Sample · Anonymized

This is what €29 buys.

Inaudity report · VG-00427

brightflow-hr.ai

24 · Higher risk

Bottom line

A 4-month-old, 2-person AI HR startup processing employee data through OpenAI — too early and too exposed for anything sensitive.

brightflow-hr.ai is an LLM wrapper for HR analytics. The domain is four months old, the team is two people, there is no DPA, no SOC 2, and the privacy policy explicitly allows training on customer inputs. Suitable only for low-stakes pilots with dummy data.

Vendor profile

AI-powered HR analytics platform aimed at European SMBs. Marketed as a way to surface attrition risk, engagement drift and comp anomalies from existing HRIS data, all routed through large language models.

HQ: Delaware, US
Founded: Feb 2026
Employees: 2 (LinkedIn)
Funding: €420k pre-seed
Name: brightflow-hr.ai

Who is this suitable for?

Caution advised — avoid for anything sensitive

This vendor is extremely young, has no compliance certifications, processes employee personal data through OpenAI, and shows no evidence of security maturity. Only consider for low-stakes experimentation.

Solo founder / micro business · caution

Worth a 30-day pilot with dummy data only. Do not upload real employee records.

Small team (5–50) · avoid

Missing DPA, SOC 2 and data residency guarantees. Legal exposure is too high.

Enterprise / regulated industry · avoid

No compliance certs, no sub-processor list, AI training opt-out absent. Not viable.

What could go wrong?

Estimated impact: High

If this vendor fails, gets acquired, or shuts down:

If brightflow-hr.ai is acquired or shuts down, customer HR data may become inaccessible, no documented migration path exists, and you'd carry the regulatory exposure for any data already processed by their LLM provider.

  • Customer employee data may become inaccessible with no export path.
  • No documented migration process to a successor HRIS or analytics tool.
  • Regulatory exposure from missing DPA and unclear sub-processor chain.
  • Business continuity depends on a 2-person team with ~8 months of runway.

Is this built with AI?

Built on AI: OpenAI (GPT-4o) · Pinecone (vector DB)

Core product is an LLM wrapper. The homepage ships an OpenAI client script, marketing copy is built around "AI-powered insights", and the privacy policy reserves the right to use inputs to improve models.

  • Homepage <script> from api.openai.com
  • Privacy Policy §6: "We may use Inputs to improve our models."
  • No public sub-processor list

Scoring breakdown

Security · 18/100

No published security page, no SOC 2, no pen-test summary. Single admin on AWS root.

Compliance & legal · 12/100

No DPA template, no sub-processor list, vague data-residency claims.

Privacy & data handling · 22/100

Privacy policy §6 reserves the right to train models on customer inputs.

Financial stability · 29/100

Pre-seed runway estimated at ~8 months. Concentration risk on a single founder.

Operational maturity · 46/100

Public changelog and pricing are positives. No status page or SLA.

Reputation & track record · 38/100

Founders have no prior security or HR-tech exits. Limited third-party coverage.

AI & data-training risk · 25/100

OpenAI script on homepage; no opt-out for training; no model/version disclosure.

Findings (4)

  • Domain registered 4 months ago (Feb 2026) · operational · high

    WHOIS shows the brightflow-hr.ai domain was first registered in February 2026 via Namecheap. A vendor this young has no track record under real load and is statistically far more likely to pivot or shut down within 18 months.

    WHOIS · namecheap.com

  • No DPA, SOC 2 or ISO 27001 referenced anywhere on the site · compliance · high

    Three pages were scraped — /security, /legal and /privacy — and none reference a Data Processing Agreement template, SOC 2 Type II report, or ISO 27001 certification. For a vendor that processes employee personal data, this is a hard blocker for most EU buyers.

    /security · /legal · /privacy

  • Privacy policy reserves the right to train on customer inputs · privacy · high

    Privacy Policy §6 states: "We may use Inputs to improve our models." There is no opt-out flag, no enterprise carve-out, and no published sub-processor list. Any employee data uploaded is in scope.

    Privacy Policy §6.2

  • Founding team has no prior security or HR-tech exits · reputation · medium

    Cross-checked both founders on LinkedIn. Backgrounds are in generalist SaaS and growth marketing, with no prior roles in security, compliance, or HR technology. This isn't disqualifying, but it does mean institutional knowledge is thin.

    LinkedIn · 2 profiles
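The checks the findings above describe, written out as an added Python triage script (not Inaudity's own pipeline): WHOIS domain age, keyword presence across /security, /legal and /privacy, a training clause in the privacy policy, and third-party AI script tags on the homepage. The page contents and WHOIS date are constructed samples, and the 12-month age threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample inputs standing in for the scraped pages and the WHOIS
# record; hypothetical content, not the real brightflow-hr.ai site.
SAMPLE_PAGES = {
    "/": '<html><script src="https://api.openai.com/v1/client.js"></script></html>',
    "/security": "<p>We take security seriously and use a secure cloud provider.</p>",
    "/legal": "<p>Terms of service. Governing law: Delaware.</p>",
    "/privacy": "<p>6. We may use Inputs to improve our models.</p>",
}
SAMPLE_WHOIS = {"creation_date": date(2026, 2, 3)}
SAMPLE_TODAY = date(2026, 6, 1)

COMPLIANCE_TERMS = {
    "DPA": r"\b(data processing agreement|DPA)\b",
    "SOC 2": r"\bSOC\s*2\b",
    "ISO 27001": r"\bISO\s*27001\b",
}
AI_HOSTS = ("api.openai.com", "api.anthropic.com")
# "use ... inputs/data ... improve/train" within a short window, case-insensitive
TRAINING_CLAUSE = r"\buse\b.{0,40}\b(inputs?|data)\b.{0,40}\b(improve|train)"

def domain_age_months(creation, today):
    return (today.year - creation.year) * 12 + today.month - creation.month

def missing_compliance_terms(pages):
    # Keyword presence is a triage signal only: a page may mention "DPA" while
    # saying it has none, so a hit still needs a human read.
    text = " ".join(pages.get(p, "") for p in ("/security", "/legal", "/privacy"))
    return [n for n, pat in COMPLIANCE_TERMS.items() if not re.search(pat, text, re.I)]

def third_party_ai_scripts(homepage_html):
    srcs = re.findall(r'<script[^>]+src=["\']([^"\']+)', homepage_html, re.I)
    return [s for s in srcs if any(h in s for h in AI_HOSTS)]

def training_clause_present(privacy_html):
    return re.search(TRAINING_CLAUSE, privacy_html, re.I | re.S) is not None

def assess(pages, whois, today):
    # Returns (category, severity, message) tuples mirroring the report's layout.
    findings = []
    age = domain_age_months(whois["creation_date"], today)
    if age < 12:  # assumed threshold for "too young to have a track record"
        findings.append(("operational", "high", f"domain registered {age} months ago"))
    if missing := missing_compliance_terms(pages):
        findings.append(("compliance", "high", "no " + ", ".join(missing) + " referenced"))
    if training_clause_present(pages.get("/privacy", "")):
        findings.append(("privacy", "high", "privacy policy allows training on inputs"))
    for src in third_party_ai_scripts(pages.get("/", "")):
        findings.append(("ai", "medium", f"third-party AI script on homepage: {src}"))
    return findings
```

Running `assess(SAMPLE_PAGES, SAMPLE_WHOIS, SAMPLE_TODAY)` on the constructed inputs reproduces the first three findings above plus the homepage script hit.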

Procurement Call Pack

Ask these on your next call with the vendor. Each question comes with example answers to watch for — red flags to walk away from, and concrete answers that should reassure you.

data security

  • Where exactly is our employee data stored — region, cloud provider, and full sub-processor list?

    Why it matters: Vague answers here usually mean the vendor hasn't actually thought about data residency or doesn't want to commit on paper.

    Red flag answers

    • ❌ "We use a secure cloud provider."
    • ❌ "I'll get back to you on the sub-processor list."

    Good answers

    • ✅ AWS eu-central-1, with a signed BAA and a public sub-processor page.
    • ✅ Named sub-processors with 30-day change notification in the DPA.

compliance

  • Will you sign our DPA, or do we have to accept yours unchanged?

    Why it matters: A vendor that refuses any DPA edits is telling you they have no legal capacity — that breaks the moment GDPR audit season starts.

    Red flag answers

    • ❌ "We don't currently have a DPA."
    • ❌ "Our DPA is non-negotiable."

    Good answers

    • ✅ We'll review your DPA within 5 business days.
    • ✅ We accept standard EU SCCs and Annex II as published.

continuity

  • If you shut down or get acquired tomorrow, how do we get our data out — and in what format?

    Why it matters: Tests whether export tooling actually exists, or is a roadmap item that quietly never ships.

    Red flag answers

    • ❌ "We don't currently support exports."
    • ❌ "You can request a CSV by email."

    Good answers

    • ✅ Self-serve export to JSON and CSV, 30-day retention after termination.
    • ✅ Documented escrow arrangement with a third-party trustee.

Alternatives to evaluate

Looking at brightflow-hr.ai? Compare against these alternatives before committing. Each is scored on security posture, company maturity, and how easy it is to leave.

Leapsome

Mature German HR analytics & performance platform with full DPA, SOC 2 Type II and EU data residency.

Security 82 · Maturity 88 · Easy to leave 74
leapsome.com

Personio Insights

Established EU HRIS with native analytics. Stronger compliance posture and clearly documented exports.

Security 86 · Maturity 92 · Easy to leave 68
personio.com

Charthop

US-based but enterprise-ready, with published sub-processors and SCC-backed EU data transfers.

Security 78 · Maturity 80 · Easy to leave 72
charthop.com

Sources

Methodology v0.4-beta · Inaudity

One scan. One decision. No regrets.

Don't sign that contract blind.

Five minutes and €29 between you and a year of regret. Paste a URL, we'll do the rest.

€29 · one-time · Failed scans auto-refund · Report in your inbox in 5 min