Traction snapshot · public
What's true today.
Updated 2026-06-15. Every datapoint on this page links to evidence you can verify yourself. production endpoints, public registries, our own changelog.
Customers paying today: 0.Pre-revenue. Pipeline below.
Shipping velocity
Source repository is private. The public changelog is the verifiable ship log.
Product live
Every surface below returns 200 in production. The deploy commit SHA is in /health.
| Surface | URL | Notes |
|---|---|---|
| Production health endpoint | /health | No-auth JSON, includes deploy commit SHA |
| Dashboard - Backups | /dashboard/backups | Auth required; backup runs, history, restore previews |
| Dashboard - Restore | /dashboard/restore | Preview-first restore with dry-run + diff |
| Dashboard - Restore Readiness Score | /dashboard/readiness | 0-100 per connection + overall |
| Dashboard - Compliance + Audit Pack PDF | /dashboard/compliance | Signed PDF, 7 sections, SHA-256 manifest |
| Trust Center | /trust | Compliance posture, security posture, subprocessor list, DPA |
| Security page | /security | Threat model, OIN API Service Integration scope, key handling |
| Enterprise page | /enterprise | SSO/SCIM, audit log, role separation |
| Compare hub (8 head-to-head pages) | /compare | Acsense, HYCU, Rubrik, MightyID, Druva, Keepit, Backupify, Cohesity |
| Docs | /docs | OIN install guide, MCP server docs, API reference |
| Pricing | /upgrade | Stripe Checkout live in production |
| Changelog | /changelog | Public ship log; source repo is private |
| Status page | /status | Public status |
| OIN listing - butterfly-security-api-service (backup) | https://www.okta.com/integrations/butterfly-security-api-service/ | Published in Okta Integration Network |
| OIN listing - butterfly-security (SSO/SCIM) | https://www.okta.com/integrations/butterfly-security/ | Published in Okta Integration Network |
| Chrome extension (free operator tooling) | https://chromewebstore.google.com/detail/butterfly-for-okta/ | Snapshot, X-Ray, API explorer, health scoring |
| iOS app - Butterfly for Okta | App Store: coming soon | Native SwiftUI app submitted to App Store review. Not generally available yet. Public copy says 'coming soon' until it ships. |
Compliance posture
Identical to the Trust Center. SOC 2 Type II audit is kicking off with Drata this month. No third-party attestation has been issued yet. Source: /trust.
| Framework | Status | Target | Summary |
|---|---|---|---|
| SOC 2 Type 1 | In progress | Q3 2026 | Standing up SOC 2 Type II program with Drata (selected 2026-06-13). Observation window begins this quarter. Scope: Security, Availability, Confidentiality. |
| SOC 2 Type 2 | Planned | Q1 2027 | Three-month observation window planned for Q4 2026 following Type 1 attestation. |
| ISO/IEC 27001:2022 | Aligned (not certified) | – | Controls mapped to Annex A. No certificate today – certification pursued after SOC 2 Type 2 closes. |
| GDPR | Compliant | – | DPA available. Standard Contractual Clauses cover EU-to-US transfers where applicable. Articles 17 and 20 (erasure, portability) implemented in product. |
| CCPA / CPRA | Compliant | – | California Consumer Privacy Act + CPRA aligned. Data-subject rights surfaced in /dashboard/settings/data-rights. |
| HIPAA | Planned | Post SOC 2 Type 2 | Butterfly does not currently sign HIPAA BAAs. Technical and administrative safeguards (45 CFR §164.308, §164.312) are implemented at the platform layer; BAA program planned after SOC 2 Type 2 attestation closes. |
| PCI DSS v4.0 | Out of scope | – | Butterfly never touches cardholder data. All billing is processed by Stripe (PCI DSS Level 1 service provider). |
| NIST 800-53 (Moderate baseline) | Aligned (not audited) | – | Self-mapped against the Moderate baseline. Not third-party audited. |
| CIS Controls v8 | Compliant | – | Controls 1, 2, 4, 5 implemented inside the product's compliance check engine. |
Active evaluation conversations
Anonymized until each party grants permission to be named. Reference contacts available on request after first call.
Cambridge UK biotech (Sr IT Mgr)
Replied within 3h of first cold contact. Active 3-touch sequence. Reference contact pending permission.
Compliance-platform peer (founder-led)
Positive inbound from SOC 2 vendor evaluation, <1h reply. Crossover security-tooling buyer.
Founder-network warm intro (banking + ops)
Soft outreach opened mid-June. 15-minute slot pending.
MSP partner channel conversation
Post-call follow-up window open.
Okta Partner team
Two OIN listings published. Active prep with Okta Partner manager.
Cold outbound activity
31 sends logged since 2026-06-01 across multiple waves · 16 reply / engagement markers. Logged in marketing/outreach/sent.log. Dedup-guarded. no repeat sends to the same cold recipient inside a wave.
Pricing in production
Stripe Checkout is live. Customer Portal active. See /upgrade.
| Tier | Price | What you get |
|---|---|---|
| Free | $0 | 1 Okta connection, 1 total backup, 7-day retention |
| Trial | $0 | 30 days, broad public-platform access |
| Standard | $1/user/mo · $99 min | 2 connections, 90-day retention |
| Business | $2/user/mo · $299 min | Unlimited connections, unlimited retention, Continuity bundled |
Engineering signals
Measurable from the repository and live infrastructure.
Regression test files
186
under tests/
API route handlers in production
305
src/app/api/**/route.ts
/health median latency
~95ms
5-sample curl from US-East, 2026-06-15
/health p95 latency
~1.0s (cold isolate)
Cloudflare Workers cold isolate
This page is the public mirror of an internal traction snapshot. If a datapoint here looks off, email mick@butterflysecurity.org. Source of truth for investor conversations is /raise.