Security

BRIA handles sensitive due-diligence queries. This page summarises how we protect API access, what we log, and how we align with Kenya's Data Protection Act — without publishing operational details that would help an attacker.

Full legal detail is in our Privacy Policy. For integration specifics, see the API docs.
ODPC registration in progress. BRIA Intelligence Ltd is completing data-controller registration with Kenya's Office of the Data Protection Commissioner. A Data Protection Officer will be registered before general public launch.

API access

Key-based authentication

Production API calls require a secret key sent in the Authorization: Bearer header. Keys are issued per customer during pilot or contract onboarding — not shared across organisations.

Rate limits

Keys carry configurable rate limits to prevent abuse and contain blast radius if a key is exposed. Contact us to rotate a compromised key immediately.

HTTPS only

All API traffic is encrypted in transit over TLS. Do not send keys over email or chat — use the secure channel we provide at onboarding.

Demo vs production

The public live demo uses a separate, rate-limited endpoint. Production keys never work on the demo page and vice versa.

What we log

We retain enough metadata to operate the service, detect abuse, and answer audit questions — not the full text of every API response.

  • Logged: API key identifier (not the secret), company names queried, timestamps, HTTP status codes, and volume metrics.
  • Not logged for analytics resale: we do not sell or license your query history to third parties.
  • Response bodies: we do not persist full JSON responses in application logs by default.

Retention periods and lawful bases for processing are set out in the Privacy Policy.

Data handling

  • Public-record foundation — risk flags cite authoritative sources; we archive raw documents as part of our ingestion pipeline.
  • Customer account data — names, work emails, and pilot agreement details are stored only as needed to deliver the service.
  • Sub-processors — cloud infrastructure providers may process data on our behalf under contract; details are listed in the Privacy Policy.
  • Cross-border transfers — where data leaves Kenya, we apply safeguards described in our privacy documentation.

Kenya Data Protection Act

BRIA Intelligence Ltd is registered in Kenya and processes personal data under the Data Protection Act, 2019. Data-controller registration with the ODPC is in progress, and a Data Protection Officer will be appointed before general public launch. You may exercise access, correction, and erasure rights as described in the Privacy Policy.

Disputes and corrections

If a screening result matched the wrong entity or cited a record you believe is wrong or out of date, use our contact form or email pilot@bria.co.ke. We acknowledge requests within one business day and aim to respond within 48 hours. Full process detail is in the Privacy Policy.

Reporting a security concern

If you suspect unauthorised use of your API key, or have a security question for a pilot or enterprise agreement, email security@bria.co.ke or use the contact form. We respond to key-rotation requests as a priority.