Your code lives on your GitHub
Every project Buildra generates is committed to a GitHub repository under your account. Private repos stay private. We don't operate a proprietary code store — if you cancel tomorrow, your code is still on your GitHub.
How we handle your code, your prompts, and your deployments — written in plain English so you can make an informed decision before you ship real applications on Buildra.
All traffic to buildra.dev and to generated deployments uses TLS 1.2 or later. HSTS is enabled with a two-year max-age and includeSubDomains. The domain is on the HSTS preload list.
Application data is stored in managed Postgres (Supabase) with AES-256 encryption at rest. Secrets are stored in Vercel's encrypted environment variable store, scoped per-project and never logged.
Your prompts and generated code are processed by the AI providers we route to (Anthropic, OpenAI). We don't sell prompts or generated code, and we don't use your code to train third-party models. See our privacy policy for the full data-handling detail.
Every Buildra-served page ships a restrictive CSP: default-src 'self', explicit allowlists for analytics and font origins, frame-ancestors 'none', and base-uri 'self'. XSS surface is intentionally small.
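The transport and CSP settings described above can be checked against the headers a deployment actually returns. The following is an added example, not Buildra's code: it audits a set of response headers for the stated HSTS values and the three CSP directives named on this page, and the function names and sample header values are constructed for illustration.

```javascript
// Added example, not Buildra code. Header values are constructed samples.
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

// HSTS header -> Map of lowercased directive name to value ('' for flags).
function parseHsts(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out.set(name.trim().toLowerCase(), rest.join('=').trim());
  }
  return out;
}

// CSP header -> Map of directive to sources; first occurrence wins, as in browsers.
function parseCsp(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Returns deviations from the stated policy; an empty array means a match.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = parseHsts(h['strict-transport-security'] || '');
  if (!(Number(hsts.get('max-age')) >= TWO_YEARS)) findings.push('hsts: max-age under two years');
  if (!hsts.has('includesubdomains')) findings.push('hsts: includeSubDomains missing');
  if (!hsts.has('preload')) findings.push('hsts: preload missing');
  const csp = parseCsp(h['content-security-policy'] || '');
  const expected = { 'default-src': "'self'", 'frame-ancestors': "'none'", 'base-uri': "'self'" };
  for (const [directive, want] of Object.entries(expected)) {
    const got = csp.get(directive) || [];
    if (got.length !== 1 || got[0].toLowerCase() !== want) findings.push(`csp: ${directive} is not ${want}`);
  }
  for (const [directive, sources] of csp) {
    if (sources.includes('*')) findings.push(`csp: wildcard source in ${directive}`);
  }
  return findings;
}

const SAMPLE_MATCHING = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; font-src 'self' https://fonts.example; frame-ancestors 'none'; base-uri 'self'",
};
const SAMPLE_WEAK = { 'Strict-Transport-Security': 'max-age=31536000', 'Content-Security-Policy': "default-src 'self' *; frame-ancestors 'self'" };
console.log(auditHeaders(SAMPLE_MATCHING), auditHeaders(SAMPLE_WEAK));
```

To audit a live deployment, pass it `Object.fromEntries(response.headers)` from a `fetch` call.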
Buildra runs on Next.js, TypeScript, Supabase, Vercel, and a curated set of open-source libraries. Dependencies are continuously scanned for known CVEs and patched on a regular cadence.
Account authentication is handled by Supabase Auth. Passwords are never stored in plaintext — only bcrypt-hashed digests. GitHub and Google OAuth are supported as SSO options.
Production access is limited to a small set of core engineers, requires 2FA, and is audit-logged. Customer data is accessed only to investigate a support issue you've opened or to respond to a legal requirement.
Customer data is stored in US regions on Supabase (Postgres) and Vercel (edge runtime) by default. EU-resident customers who require in-region storage should contact [email protected] — we can provision an EU-region project for plans that warrant it.
Account data persists for the lifetime of the account. Generated code stays in your GitHub indefinitely (we don't reach back into your repos). Prompts and chat history are retained for 90 days for debugging and abuse prevention, then automatically purged. Account deletion (via Settings or by emailing [email protected]) removes account-scoped data within 30 days.
We aim to acknowledge confirmed security incidents within 24 hours of internal detection or external report and to publish a status update within 72 hours. Customers materially affected by an incident receive direct email notification with the scope, mitigation status, and any required action.
Buildra uses a small set of third-party services to operate. Each one handles a specific slice of customer data; we don’t share data beyond what each processor needs to do its job. The full list is below so you can evaluate compatibility before you ship on Buildra.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Managed Postgres, auth, file storage | US (default) |
| Vercel | Web hosting, edge runtime, deploys | Global edge / US origin |
| Cloudflare | CDN, DDoS protection, DNS | Global |
| Stripe | Payments and subscription billing | US / EU |
| AWS SES | Transactional email (account, billing, alerts) | US |
| Anthropic | AI model inference (Claude family) | US |
| OpenAI | AI model inference (GPT family) | US |
| GitHub | Source code hosting (your account, your repos) | US |
| Inngest | Durable workflow execution | US |
| PostHog | Product analytics | US (us.i.posthog.com) |
| Sentry | Error monitoring | US |
We notify customers of any new sub-processor that handles customer data. Email [email protected] to subscribe to sub-processor change notifications.
If you believe you’ve found a security vulnerability in Buildra or a Buildra-generated application, please email [email protected] with reproduction steps. Please give us a reasonable window to investigate and remediate before public disclosure. We appreciate the work of the security research community and we’ll credit researchers who report in good faith.
Buildra is not currently SOC 2 certified. For enterprise customers that require a formal compliance posture, email [email protected] — we can discuss the current control set, pending audits, and a contract that covers your specific requirements.
We answer them seriously. Every message to [email protected] gets a human reply.