
Security & Data Protection

Identity infrastructure is the most critical system in an enterprise. This page documents how Butterfly Security protects connected tenants, credentials, and backup data.

Security First

We recommend testing with sandbox/preview environments before connecting production. Only connect your organization's own identity provider instances.

Security commitment

Identity data contains sensitive information about users, groups, and policies. Across Okta, Okta Workflows, and Auth0, Butterfly applies the same handling controls expected of a production identity system. Security takes precedence over convenience in every design decision.

Data In Transit

TLS 1.3 Encryption

  • All connections use TLS 1.3 with strong cipher suites
  • HTTPS enforced on all endpoints - no HTTP fallback
  • HSTS headers prevent downgrade attacks

Data Flow Architecture

Your Browser --[TLS 1.3]--> Cloudflare Edge (Global CDN)
Cloudflare Workers --[TLS 1.3]--> Your Connected System (Okta/Auth0/Okta Workflows)
Cloudflare Workers --[TLS 1.3]--> Cloudflare R2 (Storage)
Cloudflare Workers --[TLS 1.3]--> Supabase (Database)

Data is encrypted at every hop. We never transmit credentials or backup data over unencrypted connections.

Data At Rest

Credentials Storage

  • AES-256 encryption for OAuth private keys
  • Encryption key stored separately from data
  • Tokens only decrypted at backup runtime
  • No plaintext credentials — everything encrypted before storage

Backup Storage

  • Cloudflare R2 with AES-256 encryption at rest
  • Tenant-isolated storage — each customer's data is segregated by unique identifiers
  • Structured backup format per resource type for efficient restore
  • No cross-account access possible (enforced by path structure)
  • Downloads require authenticated session

Database Security (Supabase PostgreSQL)

  • PostgreSQL with Row Level Security (RLS) - users can only access their own data
  • Encrypted at rest with AES-256
  • Automatic daily backups with point-in-time recovery
  • Hosted on AWS infrastructure with SOC 2 compliance

Provider Authentication

Butterfly Security connects to Okta as an OIN (Okta Integration Network) API Service Integration — the same trust model Okta uses for its own marketplace integrations. This means your admin installs a pre-vetted app from the Okta catalog, not a custom API token.

OIN submission in progress

Okta Integration

  • OIN API Service Integration app — installed from Okta's catalog
  • OAuth 2.0 with Private Key JWT (RSA-256) — no shared secrets
  • Scoped permissions — read access for backup, write access used only when your admin enables restore. Every scope is granted explicitly in the Okta Admin Console.
  • Key rotation via kid — update keys without reconfiguring
  • Short-lived access tokens with automatic refresh

Auth0 Integration

  • Auth0 Management API with Client Credentials grant
  • Dedicated M2M application per tenant
  • Credentials encrypted AES-256 at rest

Why OIN matters: OIN apps are submitted to Okta's review process and, once approved, install directly from the Okta catalog — no API tokens to manage, no secrets to rotate manually. Butterfly's OIN submission is currently in progress; this section will update when the listing is approved.

Credential Handling

  • OAuth Private Key: Encrypted with AES-256 at rest. Used to sign JWTs for token requests. Key ID (kid) stored separately for rotation support.
  • Workflows Credentials: Okta Workflows admin username and password (if provided) are encrypted with AES-256 and stored with your connection. Decrypted only during Workflows backup operations.
  • Your Login Session: OAuth 2.0 via Supabase Auth. We never see or store your password. Session tokens are HTTP-only cookies with secure flags.

What We Store

We Store

  • Your email address (for account login)
  • Provider URLs (e.g., yourorg.okta.com, tenant.onmicrosoft.com)
  • Encrypted OAuth keys, tokens, and client secrets
  • Encrypted Workflows credentials (if applicable)
  • Backup files (users, groups, apps, policies, vaults, workflows)
  • Backup metadata (timestamps, sizes, resource counts)
  • Activity logs for audit trail
  • Subscription and plan information

Never stored

  • Your admin passwords
  • User passwords from your identity providers
  • MFA secrets or recovery codes
  • OAuth client secrets from apps
  • Payment card details — handled entirely by Stripe; we never see, process, or store card data
  • Data from other customers' backups
  • Plaintext credentials - everything is encrypted

Export Security

Terraform Export

  • Generated HCL files never contain passwords or API secrets
  • Sensitive values are marked with Terraform variable placeholders
  • Downloads require authenticated session

Git Export

  • Git tokens are encrypted with AES-256 and stored securely for recurring exports
  • Backup JSON is committed without credentials or secrets
  • We recommend using private repositories for backup exports
  • GitHub/GitLab tokens require only repo write permissions

What's In Your Backups

Backups contain configuration data from your identity providers - not authentication secrets:

Identity Providers

Okta and Auth0

  • User profiles and group memberships
  • Applications and assignments
  • Authentication & authorization policies
  • Branding, schemas & configurations

Okta Workflows

  • Flow definitions & folders
  • Tables and data
  • Connector Builder projects

Note: Backups do not include user passwords, MFA configurations, or OAuth client secrets. These sensitive credentials cannot be exported from provider APIs for security reasons.

Infrastructure & Providers

Cloudflare Workers
Application Hosting

Edge-native serverless deployment with global distribution across 300+ data centers. Built-in DDoS protection, WAF, and bot management. Compliance docs are published in the Cloudflare Trust Hub (SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, HIPAA eligible).

Supabase
Database & Auth

SOC 2 Type 2 certified. PostgreSQL with Row Level Security. Hosted on AWS with automatic backups.

Cloudflare R2
Backup Storage

SOC 2 Type 2 certified. S3-compatible object storage with encryption at rest and global edge network.

Scheduled Jobs

Automatic backup scheduling runs via secure cron endpoints with HMAC-verified requests. Jobs execute with configurable intervals from hourly to weekly, with support for custom cron expressions.

Subprocessor Details

For compliance, security, and DPA documentation from our infrastructure subprocessors, see the Cloudflare Trust Hub and Supabase Privacy Policy.

Access Controls

  • Row Level Security (RLS): Database enforces that users can only query their own data - not just application logic.
  • Tenant-Isolated Storage: Each customer's backups are segregated by unique identifiers — no cross-account access is possible.
  • Signed URLs: Download links expire after 1 hour and only work with an active authenticated session.
  • Org Trial Registry: Prevents multi-account abuse by tracking trial usage per identity provider instance, not just per user account.
  • No Admin Backdoor: Even we cannot access your backup data without your explicit permission.
  • Biometric (Face ID / Touch ID) confirmation on every mobile mutation (coming soon): The Butterfly for Okta iOS companion app is in development. When it ships, it will gate restore, rollback, and admin actions behind device biometrics — every time, with no remembered consent. Restore execution stays desktop-only by design.

Rate Limiting & Protection

  • Rate Limit Aware: We monitor each provider's rate limit headers and automatically throttle requests to prevent hitting limits.
  • Exponential Backoff: Automatic retry with increasing delays when rate limits are encountered.
  • Request Timeouts: All API calls have configurable timeouts (30-300 seconds) to prevent hanging operations.
  • Plan-Based Limits: Trial accounts have backup frequency limits to prevent abuse while ensuring fair usage.
  • IP-based API rate limits: Edge middleware throttles auth endpoints (20 req/min on send-code/verify-code), restore endpoints (10 req/min), and all other API routes (120 req/min). Provider-internal webhooks (SCIM, SSF, Stripe) bypass the limiter and rely on their own signature verification.
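The rate-limit-aware throttling and exponential backoff described above, as an added example that is not Butterfly's code. It reads the rate-limit headers Okta (X-Rate-Limit-Remaining / X-Rate-Limit-Reset) and the Auth0 Management API (X-RateLimit-Remaining / X-RateLimit-Reset) actually return; the request function, clock and sleep are injected so the logic runs without a network.

```javascript
// Added example (not Butterfly's code) of rate-limit-aware throttling and
// exponential backoff. Okta returns X-Rate-Limit-Remaining / X-Rate-Limit-Reset
// (epoch seconds) and the Auth0 Management API returns X-RateLimit-Remaining /
// X-RateLimit-Reset; both header shapes are handled. The request function, sleep
// and clock are injected so the logic can be exercised without a network.
function throttleDelayMs(headers, nowSec, reserve = 5) {
  const h = Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const remaining = Number(h['x-rate-limit-remaining'] ?? h['x-ratelimit-remaining']);
  const reset = Number(h['x-rate-limit-reset'] ?? h['x-ratelimit-reset']);
  if (!Number.isFinite(remaining) || !Number.isFinite(reset)) return 0; // no budget info
  if (remaining > reserve) return 0;          // keep a small reserve for other callers
  return Math.max(0, reset - nowSec) * 1000;  // otherwise wait until the window resets
}

// Full-jitter exponential backoff; attempt is 0-based and the delay is capped.
function backoffDelayMs(attempt, { baseMs = 500, capMs = 30000, random = Math.random } = {}) {
  return Math.floor(random() * Math.min(capMs, baseMs * 2 ** attempt));
}

// Retries on 429 and 5xx only; any other status is returned to the caller.
async function callWithBackoff(doRequest, opts = {}) {
  const { maxAttempts = 5, sleep = (ms) => new Promise((r) => setTimeout(r, ms)),
          now = () => Math.floor(Date.now() / 1000), random = Math.random } = opts;
  const waits = []; // delays actually applied, useful for audit logging
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await doRequest();
    const retryable = res.status === 429 || res.status >= 500;
    if (!retryable) return { res, waits };
    // Honour the provider's reset time when it is later than the backoff delay.
    const wait = Math.max(throttleDelayMs(res.headers, now()), backoffDelayMs(attempt, { random }));
    waits.push(wait);
    await sleep(wait);
  }
  throw new Error(`gave up after ${maxAttempts} attempts`);
}
```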

Data Deletion & Portability

Delete Your Data

You can delete all your data at any time from Settings → Delete Account. This permanently removes:

  • Your account and profile
  • All provider connections and encrypted credentials
  • All backup files from cloud storage
  • All activity logs and metadata

Deletion is immediate and irreversible. We retain no copies.

Export Your Data

You can download any backup as JSON at any time. Your data is yours - we use standard formats so you're never locked in. Backups include full resource data with metadata and can be used independently of our service.

Standards & Protocols

OAuth 2.0 Authorization Server (MCP-spec aligned)

Butterfly operates its own OAuth 2.0 authorization server, with RFC 8414 metadata advertised at /.well-known/oauth-authorization-server, so MCP clients and future directory integrations can obtain scoped, audience-bound access tokens.

  • Client ID Metadata Documents (CIMD) — implements the MCP specification revision dated 2025-11-25. Preferred over Dynamic Client Registration for directory-grade clients.
  • Audience-bound tokens (RFC 8707) — clients must pass a resource parameter at authorization; the issued token is bound to that audience and cannot be replayed against other APIs.
  • PKCE (S256) required on the authorization code flow; authorization_response_iss_parameter_supported enabled to defend against issuer-mixup attacks.
  • Discovery metadata published alongside /.well-known/oauth-protected-resource (RFC 9728) and /.well-known/jwks.

Cron Observability & Audit Trail

Every scheduled job (backups, drift monitoring, IDP drills) writes structured lifecycle events to the same activity_logs table that powers in-app audit views.

  • cron_*_start / _complete / _error rows per run — auditors can prove a job ran (or failed to run) on every interval.
  • All iOS admin proxy routes (suspend, clear sessions, reset MFA, network-zone toggle) write capability-gated audit rows with actor, target, scope, and outcome.
  • Cron endpoints are gated by a shared CRON_SECRET managed in the Cloudflare dashboard; no public invocation is possible.

Audit Pack (Evidence-Grade PDF)

One-click export designed for auditors and incident retrospectives.

  • SHA-256 manifest — every section of the PDF is hashed, with a top-level manifest hash printed on the cover and final page. Tampering with any section invalidates the manifest.
  • Manifest hash is also returned as an HTTP response header (X-Audit-Pack-Manifest) for out-of-band verification.
  • Contains backup history, restore drills, drift events, and identity-resilience scoring scoped to the requesting team.

Compliance Frameworks Supported

Butterfly's compliance remediation engine ships policy templates and evidence generation aligned to 6 frameworks. These are control-alignment tools — Butterfly has not completed a third-party SOC 2 Type 2 or ISO 27001 audit. Subprocessor certifications are documented above.

  • SOC 2: Templates + remediation
  • HIPAA: Templates + remediation
  • PCI DSS: Templates + remediation
  • NIST: Templates + remediation
  • ISO 27001: Templates + remediation
  • CIS Controls v8: Templates + remediation

CIS Controls v8 coverage focuses on Controls 1 (asset inventory), 2 (software inventory), 4 (admin privileges), and 5 (account monitoring) — implemented in the automated compliance-check engine with per-finding remediation guidance.

Security Practices

  • Dependencies are automatically scanned and updated for security vulnerabilities
  • Code changes require review before deployment
  • Secrets are managed through environment variables, never committed to code
  • All admin access to infrastructure requires MFA
  • Regular security reviews of authentication and authorization logic
  • Activity logging for audit trail and anomaly detection
  • Health checks and automatic restart on failure (max 3 retries)
  • Responsible disclosure: Security researchers can report vulnerabilities to security@butterflysecurity.org. We aim to acknowledge reports within 48 hours.

Security Questions?

If you have security questions, need documentation for your compliance team, or want to report a vulnerability: