Brave earns SOC 2 Type II attestation for Brave Search API

Brave’s mission is to build a user-first Web—everything we do is built upon the strongest principles of security and privacy. This includes our development of end-user tools like the Brave browser and Brave Search engine, where we apply stringent controls and the highest internal security standards to ensure our users are protected, even from us.

This high standard also extends to our business products, including the Brave Search API, a developer tool for building applications with data from the Web, powered by Brave’s independent search index.

Recently, the Brave Search API underwent a thorough external audit, and earned our first SOC 2 Type II attestation. SOC 2 will give Brave Search API customers the confidence that one of the primary data sources they rely on to conduct their business has been independently verified as operating according to an industry-standard benchmark for security.

What is SOC 2?

SOC 2 is a voluntary compliance standard created by the American Institute of Certified Public Accountants (AICPA) to help service-providing organizations like Brave protect customer data and manage internal controls. SOC 2 evaluates how well an organization safeguards data through a rubric called the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

SOC 2 compliance is often required by customers and partners to ensure strong data protection practices are in place. It helps customers—in this case partners that use the Brave Search API to build products like AI and search apps—assess the risk associated with our service.

What is the process to get SOC 2 attestation?

To complete the audit and SOC 2 Type II attestation, we didn’t need to change how we normally work or develop. Instead, we needed to document the security controls we already use every day, including how we manage access to internal systems and code repos; how we respond to incidents and outages; how we monitor systems and infrastructure; and how we continue to monitor and assess new risks and threats to our service.

The audit (which took place over an observation period of three months) looked at how well our security practices actually work in real life across our systems. This involved meetings with Brave staff, checking our technical processes, and reviewing our documentation. Prescient Security, an independent auditing company that’s well-known in the tech industry, oversaw the effort. In preparation for the audit, the Brave Search API also underwent an external network penetration test and a Web service penetration test, both performed by Secure Network. They found one low-severity issue that has since been remediated.

In summary, our internal security practices were closely examined, and found to be as secure, stable, and resilient as we strived for them to be.

Why does SOC 2 matter for Brave Search API customers?

Many enterprise customers require SOC 2—it makes the process of security and privacy diligence smoother and easier to verify against an objective, third-party standard. For Brave, SOC 2 verifies our Search API security controls against the review of an independent auditor.

How long did it take to earn the attestation, and how often will the Brave Search API be audited?

An independent auditor verified our security controls over an observation period of three months. From here on, we will undergo a yearly audit to ensure continued SOC 2 Type II compliance.

What’s in the final SOC 2 report, and where can I view Brave’s SOC 2 audit?

Brave’s SOC 2 final report is available upon request under a non-disclosure agreement (NDA) on our trust center. We will also add details of our attestation to the security page in the Search API dashboard, which is available for all Search API customers.
