Security Details
A comprehensive overview of how Breeze IP protects your data, our infrastructure, and our approach to security and compliance.
Infrastructure & Hosting
Breeze IP is hosted on Amazon Web Services (AWS) within the EU region. AWS data centers meet the highest standards for physical security and are certified under multiple compliance frameworks including SOC 1/2/3, ISO 27001, and ISO 27017.
Our infrastructure uses network isolation, firewalls, and continuous monitoring to protect against unauthorized access. We architect our systems for high availability and maintain redundancy across services.
Data Protection
Primary platform data is stored at rest within the European Economic Area (EEA). Where customers enable specific integrations or AI-assisted features, limited data may be processed by approved sub-processors outside the EEA. In those cases, appropriate safeguards under GDPR Chapter V apply, including Standard Contractual Clauses (SCCs) and contractual data protection commitments.
All client data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. We enforce HTTPS across all communications.
We maintain regular automated backups and have disaster recovery procedures in place to ensure business continuity. Clients can request data export or deletion at any time.
Access & Authentication
Breeze IP implements role-based access control (RBAC), allowing organizations to define granular permissions for different user roles. This ensures users only have access to the data and functions relevant to their responsibilities.
We support enterprise single sign-on (SSO) via SAML integration, enabling organizations to use their existing identity providers. Multi-factor authentication (MFA) is supported to add an extra layer of security.
Session management includes automatic timeouts and secure session handling to protect against unauthorized access.
AI & Data Processing
Breeze IP uses AI capabilities to help automate document processing and streamline IP management workflows. We currently use OpenAI and Anthropic as AI sub-processors.
AI features are customer-controlled and opt-in. AI-assisted features are enabled at the customer or workflow level — no AI processing occurs on customer data unless the customer has enabled it. Customers can choose to enable AI for specific parts of their portfolio while keeping other data untouched. AI features are clearly identified in the platform.
Where Breeze IP acts as a processor, AI processing is performed on the customer controller's instructions under the customer agreement (including DPA). Where Breeze IP acts as a controller, applicable legal bases are described in the Privacy Policy.
AI sub-processors are contractually restricted from using client data for model training. We have opted out of data training programs with all providers and maintain data processing agreements that ensure client data is handled with strict confidentiality. Provider data handling and retention terms are governed by these agreements and configuration controls. Detailed sub-processor and transfer documentation is available upon request and can be shared under NDA where required. Please contact post@breezeip.com.
This transfer model — EEA-resident storage with AI processing by US-based providers under SCCs — is common across SaaS products that use global AI infrastructure, including EU-based vendors.
AI sub-processor details last reviewed: March 2026.
Compliance & Certifications
Currently in place:
- AES-256 encryption at rest, TLS 1.2+ in transit
- Role-based access control (RBAC) with SSO/SAML support
- Audit logging of key platform actions
- Data Processing Agreements (DPAs) with all sub-processors
- International transfer safeguards (SCCs) for non-EEA sub-processors
- Primary data storage within the EEA
- Records of Processing Activities (ROPA) maintained
- Data Protection Impact Assessment (DPIA) completed for AI features
Compliance roadmap:
- SOC 2 Type II — actively pursuing
- ISO 27001 — actively pursuing
Breeze IP is designed for GDPR compliance. We have implemented concrete technical and organizational measures aligned with its core principles:
- Data minimisation & purpose limitation — we only collect and process data necessary for delivering our services.
- Storage limitation — primary platform data resides within EEA data centers. Where customers enable AI-assisted features, limited data may be processed outside the EEA under appropriate safeguards.
- Integrity & confidentiality — AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, and SSO/SAML support.
- Data subject rights — clients can request data export or deletion at any time by contacting us.
- Processor agreements — data processing agreements are in place with all sub-processors, including AI providers.
We are committed to transparency about our compliance journey and will update this page as we achieve new milestones.
Audit & Monitoring
Breeze IP maintains audit logging to track key actions within the platform, including authentication events, data access, and administrative changes. Audit logs are retained for a minimum of 12 months.
We maintain automated daily backups with recovery procedures designed to minimize data loss and downtime in the event of an incident. Our recovery objectives target a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) appropriate for the nature of the incident, with priority given to restoring critical platform services.
In the event of a confirmed personal data breach, we follow a documented incident-response process. This includes timely notification to affected customers in accordance with applicable customer agreements and, where required by GDPR Article 33, notification to the relevant supervisory authority within 72 hours of becoming aware of the breach.
We conduct vulnerability assessments on a regular basis and perform annual penetration testing against our production environment. Our development team follows secure coding practices and monitors for security advisories affecting our technology stack.
Sub-processor security is reviewed at least annually and whenever a material change is proposed. Customers are notified of sub-processor changes before they take effect, in accordance with applicable customer agreements.
For security or compliance inquiries, contact us at post@breezeip.com.
Organizational Security
Our team follows security-conscious practices including the principle of least privilege for internal access. Employees receive security awareness training and understand their role in protecting client data.
We follow secure development practices throughout our software development lifecycle, including code reviews and dependency monitoring.