Your code lives on your GitHub
Every project Buildra generates is committed to a GitHub repository under your account. Private repos stay private. We don't operate a proprietary code store — if you cancel tomorrow, your code is still on your GitHub.
How we handle your code, your prompts, and your deployments — written in plain English so you can make an informed decision before you ship real applications on Buildra.
All traffic to buildra.dev and to generated deployments uses TLS 1.2 or later. HSTS is enabled with a two-year max-age and includeSubDomains. The domain is on the HSTS preload list.
Application data is stored in managed Postgres (Supabase) with AES-256 encryption at rest. Secrets are stored in Vercel's encrypted environment variable store, scoped per-project and never logged.
Your prompts and generated code are processed by the AI providers we route to (Anthropic, OpenAI). We don't sell prompts or generated code, and we don't use your code to train third-party models. See our privacy policy for the full data-handling detail.
Every Buildra-served page ships a restrictive CSP: default-src 'self', explicit allowlists for analytics and font origins, frame-ancestors 'none', and base-uri 'self'. XSS surface is intentionally small.
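To check the HSTS and CSP statements above against the headers a deployment actually returns, the following added example (not Buildra's own code) audits a header dictionary against the stated policy. The function names, the sample headers and the `analytics.example` and `fonts.example` origins are constructed for illustration.

```python
# Added example: audit response headers against the HSTS and CSP policy this page states.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds

def parse_hsts(value):
    """Return (max_age or None, set of lower-cased flag directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored (first one wins)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers):
    """Return findings; an empty list means the headers match the stated policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
    if max_age is None or max_age < TWO_YEARS:
        findings.append("hsts: max-age under two years")
    # Preload-list eligibility requires both flags to be present in the header.
    for flag in ("includesubdomains", "preload"):
        if flag not in flags:
            findings.append(f"hsts: missing {flag}")
    csp = parse_csp(h.get("content-security-policy", ""))
    required = {"default-src": ["'self'"], "frame-ancestors": ["'none'"], "base-uri": ["'self'"]}
    for directive, expected in required.items():
        if csp.get(directive) != expected:
            findings.append(f"csp: {directive} is not {expected[0]}")
    # "Explicit allowlists" rules out a bare wildcard source in any directive.
    findings += [f"csp: wildcard in {d}" for d, srcs in csp.items() if "*" in srcs]
    return findings

# Constructed sample headers (placeholder origins), not captured from buildra.dev.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://analytics.example; "
                                   "font-src 'self' https://fonts.example; frame-ancestors 'none'; base-uri 'self'"}
WEAK = {"strict-transport-security": "max-age=31536000",
        "content-security-policy": "default-src 'self' *; frame-ancestors 'self'"}
```

A policy delivered only in `Content-Security-Policy-Report-Only` is not enforced by browsers, so this check reads the enforcing header alone.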
Buildra runs on Next.js, TypeScript, Supabase, Vercel, and a curated set of open-source libraries. Dependencies are continuously scanned for known CVEs and patched on a regular cadence.
Account authentication is handled by Supabase Auth. Passwords are never stored in plaintext — only bcrypt-hashed digests. GitHub and Google OAuth are supported as SSO options.
Production access is limited to a small set of core engineers, requires 2FA, and is audit-logged. Customer data is accessed only to investigate a support issue you've opened or to respond to a legal requirement.
If you believe you’ve found a security vulnerability in Buildra or a Buildra-generated application, please email security@buildra.dev with reproduction steps. Please give us a reasonable window to investigate and remediate before public disclosure. We appreciate the work of the security research community and we’ll credit researchers who report in good faith.
Buildra is not currently SOC 2 certified. For enterprise customers that require a formal compliance posture, email support@buildra.dev — we can discuss the current control set, pending audits, and a contract that covers your specific requirements.
We answer them seriously. Every message to security@buildra.dev gets a human reply.