Enterprise-grade security from day one.
Bem ships into the security posture your customers and auditors already expect. SOC 2 Type II, HIPAA, GDPR. Multi-tenant cloud, Private Link, or on-premise. Zero retention and end-to-end encryption on every call.
Procurement-ready from your first call. DPAs, BAAs, SIG, and pen-test summaries available on request.
Verified by independent auditors.
Continuous monitoring, annual third-party audits, and external penetration tests against every public surface. Reports and SIG questionnaires available under NDA.
Built for regulated industries.
Healthcare, financial services, insurance, and logistics buyers run security reviews on bem the way they would on Snowflake or Databricks. We pass.
Deploy where your data lives.
Three deployment models. The same API, the same SDKs, the same observability. Pick the isolation level that matches your governance, then ship.
Multi-tenant cloud
Pay-as-you-go, start in minutes. Logical isolation per organization. 99.99% uptime SLA. US and EU regions.
Private Link
Dedicated single-tenant connectivity. AWS PrivateLink and Azure Private Link. No traffic on the public internet.
On-premise / VPC
The full bem inference engine and API gateway in your Kubernetes cluster or air-gapped environment. Data never leaves your perimeter.
We process your data. We don’t own it.
Bem is architected to minimize liability. The default posture assumes your data is sensitive and never needs to be retained beyond the request that produced it.
Zero retention
Configure pipelines to process data transiently. Bem ingests, transforms, returns structured output, then purges the source file and intermediate state.
End-to-end encryption
TLS 1.3 in transit. AES-256 at rest. Keys rotated on a fixed schedule with strict access controls enforced via AWS KMS.
Key management
Customer-managed keys (CMK) available on Private Link and on-premise deployments. Bring your own KMS for full control over the cryptographic boundary.
Data residency
Pick US or EU at the workspace level. EU/EEA traffic stays on EU endpoints with EU data sovereignty for GDPR-bound workloads.
Security is a team property.
Controls covering the people, processes, and vendors behind the platform. The same checks your internal security team runs on every new SaaS purchase.
Background checks
Mandatory background checks and security awareness training for every employee and contractor.
Least privilege
Production access is granted on a strict need-to-know basis. Ephemeral credentials. MFA enforced. Quarterly access review.
Audit logging
Every function call, schema change, and admin action is logged with actor, timestamp, and payload reference. Exportable to your SIEM.
Vendor management
Critical subprocessors reviewed annually for security and privacy posture. DPAs on file. Subprocessor list published on request.
Read the trust center.
Need the SOC 2 report, the penetration test summary, the SIG questionnaire, or the full subprocessor list? Talk to sales. The document package ships under NDA within one business day.