Security

Security is foundational, not an afterthought

Enterprise-grade security built into every layer of the Bitrize platform. Your data stays yours.


Certifications and compliance

SOC 2 Type II: Certified. Annual audit by an independent firm.

HIPAA: Compliant. BAA available for healthcare customers.

GDPR: Compliant. Full data subject rights support.

ISO 27001: In progress. Expected Q3 2026.

Encryption

Data encryption everywhere

All data is encrypted at rest and in transit using industry-standard algorithms. Customer-managed encryption keys are available on Enterprise plans.

At rest:        AES-256 encryption for all stored data
In transit:     TLS 1.3 for all network communication
Key management: AWS KMS, with the option for customer-managed keys
Backups:        Encrypted and stored in geographically separate regions

Infrastructure

Secure by design


Network isolation

VPC-based architecture with private subnets. No public-facing database endpoints.

DDoS protection

Multi-layer DDoS mitigation at network and application levels.

WAF

Web Application Firewall with custom rules for API and dashboard protection.

Multi-region

Data residency options in US, EU, and APAC regions.

Disaster recovery

RPO < 1 hour, RTO < 4 hours with automated failover.

Hardened containers

Minimal base images, no root access, read-only file systems.

Access Control

Fine-grained permissions

Role-based access control with granular permissions at the workspace, database, and agent level. SSO with SAML 2.0 and SCIM provisioning for enterprise customers.

RBAC

Role-based access control

SSO / SAML

Enterprise single sign-on

SCIM

Automated user provisioning

MFA

Multi-factor authentication

API Keys

Scoped, rotatable API keys

Audit Logs

Complete activity logging

AI Security

Responsible AI practices

AI agents require special security considerations. Here is how we handle them.


Data isolation

Each customer's AI model context is fully isolated. No cross-tenant data leakage.

No training on your data

Your data is never used to train our models. Query patterns are processed in isolation.

Agent permissions

AI agents operate with the minimum permissions required. No write access without explicit configuration.

Human-in-the-loop

Critical operations require human approval. Configurable approval workflows for destructive actions.

Vulnerability management

We take a proactive approach to security testing with multiple layers of assessment.

  • Quarterly third-party penetration testing
  • Continuous automated vulnerability scanning
  • Bug bounty program with HackerOne
  • Dependency scanning for all open-source components
  • Static application security testing (SAST) in CI/CD

Incident response

Our security team operates 24/7 with defined response procedures.

Severity        Response time   Notification
Critical (P0)   15 minutes      Immediate
High (P1)       1 hour          Within 1 hour
Medium (P2)     4 hours         Within 24 hours
Low (P3)        24 hours        Weekly digest

Internal security practices

Background checks

All employees undergo background verification

Security training

Mandatory quarterly security awareness training

Least privilege

Employees have minimum necessary access

Device management

Encrypted devices with remote wipe capability

Data residency options

Choose where your data is stored and processed. Available on Team and Enterprise plans.

US

us-east-1, us-west-2

EU

eu-west-1, eu-central-1

APAC

ap-southeast-1

Trust center

Request access to our SOC 2 report, penetration test summary, and security questionnaire responses.


Have security questions?

Our security team is available to discuss your requirements and answer any questions.