Concrete, plain-English description of how we protect your data and your generated code. Last reviewed 2026-05-16.
Every request to buildliy.com is served over TLS 1.3. Database backups, project files, and uploaded assets are encrypted at rest with AES-256.
Sign-in is delegated to OAuth providers (Google, GitHub) plus Supabase Auth for email/password. We never see or store your password.
Hosted on Vercel and Supabase, both SOC 2 Type II certified. Sandboxed code execution runs inside ephemeral E2B containers that are destroyed after every build.
Internal access to customer data is logged, scoped to the smallest possible role, and audited quarterly. No engineer can read your prompts without an approved support ticket.
All API keys and tokens (Anthropic, OpenAI, Stripe, E2B, Supabase service role) live in our hosting provider's encrypted secret store. They are not committed to any repo and not visible to our frontend.
Per-account and per-IP rate limits protect against accidental loops and intentional abuse. Repeated failed builds back off automatically.
Postgres point-in-time recovery is enabled with 7-day retention. Daily full backups are kept for 30 days in a separate region.
Every third party we send data to is reviewed for security posture, data handling, and breach history before it goes into production.
We're not yet SOC 2 certified ourselves — that's on the 2027 roadmap. Our underlying infrastructure (Vercel, Supabase) is SOC 2 Type II. EU customer data is processed in the EU under standard contractual clauses. If you have specific compliance requirements, get in touch.
If you believe you've found a security issue, please email security@buildliy.com. We acknowledge reports within 24 hours and aim to triage within 72. We don't have a paid bug bounty yet, but we publicly credit responsible disclosers.