Beings — Security Overview

Beings Beam Ltd (Companies House no. 13484197), trading as “Beings”. Last revised: May 2025.

Beings is a model-agnostic platform for building, running, auditing, and governing AI agents, with sandboxed execution and human-in-the-loop control. This overview summarises our security posture. Full audit reports and certificates are available to customers under NDA; our Data Processing Agreement and Privacy Policy govern the detail.

Certifications & compliance

  • ISO/IEC 27001 — information security management
  • SOC 2 Type II — security, availability, and confidentiality
  • HIPAA — Business Associate Agreement available where PHI is processed
  • Cyber Essentials
  • UK & EU GDPR — compliant; Beings acts as processor for Customer Content (controller only for limited account, billing, and support data)

Reports and certificates are available to customers under NDA.

Data handling

  • Zero-training guarantee. Customer Content (prompts, files, outputs, embeddings) is never used to train, fine-tune, or improve foundational, public, or cross-tenant models.
  • No secondary use. Customer Content is processed only to deliver the Services, plus a narrow security/abuse-monitoring carve-out — never for analytics, shared datasets, or improving the service for other customers.
  • Minimal provider retention. Prompts traverse the contracted model-provider endpoint for inference only. Where the provider supports zero retention, no copy is retained; otherwise the payload is subject only to that provider’s short anti-abuse caching window. In either case it is never used for training.

Tenant isolation & architecture

  • Cloud deployments are single-tenant and customer-dedicated; self-hosted, sovereign, air-gapped, and local-first deployments run on the customer’s own infrastructure.
  • Agent silos are sandboxed with separate data stores, a credential boundary, and role/purpose-based access controls; cross-tenant access is structurally prevented.

Encryption & access control

  • In transit: TLS 1.3 (or equivalent strong protocols). At rest: AES-256.
  • Secrets and customer-provided API keys (BYOK) are held in dedicated secret vaults / HSMs and never written to logs.
  • Least-privilege, MFA, and just-in-time access; no standing access to Customer Content. Access is logged and staff are bound by confidentiality undertakings.

AI-specific safeguards

  • Human-in-the-loop approval gate for mutating actions, with the ability to intercept, amend, or cancel agent execution.
  • Real-time prompt-injection mitigations before payloads enter the agent execution loop.
  • Model-agnostic routing; foundation-model providers are engaged under enterprise terms that prohibit training on Customer Data.

Sub-processors

  • The platform is model-agnostic; the providers engaged for a given deployment are specified in the Agreement.
  • A current sub-processor list is available to customers on request and is maintained under the DPA (advance notice of changes, with a right to object). Customer-Provisioned Models (BYOK) are not Beings sub-processors.

Monitoring, resilience & incident response

  • Continuous monitoring, vulnerability scanning, and annual third-party penetration testing. Operational logs contain no Customer Content.
  • Encrypted backups with disaster recovery; backup copies are isolated and securely deleted on the standard cycle.
  • Personal data breaches affecting Customer Content are notified to the customer without undue delay and, in any event, within 72 hours of confirming a breach.

Data residency, retention & deletion

  • Region and data residency are configured per deployment (UK / EU / other), with international transfers protected by the UK IDTA/Addendum, EU SCCs, and Swiss (FDPIC) amendments as applicable.
  • Customer-controlled retention; on termination, Customer Content held in Beings’ systems is deleted within 30 days, save for records Beings must retain by law.

Audit & assurance

  • Review of Beings’ current SOC 2 Type II and/or ISO/IEC 27001 reports satisfies the customer’s audit rights under the DPA. Reports are provided under NDA.

Contact

Security and data protection enquiries: trust@beings.com · Beings Beam Ltd, 7 Bell Yard, London, England, WC2A 2JR.