Security at Buildorado
Your data is protected at every layer — from encrypted credential storage to network-level defenses. Security is built into every part of the platform, not bolted on.
Encrypted Credential Vault
API keys, OAuth tokens, and connection credentials are stored in a dedicated vault using envelope encryption with managed keys. Credentials are never logged, never returned in API responses, and are only decrypted at the exact moment they're needed for an action. Expired or invalid credentials are automatically quarantined.
Encryption Everywhere
All data is encrypted at rest and in transit. Connections use modern TLS. Sensitive fields use additional application-level encryption with auto-rotating managed keys.
OAuth & Token Security
OAuth flows use PKCE with one-time state tokens and replay prevention. Refresh tokens are encrypted at rest. Expired or invalid credentials are quarantined instantly and flagged for re-authorization.
Network & Runtime Protection
Web application firewall, DDoS mitigation, and request-level validation protect all endpoints. User-submitted code runs in isolated sandboxes with strict CPU, memory, and time limits. Outbound requests from workflows are validated to prevent SSRF and internal network access.
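The outbound-request validation described above, as an added illustration (not Buildorado's code): resolve the destination hostname and refuse any address in loopback, link-local, private or IPv4-mapped ranges before the workflow is allowed to connect. The `fake_resolver` and hostnames are constructed for an offline run; the blocked-range list is an assumption and a real deployment would also re-check on every redirect and at connect time, since DNS answers can change between validation and use.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an outbound workflow request must never reach (illustrative list).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(addr):
    """True if the literal address falls inside a blocked range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a workflow's outbound destination."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "unresolvable host"
    # Every address the name resolves to must be allowed, not just the first.
    for addr in {info[4][0] for info in infos}:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"

# Constructed resolver so the check runs offline; mirrors getaddrinfo's shape.
FAKE_DNS = {"api.example.com": ["203.0.113.10"],
            "internal.example": ["10.0.0.5"],
            "mapped.example": ["::ffff:10.0.0.1"]}

def fake_resolver(host, port, proto=None):
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("constructed: no such host")
        addrs = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in addrs]
```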
Access Control & Identity
SAML single sign-on (SSO), SCIM directory provisioning, and role-based access control. Comprehensive audit logs, with PII redacted, track every action. Multi-factor authentication is supported.
Input Sanitization & Hardening
All user input is sanitized against XSS, SQL injection, and header injection attacks. Webhook payloads are deduplicated with idempotency protection, and request deduplication prevents duplicate submissions.
Compliance
GDPR: Compliant
SOC 2 Type II: In Progress
HIPAA: On Roadmap
Penetration Testing: Scheduled
Report a vulnerability
If you discover a security issue, please report it responsibly to [email protected]. We take all reports seriously and will respond within 48 hours.