Trust

Security

How we protect your code, secrets, and runtime.

Encryption

Environment variables and OAuth tokens are encrypted at rest with AES-256-GCM. Session cookies are JWT-signed and set with the Secure and HttpOnly attributes. Automatic Let's Encrypt TLS for every domain.

Isolation

Every deployment runs in its own Kubernetes pod with resource limits. Builds run in ephemeral containers, never reusing tenant state.

Access

Role-based members (admin / developer / viewer). Audit log for every workspace mutation. Postgres access is role-restricted to the API service account.

Disclosure

Found something? Email security@buildfyio.com. PGP key on request. We acknowledge within 24 hours.