Security you can actually trust
Your research is your intellectual property. We built Bibby from the ground up with enterprise-grade security, zero-knowledge encryption, and a clear compliance roadmap — so you can focus on science, not security worries.
Our Security Principles
Six non-negotiable commitments we make to every researcher who trusts us with their work.
Zero-Knowledge Architecture
Your research documents are encrypted with keys only you control. We have zero ability to read your content — not even our own engineers.
End-to-End Encryption
AES-256 for data at rest and TLS 1.3 for data in transit, so your content is protected both on the wire and in storage, from the moment you type to the moment it is stored.
Your Data, Your Keys
Encryption keys are generated and held by you, not by us. Because we never hold the keys, we cannot decrypt your research for anyone, including in response to a court order, without your cooperation.
No AI Training on Your Data
Your research never trains any AI model, ours or anyone else's. We use pre-trained models, and requests to our AI subprocessor run under zero-data-retention terms (see the subprocessor table below).
Compliant Infrastructure
Every provider we use holds a SOC 2 attestation, and our cloud and AI subprocessors (GCP, AWS, Gemini) are HIPAA compliant under signed BAAs. Each provider's attestations are listed in the subprocessor table below. We don't cut corners on infrastructure.
Isolated Data Environments
Bibby is multi-tenant, and each user's data is logically isolated. Isolation is enforced at the database layer with row-level security policies scoped to the authenticated user, so a query can only ever return rows that belong to that account, and application code cannot accidentally leak one tenant's data into another.
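The following is an added illustration of what a row-level security policy of this kind looks like on Postgres with Supabase helpers; it is not Bibby's schema or code. The table name, columns, policy names and the `ciphertext` column are assumed for the example. It shows the weak starting point (a table with RLS off), the hardened policies, and a query that checks no table was left without RLS.

```sql
-- Added example (not Bibby's schema): Postgres row-level security in the style
-- Supabase uses. Table, columns and policy names are assumptions.

-- Weak starting point: RLS is off. Any role that can SELECT on the table sees
-- every tenant's rows; isolation depends entirely on application code
-- remembering to add WHERE owner_id = ... on every query.
create table documents (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users(id),
  title      text not null,
  ciphertext bytea not null,   -- assumed: client-encrypted content, opaque to the server
  created_at timestamptz not null default now()
);

-- Hardened: enable and force RLS, then re-open access only through policies
-- bound to the caller's identity. auth.uid() is the Supabase helper that reads
-- the 'sub' claim of the caller's JWT.
alter table documents enable row level security;
alter table documents force row level security;  -- also applies to the table owner role

-- With RLS on and no policies, no rows are visible (deny by default). Each policy
-- re-opens exactly one operation. The WITH CHECK clauses stop a user from
-- inserting rows, or re-parenting existing rows, under someone else's owner_id.
create policy "owner can read own documents"
  on documents for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own documents"
  on documents for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own documents"
  on documents for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own documents"
  on documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- Check: RLS protects nothing on a table where it was never enabled. This lists
-- ordinary tables in the public schema with row security off; the expected
-- result for a correctly isolated schema is an empty set.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Two caveats a reviewer would check alongside the policies: the Supabase `service_role` key bypasses RLS entirely and must only ever be used server-side, never shipped to a browser or mobile client; and any new table added later starts with RLS off, so the final query (or an equivalent CI check) should run on every schema migration.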
Compliance Status
A transparent view of our current certifications and our roadmap for organizational attestations.
Organizational SOC 2 & HIPAA — Target: Q3 2026
While our entire infrastructure runs on SOC 2 and HIPAA compliant providers, we are actively completing our own organizational audit. Our engineering and legal teams are working with a third-party auditor to finalize attestation.
- Done: Our cloud providers (AWS, GCP) hold SOC 2 Type II reports, and all data is stored in their audited data centers.
- Done: Infrastructure and AI subprocessors (Gemini) are HIPAA compliant, with signed BAAs.
- Done: GDPR compliance for EU researchers, including the rights to access, export, and erasure.
- Done: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- In progress: Organizational SOC 2 Type II. Target: Q3 2026. We are undergoing the audit process for our own organizational attestation.
- In progress: Organizational HIPAA. Target: Q3 2026. An independent HIPAA compliance assessment is in progress alongside our SOC 2 audit (HHS does not issue HIPAA certifications, so this takes the form of a third-party attestation).
Subprocessors & Infrastructure Partners
We are fully transparent about every third-party service that may process your data. We only partner with best-in-class, compliant providers.
| Provider | Purpose | Region | Compliance |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, storage, compute | US / EU | SOC 2 Type II, HIPAA, ISO 27001, GDPR |
| Amazon Web Services (AWS) | Cloud infrastructure and CDN | US | SOC 2 Type II, HIPAA, ISO 27001, GDPR |
| Gemini AI (Google) | AI language model processing | US | HIPAA, SOC 2, zero data retention |
| Supabase | Authentication and database | US | SOC 2 Type II, GDPR |
| Vercel | Frontend hosting and edge delivery | Global | SOC 2 Type II, GDPR |
Vulnerability Disclosure
We believe in responsible disclosure. If you discover a security vulnerability in Bibby, please contact our security team directly. We commit to acknowledging your report within 24 hours and providing a resolution timeline within 72 hours.
[email protected]
Incident Response
In the event of a security incident involving personal data, we notify the competent supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33, and notify affected users without undue delay, as required by GDPR Article 34. We maintain a dedicated incident response plan with defined roles, escalation paths, and communication protocols.
Read our Privacy Policy →
Questions about security?
Our security team is available to answer any questions from researchers, IT administrators, or enterprise procurement teams. We welcome detailed technical inquiries.