Security at Builder.io

Builder.io has instituted several technical and organizational measures designed to protect the cloud-based services we make available at https://builder.io (the "Builder.io Service"). This page provides a description of our current security measures. 

For more details and relevant documentation, please see our Trust Report, available at trust.builder.io.

Risk Management

Builder.io conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared. 

SOC2 Compliance

Builder is SOC2 Type 2 compliant. Contact us for more details or visit our Trust Report to request access to the report.

Access Controls

1. Authentication

Overview. Builder.io requires authentication for access to all application pages on the Builder.io Service, except for those intended to be public.

Secure Communication of Credentials. Builder.io uses TLS-encrypted POST requests to transmit authentication credentials to the Builder.io Service.

Password Management. We have processes designed to enforce minimum password requirements for the Builder.io Service. We currently enforce the following requirements and security standards for end user passwords on the Builder.io Service:

• Passwords must be a minimum of 8 characters in length and contain at least one digit or special character
• Multiple logins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application
• Email-based password reset links are sent only to a user's pre-registered email address with a temporary link

Password Hashing. End user account passwords stored on the Builder.io Service are hashed with a random salt using industry-standard techniques. 

2. Session Management

Overview. Each time a user signs into the Builder.io Service, the system assigns them a new, unique session identifier.

Sign Out. When signing out of the Builder.io Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Builder.io servers.

Network and Transmission Controls

Builder.io monitors and updates its communication technologies periodically with the goal of providing network security.

1. SSL/TLS

By default all communications from your end users and your visitors with the Builder.io Service are encrypted using industry-standard communication encryption technology. Builder.io currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.

2. Network Security

Builder.io regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

Data Confidentiality and Job Controls

1. Internal Access to Data

Access to your visitor and account data stored on the Builder.io Service is restricted within Builder.io to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).

Builder.io currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Builder.io Service.

2. Job Controls

Builder.io has implemented several employee job controls to help protect the information stored on the Builder.io Service:

• All Builder.io employees are required to sign confidentiality agreements prior to accessing our production systems.
• Builder.io employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data
• New Builder.io employees are subject to background check prior to employment, where permitted by law

Security in Engineering

1. Product Security Overview

The Builder.io software development lifecycle (SDLC) for the Builder.io Service includes many activities intended to foster security:

• Defining security requirements
• Design (threat modeling and analysis, security design review)
• Development controls (static analysis, manual peer code review)
• Deployment controls (such as change management and canary release process).

Builder.io designs, reviews and tests the software for the Builder.io Service using applicable OWASP

2. Code Assessments

The software we develop for the Builder.io Service is continually monitored and tested using processed designed to proactively identify and remediate vulnerabilities. We regularly conduct:

• Peer review of all code prior to being pushed to production
• Manual source code analysis on security-sensitive areas of code

Availability Controls

1. Disaster Recovery

The infrastructure for the Builder.io Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

• State of the art cloud providers: We use Google Cloud Platform and Amazon Web Services, which are trusted by thousands of businesses to store and serve their data and services.
• Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
• Backups: We perform daily, weekly, and monthly backups of data stored on the Builder.io Service, which are tested regularly.
• Availability: Builder.io content is served from multiple countries to ensure that the loss of a major network zone (i.e. country) does not adversely impact the availability of the pages. All network communication will automatically route to the nearest usable server. Our servers are expected to be short-lived and fail at any time, allowing us to create measures to restore the entire system based on the last known good configuration used. The software installed on our systems can be deployed or rolled back quickly without noticeable downtime. Software artifacts are versioned and resist accidental or malicious tampering or deletion.

2. Incident Response

Builder.io has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.

Segregation Controls

1. Data Segregation

Builder.io's systems for the Builder.io Service are designed to logically separate your data from that of other customers. Builder.io's application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.

2. User Roles

The Builder.io Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Builder.io Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project.

Physical Security

Builder.io uses industry-leading cloud platforms (currently Google Cloud Platform and Amazon Web Services) to host its production systems for the Builder.io Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. We rely on their third party attestations of their physical security. Within our headquarters, we employ a number of industry-standard physical security controls.

Privacy

To minimize privacy and security risks and to help our customers avoid unnecessary compliance costs, we design our products to collect only a limited amount of data. To learn more, please see FAQs about Privacy at Builder.

Additional Terms

Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check this page often to view our latest measures. As always, the use of the Builder.io Service is subject to the terms, conditions and disclaimers in our Terms of Service