Skip to content
braincell.sh

Security, described honestly.

Every project runs in an isolated sandbox on dedicated hosts, every change is verified and snapshotted, and everything you build stays exportable. No compliance theatre - just the controls that actually exist.

braincell/Workspace · Security
SOC 2 Type II
SSO · SAML / SCIM
Enabled
Data residency
EU-West
Audit log export
S3 + webhook
Per-tenant encryption
AES-256
Per-project
Isolated sandbox containers
1 click
Full code + history export
0
Private projects used for training
Controls

What ships with every plan.

No lock-in

Your project exports as a complete working codebase any time, and your full activity history exports as CSV. Leaving is always one click away.

Isolated sandboxes

Generated code runs in its own container on a dedicated sandbox host - never on the machines that serve the app or store user data. gVisor kernel isolation supported.

Encryption in transit

TLS on every connection: the app, every project preview URL, every deployment.

Sessions & access

HTTP-only session cookies via Better-Auth, GitHub OAuth or email + password. Admin surfaces are role-gated server-side.

Audit log export

Every agent turn, deployment, and credit movement is exportable as CSV from your account. Self-serve, any time.

Payments by Stripe

Stripe handles every card. We never see or store card numbers - only a customer token and the last four digits.

For security teamsStraight answers

Running a vendor review?

Send your questionnaire to security@braincell.sh and you'll get answers from the people who wrote the code, typically within 24 hours on weekdays. A signed DPA (GDPR / UK-GDPR) is available for paid plans via legal@braincell.sh.

Security questions.

No. Private projects are never used to train shared models. The only models that touch your code are the inference calls you explicitly trigger.

Build with confidence.

Isolated sandboxes, verified changes, exportable history - and the source code to prove all three.