Skip to main content
Your research data is sensitive. Bower is built with security at every layer — from how data is stored and transmitted, to how access is controlled and audited.

Encryption

In transit

All data between your browser and Bower’s servers is encrypted using TLS. This includes:
  • Every API request and response
  • File uploads and downloads
  • Real-time WebSocket connections
  • Voice and video streams in live agent mode
There is no unencrypted path to Bower’s infrastructure.

At rest

All data at rest is encrypted using AES-256:
  • Database — all notes, collections, metadata, and user records are encrypted at the storage layer.
  • File storage — all uploaded files (images, audio, PDFs, documents) are encrypted at rest.
  • Backups — database backups are encrypted automatically.
Encryption keys are managed by the cloud infrastructure and are not accessible to application code.

Workspace isolation

Workspaces are fully isolated at the database level — not just in the UI.
  • Every database query is scoped to the current workspace. There is no API endpoint that can return data from a workspace you don’t belong to.
  • Workspace membership is verified on every request before any data is returned.
  • Files are stored in workspace-scoped paths and are only accessible via time-limited signed URLs (24-hour expiry).
  • Bird and search are scoped to your current workspace. They cannot access data from other workspaces.
This isolation is enforced in middleware, not application logic — it cannot be bypassed by a misconfigured route or a new feature.

Authentication and access control

  • Token verification — every API request includes a signed authentication token that is verified server-side before any data is returned.
  • Email verification — unverified email addresses are blocked from accessing workspace data.
  • Token expiry — expired or revoked tokens are rejected immediately.
  • Role-based access — four roles (Owner, Admin, Member, Viewer) with a strict hierarchy enforced at the API level.

Audit trail

Every create, update, and delete action in your workspace is logged with:
  • Who performed the action
  • What changed (field-level diffs with before and after values)
  • When it happened
  • The IP address and user agent of the request
Audit logs are accessible from Settings > Security > Audit logs and can be exported to CSV. See the audit logs guide for details.

AI processing

When Bower processes your data — voice transcription, photo text extraction, or Bird conversations — the content is sent to AI model providers for inference. Your data is processed to provide the service and is not used to train AI models.

Deletion

Deletion in Bower is permanent:
  • Deleted notes and attachments are removed from the database and file storage immediately. There is no trash or recovery period.
  • Deleting a collection removes all artifacts and sub-collections within it.
  • Deleting your account removes your profile and all workspaces you own.
If you need to preserve data for compliance or audit purposes, export it before deleting.

Your responsibilities

  • Do not store credentials, passwords, or access tokens in notes.
  • Use workspace roles to control who can access your data.
  • Review the audit logs periodically if your workspace handles sensitive research data.
  • Use a strong, unique password for your Bower account.