Security
BRIA handles sensitive due-diligence queries. This page summarises how we protect API access, what we log, and how we align with Kenya's Data Protection Act — without publishing operational details that would help an attacker.
API access
Production API calls require a secret key sent in the
Authorization: Bearer header. Keys are issued per customer during
pilot or contract onboarding — not shared across organisations.
Keys carry configurable rate limits to prevent abuse and contain blast radius if a key is exposed. Contact us to rotate a compromised key immediately.
All API traffic is encrypted in transit over TLS. Do not send keys over email or chat — use the secure channel we provide at onboarding.
The public live demo uses a separate, rate-limited endpoint. Production keys never work on the demo page and vice versa.
What we log
We retain enough metadata to operate the service, detect abuse, and answer audit questions — not the full text of every API response.
- Logged: API key identifier (not the secret), company names queried, timestamps, HTTP status codes, and volume metrics.
- Not logged for analytics resale: we do not sell or license your query history to third parties.
- Response bodies: we do not persist full JSON responses in application logs by default.
Retention periods and lawful bases for processing are set out in the Privacy Policy.
Data handling
- Public-record foundation — risk flags cite authoritative sources; we archive raw documents as part of our ingestion pipeline.
- Customer account data — names, work emails, and pilot agreement details are stored only as needed to deliver the service.
- Sub-processors — cloud infrastructure providers may process data on our behalf under contract; details are listed in the Privacy Policy.
- Cross-border transfers — where data leaves Kenya, we apply safeguards described in our privacy documentation.
Kenya Data Protection Act
BRIA Intelligence Ltd is registered in Kenya and processes personal data under the Data Protection Act, 2019. Data-controller registration with the ODPC is in progress, and a Data Protection Officer will be appointed before general public launch. You may exercise access, correction, and erasure rights as described in the Privacy Policy.
Disputes and corrections
If a screening result matched the wrong entity or cited a record you believe is wrong or out of date, use our contact form or email pilot@bria.co.ke. We acknowledge requests within one business day and aim to respond within 48 hours. Full process detail is in the Privacy Policy.
Reporting a security concern
If you suspect unauthorised use of your API key, or have a security question for a pilot or enterprise agreement, email security@bria.co.ke or use the contact form. We respond to key-rotation requests as a priority.