Does Okta have native backup?

No. Okta operates under a shared responsibility model and does not provide built-in backup or restore capabilities. You are responsible for your own disaster recovery.

What Okta resources can Butterfly Security backup?

Butterfly Security supports 70+ resource types including users, groups, applications, policies, authorization servers, Workflows (flows, tables, connectors), brands, and more.

Can I backup Okta Workflows?

Yes. Butterfly Security provides complete Workflows backup including flow definitions, folder structure, table data (CSV export), and custom connectors from Connector Builder.

How long does an Okta backup take?

Backup time depends on org size and provider rate limits. Small orgs (under 1,000 users): 2-5 minutes. Medium orgs (1K-10K users): 10-20 minutes. Large orgs (10K-50K users): 20-45 minutes. Enterprise (50K+ users): 45 minutes to 2+ hours. Nested resources and API rate limits add natural pacing.

Is Butterfly Security secure?

Yes. All backups are encrypted at rest with AES-256, stored in isolated per-account storage, with credentials encrypted separately. We use SOC 2 compliant infrastructure.

Can I export Okta configuration to Terraform?

Yes. Butterfly Security can generate Terraform HCL from your backups, enabling Infrastructure as Code workflows and version-controlled Okta configuration management.

What is a dry-run restore?

Dry-run restore generates a preview showing exactly what would be created, updated, or skipped before making any changes. This ensures safe, predictable restores with no surprises.

Can I restore to a different Okta org?

Yes. Backups use name-based matching so they are portable across orgs. This enables sandbox sync, environment replication, and disaster recovery to alternate orgs.

Security First

Security & Data Protection

We understand that your identity provider is the most critical system in your organization. Here's exactly how we protect your data.

Security First

We recommend testing with sandbox/preview environments before connecting production. Only connect your organization's own identity provider instances.

Our Security Promise

Your identity data contains sensitive information about your users, groups, and policies. Whether it's Okta, Entra ID, Auth0, Ping Identity, or 1Password — we treat it with the same level of care we'd expect for our own identity infrastructure. Every design decision prioritizes security over convenience.

Data In Transit

TLS 1.3 Encryption

All connections use TLS 1.3 with strong cipher suites
HTTPS enforced on all endpoints - no HTTP fallback
HSTS headers prevent downgrade attacks

Data Flow Architecture

Your Browser --[TLS 1.3]--> Cloudflare Edge (Global CDN)

Cloudflare Workers --[TLS 1.3]--> Your Provider (Okta/Entra/Auth0/Ping/1Password/Workato/Boomi/Zapier)

Cloudflare Workers --[TLS 1.3]--> Cloudflare R2 (Storage)

Cloudflare Workers --[TLS 1.3]--> Supabase (Database)

Data is encrypted at every hop. We never transmit credentials or backup data over unencrypted connections.

Data At Rest

Credentials Storage

AES-256 encryption for OAuth private keys
Encryption key stored separately from data
Tokens only decrypted at backup runtime
OAuth private keys encrypted with RSA-256 signing

Backup Storage

Cloudflare R2 with AES-256 encryption at rest
Isolated storage paths: users/{user_id}/connections/{conn_id}/backups/{timestamp}/
JSON files per resource type (users.json, groups.json, apps.json, etc.)
No cross-account access possible (enforced by path structure)
Downloads require authenticated session

Database Security (Supabase PostgreSQL)

PostgreSQL with Row Level Security (RLS) - users can only access their own data
Encrypted at rest with AES-256
Automatic daily backups with point-in-time recovery
Hosted on AWS infrastructure with SOC 2 compliance

Provider Authentication

We support secure authentication methods for each provider — OAuth 2.0 for Okta, Microsoft Graph API for Entra ID, Management API for Auth0, Bearer tokens for Ping Identity and 1Password, and API tokens for Workato, Boomi, and Zapier:

Recommended

OAuth 2.0 (M2M)

Private Key JWT authentication (RSA-256)
Scoped permissions (79 read-only scopes)
Key ID (kid) support for key rotation
Token caching with 4-minute TTL

Best Practice: We recommend using OAuth 2.0 with a dedicated service app. This provides scoped permissions and supports key rotation without updating credentials.

