Trust
Subprocessors.
The third-party services Butterfly Security uses to deliver our product, what data they handle, and where they handle it. We keep this list short on purpose.
Last reviewed: 2026-06-03. Material changes are announced 30 days in advance to customers on Standard and Business plans, in line with our terms of service and Data Processing Addendum.
Cloudflare, Inc.
Purpose
Application hosting (Workers), edge caching, DDoS protection, KV storage, and object storage (R2) for customer backup data.
Data processed
Customer Okta tenant snapshots, application logs, request metadata.
Processing region
Global edge, US-anchored.
Supabase, Inc.
Purpose
Primary application database (Postgres) and authentication backbone for customer accounts.
Data processed
Account metadata, plan + billing identifiers, encrypted Okta connection records.
Processing region
United States.
Stripe, Inc.
Purpose
Subscription billing, invoicing, payment processing, customer portal.
Data processed
Customer name, billing email, payment method tokens, subscription state. Card numbers are tokenized by Stripe and never touch Butterfly servers.
Processing region
United States.
Anthropic PBC
Purpose
Large-language-model inference for the in-product AI assistant and remediation guidance surfaces.
Data processed
User-typed assistant prompts and the structured product context required to answer them. No customer Okta tenant data is sent to Anthropic.
Processing region
United States.
OpenAI, L.L.C.
Purpose
Fallback LLM inference for AI-assisted surfaces when the primary provider is unavailable.
Data processed
Same prompt scope as Anthropic. No customer Okta tenant data is sent to OpenAI.
Processing region
United States.
ElevenLabs, Inc.
Purpose
Voice synthesis for the product demo walkthrough on marketing surfaces.
Data processed
Marketing video voiceover scripts only. No customer data.
Processing region
United States.
GitHub, Inc. (a Microsoft company)
Purpose
Source control, code review, and CI/CD for the Butterfly Security platform.
Data processed
Source code and build artifacts. No customer Okta tenant data.
Processing region
United States.
Google LLC (Workspace)
Purpose
Corporate email, calendaring, and shared document storage for the Butterfly team.
Data processed
Internal correspondence and operational documents. Customer correspondence is segregated to designated mailboxes.
Processing region
United States.
Posture
What we do not send anywhere.
- Customer Okta tenant configurations and snapshots are never sent to any LLM provider. They live in your Cloudflare R2 backup bucket scoped to your account.
- We do not use third-party advertising or session-replay tools on customer dashboards.
- Backups are encrypted at rest. Restore previews and audit packs are generated in-region. No data leaves the processing regions listed above.
Vendor review
Need our full vendor security questionnaire, DPA, or SOC 2 letter?
Available under NDA via the Trust Center or by direct request.