the user's laptop and sends only categorical labels (credentials, PII, source code, legal terms, customer data) and a SHA-256 hash to the dashboard. The argument values themselves never leave the device.
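As an added illustration of the event shape this section describes (example code, not Northbeams' gateway), the sketch below classifies one tool argument locally with constructed regex detectors for the five categories named above and emits only the labels plus a SHA-256 digest; the detector patterns, tool name and argument name are assumptions.

```python
import hashlib
import json
import re

# Category detectors: constructed for this example, not Northbeams' own classifier.
PATTERNS = {
    "credentials": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*\S+|\bAKIA[0-9A-Z]{16}\b"),
    "pii": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b|\b\d{3}-\d{2}-\d{4}\b"),
    "source_code": re.compile(r"\b(?:def|class|import|function|return)\b[^\n]*[:{(]"),
    "legal_terms": re.compile(r"(?i)\b(?:indemnif\w+|non-disclosure|hereinafter|governing law)\b"),
    "customer_data": re.compile(r"(?i)\b(?:customer|account)[ _-]?id\b\s*[:=]?\s*\d+"),
}


def classify(value: str) -> list:
    """Return the sorted category labels that match; only labels leave the device."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(value))


def build_event(tool: str, arg_name: str, value: str) -> dict:
    """Build the dashboard-bound event: labels plus a SHA-256 digest, never the raw value.

    The digest is unkeyed, so a short or guessable value can be matched by recomputing
    candidate digests; treat it as a correlation id, not as confidentiality protection.
    """
    return {
        "tool": tool,
        "arg": arg_name,
        "labels": classify(value),
        "sha256": hashlib.sha256(value.encode("utf-8")).hexdigest(),
    }


def leaks_raw_value(event: dict, value: str) -> bool:
    """Sanity guard: confirm the raw argument value does not appear in the serialised event."""
    return value in json.dumps(event)


if __name__ == "__main__":
    # Constructed sample argument containing a credential and an e-mail address.
    sample = "password=hunter2 contact: alice@example.com"
    event = build_event("filesystem.write", "content", sample)
    print(json.dumps(event, indent=2), "leaks:", leaks_raw_value(event, sample))
```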

No proxy. No MITM.

Northbeams does not intercept network traffic. There is no proxy, no TLS-stripping certificate, and no on-prem appliance. There is nothing in the network path that could be a single point of failure or a privileged target.

Encrypted at rest and in transit

All metadata in the dashboard is encrypted in transit (TLS 1.3) and at rest. Customer data is logically isolated per tenant. Audit logs are immutable on Sentinel and Fleet.

Sub-processors

The current list of every third-party service that processes customer data lives at /sub-processors, with purpose, region, and certifications per vendor. We notify subscribed customers at least 30 days before changes.

Data residency

US-region by default. EU-region available on Fleet. We do not move customer data between regions.

Retention

Default audit-log retention varies by tier (90 days on Lighthouse, 1 year on Sentinel, 7 years on Fleet). Customers can configure shorter retention to meet local data minimisation requirements.

What happens to your data if Northbeams shuts down?

Your data is yours. If we ever wind down the service, we will send every workspace owner a 90-day advance notice with a full JSON export of their audit logs, tool inventory, policies, and user records. Exports are also available on demand at any time from the Settings page. We will not delete your data until you have confirmed receipt of the export or the 90-day window expires, whichever comes later.

Cancellation and deletion

Cancel from the in-app billing portal at any time. You keep paid features through the end of your billing period. After full cancellation, we delete workspace data within 30 days, including incidents, audit logs, policies, and user records. We retain only what we are legally required to keep for tax and financial records.

Vulnerability disclosure

We maintain a coordinated disclosure policy with a safe-harbor commitment for good-faith security research. If you find a vulnerability, email us before publishing. We acknowledge within one business day and aim to patch within 30 days for critical findings.

security@northbeams.com →

security.txt →

Full disclosure policy and safe harbor →

Vendor questionnaires, sub-processor requests, and DPA/BAA copies also go to security@northbeams.com. We reply within one business day.