AI access to engineering data, built to be audited
bomrail exists to let AI agents read your PLM, ERP and MES systems. We are acutely aware of what that sentence sounds like to a quality manager, a CFO, or anyone who has been through an export-control review. This page is the plain-language version of how we make that access safer than the spreadsheets and CSV exports it replaces — because that is the bar, and it is lower than people think: exports have no access log, no scope, and no revocation.
Read-only by default
Every bomrail connection starts with zero write capability. The MCP tools we expose for each system are reads: fetch a work order, walk a BOM, check a bill's status. An agent connected to bomrail can answer anything its scope allows and change nothing — there is no tool for it to call that mutates your data, which is a stronger guarantee than a policy asking it nicely.
Write actions exist only on the Growth plan, only for operations you explicitly enable, and only behind per-action human approval: the agent proposes ("draft this change notice to the supplier"), a named person approves that specific action, and only then does it execute. There is no configuration in which an agent writes to your systems unattended.
A complete audit trail
Every tool call is logged: the authenticated user whose session asked, the tool invoked, the arguments, the timestamp, the source system, and a hash of what was returned. Logs are exportable, so AI access shows up in your quality system as a documented, controlled interface — the kind of thing an AS9100 or ISO 9001 auditor can be walked through rather than surprised by. Retention is 30 days on Starter and unlimited on Growth.
Scoped, revocable connections
Systems are connected via OAuth or dedicated read-only roles that you create — bomrail never asks for an admin API key. What agents can reach is bounded twice: by the grant's scope in the source system (a NetSuite role, a Duro workspace selection, Xero's consent screen) and by which bomrail tools your plan and settings expose. Pull the grant at either layer and access ends immediately. Credentials are encrypted at rest; your team members never see or handle them.
ITAR and the self-hosted deployment
If your data is export-controlled, the conversation is different, and it should be: ITAR technical data does not belong on someone else's multitenant cloud, whatever the policy PDF says. For that case bomrail ships as a self-hosted deployment — the same MCP servers, tools and audit trail, running entirely inside your VPC or on-prem perimeter. No engineering data, credentials or logs leave your boundary; bomrail the company never has access. CMMC-aligned environments follow the same path. This is a first-class deployment mode, not an enterprise afterthought — it is on the pricing page as its own tier.
What we deliberately don't do
- No training on your data — yours or anyone's. bomrail is plumbing, not a model.
- No replicated warehouse of your records. Live reads only; the audit log is metadata, not content.
- No shared credentials. One scoped grant per system, never per-user API keys floating in chat.
- No silent writes. Ever. Read-only default, human approval per write action where writes exist at all.
Security FAQ
Does bomrail store our engineering data?
No. bomrail reads your systems live at question time and does not retain the records it reads. What we do keep is the audit log: metadata about each tool call (who, which tool, arguments, timestamp) and a hash of the response — enough to reconstruct what was accessed, without warehousing your data.
How are credentials handled?
Each system is connected once by an admin via OAuth or a scoped service role — never by pasting API keys into chat. Grants are encrypted at rest, scoped to the minimum permissions the tools require, and revocable at any time from the source system or from bomrail.
Can an AI agent modify our PLM, ERP or accounting data?
Not on default settings. Every connection starts read-only. On the Growth plan you can enable specific, narrowly-defined write actions (like drafting a purchase order change notice) — and each execution requires a named human to approve that exact action before anything is sent.
What about prompt injection — a malicious record tricking the agent?
Read-only defaults are the primary containment: a manipulated agent that can only read can leak within its scope but cannot alter your systems. Scoped connections bound the blast radius further, and the audit trail makes any anomalous access pattern visible after the fact.
Where is the SOC 2 report?
In progress, not in hand — we say "SOC 2 roadmap" deliberately. Controls are being built to Type II expectations from the start, and design partners get access to our current security documentation and the audit timeline under NDA.
Security questions we haven't answered here: hello@bomrail.com. Design partners receive our full security documentation under NDA.
Bring your security team
Design partners get direct access to the founder for security review — architecture walkthroughs, documentation, and the SOC 2 timeline under NDA.
Apply for early access