Credential Handling

Credential Type	How It's Handled
OAuth Private Key	Encrypted with AES-256 at rest. Used to sign JWTs for token requests. Key ID (kid) stored separately for rotation support.
Workflows Credentials	Okta Workflows admin username and password (if provided) are encrypted with AES-256 and stored with your connection. Decrypted only during Workflows backup operations.
Your Login Session	OAuth 2.0 via Supabase Auth. We never see or store your password. Session tokens are HTTP-only cookies with secure flags.

What We Store

We Store

Your email address (for account login)
Provider URLs (e.g., yourorg.okta.com, tenant.onmicrosoft.com)
Encrypted OAuth keys, tokens, and client secrets
Encrypted Workflows credentials (if applicable)
Backup files (users, groups, apps, policies, vaults, workflows)
Backup metadata (timestamps, sizes, resource counts)
Activity logs for audit trail
Subscription and plan information

We Never Store

Your admin passwords
User passwords from your identity providers
MFA secrets or recovery codes
OAuth client secrets from apps
Payment card details (handled by Stripe)
Data from other customers' backups
Plaintext credentials - everything is encrypted

Export Security

Terraform Export

Generated HCL files never contain passwords or API secrets
Sensitive values are marked with Terraform variable placeholders
Downloads require authenticated session

Git Export

Git tokens are used only for the export operation, never stored
Backup JSON is committed without credentials or secrets
We recommend using private repositories for backup exports
GitHub/GitLab tokens require only repo write permissions

What's In Your Backups

Backups contain configuration data from your identity providers - not authentication secrets:

Okta Admin Backup

• User profiles (name, email, status)
• Groups and group memberships
• Applications and assignments
• Authentication policies
• Authorization servers
• Network zones and trusted origins
• Identity providers
• Authenticators and behaviors

Workflows Backup

• Workflow folders (.folder exports)
• Flow definitions and configurations
• Tables and table data
• Connector Builder projects
• Connector configurations

Note: Backups do not include user passwords, MFA configurations, or OAuth client secrets. These sensitive credentials cannot be exported from provider APIs for security reasons.

Infrastructure & Providers

Cloudflare Workers

Application Hosting

Edge-native serverless deployment with global distribution across 300+ data centers. Built-in DDoS protection, WAF, and bot management. Compliance docs are published in the Cloudflare Trust Hub (SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, HIPAA eligible).

Supabase

Database & Auth

SOC 2 Type 2 certified. PostgreSQL with Row Level Security. Hosted on AWS with automatic backups.

Cloudflare R2

Backup Storage

SOC 2 Type 2 certified. S3-compatible object storage with encryption at rest and global edge network.

Scheduled Jobs

Automatic backup scheduling runs via secure cron endpoints with HMAC-verified requests. Jobs execute with configurable intervals from hourly to weekly, with support for custom cron expressions.

Access Controls

Row Level Security (RLS): Database enforces that users can only query their own data - not just application logic.
Isolated Storage Paths: Your backups are stored at paths like /{user_id}/{connection_id}/{timestamp}/
Signed URLs: Download links expire after 1 hour and only work with an active authenticated session.
Org Trial Registry: Prevents multi-account abuse by tracking trial usage per identity provider instance, not just per user account.
No Admin Backdoor: Even we cannot access your backup data without your explicit permission.

Rate Limiting & Protection

Rate Limit Aware: We monitor each provider's rate limit headers and automatically throttle requests to prevent hitting limits.
Exponential Backoff: Automatic retry with increasing delays when rate limits are encountered.
Request Timeouts: All API calls have configurable timeouts (30-300 seconds) to prevent hanging operations.
Plan-Based Limits: Trial accounts have backup frequency limits to prevent abuse while ensuring fair usage.

Data Deletion & Portability

Delete Your Data

You can delete all your data at any time from Settings → Delete Account. This permanently removes:

• Your account and profile
• All provider connections and encrypted credentials
• All backup files from cloud storage
• All activity logs and metadata

Deletion is immediate and irreversible. We retain no copies.

Export Your Data

You can download any backup as JSON at any time. Your data is yours - we use standard formats so you're never locked in. Backups include full resource data with metadata and can be used independently of our service.

Our Security Practices

•Dependencies are automatically scanned and updated for security vulnerabilities
•Code changes require review before deployment
•Secrets are managed through environment variables, never committed to code
•All admin access to infrastructure requires MFA
•Regular security reviews of authentication and authorization logic
•Activity logging for audit trail and anomaly detection
•Health checks and automatic restart on failure (max 3 retries)

Security Questions?

If you have security questions, need documentation for your compliance team, or want to report a vulnerability:

security@butterflysecurity.org