Biotech data deserves
biotech-grade handling.
How we protect your researchers, your mailboxes, your credentials, and your customer relationships.
Foundations
Security fundamentals, built in.
Encryption at rest + in flight
AES-256 for data at rest. TLS 1.3 for data in transit. Mailbox credentials are sealed with per-tenant envelope encryption: each tenant's credentials are encrypted under a tenant-specific data key, and that data key is stored only wrapped by a master key held outside the database, so a database dump on its own yields nothing but ciphertext.
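As an added illustration of what per-tenant envelope encryption means in practice (example code written for this page, not Beanstalks' own implementation), the block below wraps a fresh data-encryption key (DEK) per credential under a key-encryption key (KEK) and binds both ciphertexts to the tenant ID as associated data. The KEK, tenant names, credential value and the in-memory record layout are assumptions for the example; in a real deployment the KEK would be held by a KMS or HSM and never written to the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what the database would store for one mailbox credential.
// Everything in it is ciphertext: the DEK is present only wrapped under the KEK,
// and the credential is present only encrypted under that DEK. The KEK itself is
// never stored here (assumed to live in a KMS/HSM for this example).
type EnvelopeRecord struct {
	TenantID   string // public; used as AAD so a record cannot be moved between tenants
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=TenantID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, credential, aad=TenantID)
}

// seal encrypts plaintext under key with AES-256-GCM, a fresh random nonce and the
// given associated data; the nonce is prepended to the returned blob.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to key, nonce, ciphertext or aad fails the GCM tag check.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// SealCredential generates a fresh 256-bit DEK for this credential, wraps the DEK
// under the KEK, and encrypts the credential under the DEK.
func SealCredential(kek []byte, tenantID string, credential []byte) (EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EnvelopeRecord{}, err
	}
	aad := []byte(tenantID)
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := seal(dek, credential, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenCredential needs the KEK: unwrap the DEK first, then decrypt the credential.
func OpenCredential(kek []byte, rec EnvelopeRecord) ([]byte, error) {
	aad := []byte(rec.TenantID)
	dek, err := unseal(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", rec.TenantID, err)
	}
	return unseal(dek, rec.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed for the example; a real KEK comes from a KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := SealCredential(kek, "tenant-acme", []byte("imap-app-password"))
	if err != nil {
		panic(err)
	}
	// A database dump contains rec but not kek: recovery without the KEK fails.
	if _, err := OpenCredential(make([]byte, 32), rec); err == nil {
		panic("ciphertext opened without the KEK")
	}
	pt, err := OpenCredential(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with KEK: %s\n", pt)
}
```

Two properties matter for the "DB dump is useless" claim: the wrapped DEK is only recoverable with the KEK, and because the tenant ID is authenticated as associated data, an attacker with write access cannot copy one tenant's wrapped key or ciphertext into another tenant's row and have it decrypt there.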
SSO + SAML + SCIM
Enterprise customers use Okta, Azure AD, Google Workspace, or OneLogin. SCIM provisioning keeps seats in sync with your IdP automatically.
Role-based access
Admin, Manager, Rep, Read-only roles. Principle of least privilege enforced across the app. Full audit log of role changes.
Your data is yours
Zero training on customer data. No AI vendor retention of prompts or outputs. Full export and deletion on request — typically within 48 hours.
Audit logs
Every admin action, every data export, every credential change — logged, retained, and exportable. SIEM pipeline integration on Enterprise.
Infrastructure hygiene
All production services behind authenticated endpoints. Principle-of-least-privilege IAM. Automated secret rotation. Continuous dependency scanning.
Compliance posture
Where we are, where we're going.
We're building toward an enterprise-ready compliance program. Here is honest current status — we update this page when posture changes.
- SOC 2 Type II: on audit path, target completion 2026 Q4
- GDPR: compliant data handling today; DPA available on request
- HIPAA: not currently in scope (we do not process PHI)
- Data residency: US by default; EU-only residency on Enterprise
- Penetration testing: annual, reports available under NDA
Vendors & subprocessors
The services we share data with, listed.
Beanstalks relies on a short list of infrastructure vendors. Every one has a DPA and a security review on file. Customers can review the list in full and opt out of specific processors where operationally possible.
- Supabase — primary Postgres database (US-East)
- Render — backend compute hosting
- Netlify & Vercel — static frontend hosting
- Anthropic — AI generation (zero retention on customer prompts)
- Mailivery — mailbox warmup (white-labeled, no customer data exposure)
- Stripe — payment processing (no card data touches our servers)
Incident response
What happens when something goes wrong.
We have a 24x7 on-call rotation for critical incidents. The playbook: detect → contain → notify affected customers within 24 hours → post-mortem within 7 days. The same playbook applies to every incident regardless of blast radius; only the on-call coverage differs by severity.
- On-call rotation: 24x7 for severity-1, business hours for severity-2
- Customer notification: within 24 hours of confirmed incident
- Public post-mortem within 7 days (on non-customer-data incidents)
- Annual tabletop exercise for team readiness
For legal review
Documents your team probably needs.
If you're taking Beanstalks through InfoSec or procurement, these documents are available on request. Email security@beanstalks.io and we will route your request to the right person.
- Data Processing Agreement (DPA)
- Subprocessor list (full, updated)
- Standard Contractual Clauses (SCCs) for EU data
- Penetration test report (under NDA)
- Our completed CAIQ security questionnaire