Trust Center — Butterfly Security

How we secure, store, and prove our handling of your identity data.

What "aligned" means

Butterfly Security is aligned to the frameworks listed below — meaning our controls, code, and operational practices map to the required safeguards. We are not yet third-party audited against any of these frameworks (no SOC 2 Type 2 attestation, no ISO 27001 certificate). We will publish attestation reports the moment they exist. Until then, every claim on this page corresponds to a control implemented in code or documented in our runbook — ask security@butterflysecurity.org for the underlying evidence.

Compliance posture

| Framework | Scope | Status |
| --- | --- | --- |
| SOC 2 (Type 2) | Security, Availability, Confidentiality | Aligned |
| HIPAA | Technical & administrative safeguards (§164.308, §164.312) | Aligned |
| PCI DSS v4.0 | Access control, logging, encryption (out of scope for cardholder data: Stripe handles all payments) | Aligned |
| NIST 800-53 (Moderate baseline) | Access, audit, configuration, identification & authentication, system & communications | Aligned |
| ISO/IEC 27001:2022 | Annex A controls relevant to a cloud-hosted SaaS | Aligned |
| CIS Controls v8 | Controls 1, 2, 4, 5 implemented in the in-product check engine | Aligned — checks implemented |

The compliance check engine runs daily across all connected tenants. See the features page for the user-facing remediation workflow.

Subprocessors

Third parties that process customer data on our behalf. We notify customers in the changelog before adding a new subprocessor.

Cloudflare
Purpose: Application hosting (Workers), object storage (R2), DNS, edge security
Data processed: All customer-facing traffic; encrypted backup snapshots at rest in R2
Region: Global edge; R2 buckets pinned to operator-selected region

Supabase
Purpose: Postgres database, authentication, realtime channels
Data processed: Account metadata, team membership, connection records, activity logs
Region: US-East (primary)

Stripe
Purpose: Billing for paying customers (Checkout, webhooks, Customer Portal)
Data processed: Billing contact, plan, subscription state. No payment card data ever touches Butterfly.
Region: Global (Stripe-managed)

Twilio SendGrid (Twilio Trust Center)
Purpose: Transactional email (verification codes, restore receipts, drift alerts) and product-update email
Data processed: Email address, message metadata, opt-in/opt-out status
Region: US (SendGrid-managed)

AI model provider (primary)
Purpose: AI guidance, topology analysis, remediation suggestions — opt-in only
Data processed: Redacted Okta metadata required for the specific prompt. Customer data is not used for model training (per API terms).
Region: US

AI model provider (alternative model)
Purpose: AI guidance (alternative model) — opt-in only
Data processed: Redacted Okta metadata required for the specific prompt. Customer data is not used for model training (per API terms).
Region: US

Data handling

What we store

  • Account & team membership records (Supabase Postgres)
  • Connection metadata: org domain, granted OAuth scopes, encrypted access tokens
  • Backup snapshots: users, groups, apps, policies, workflows from your identity tenant
  • Activity logs for every mutation (who, what, when, request ID)

Encryption

  • In transit: TLS 1.3 on every endpoint, HSTS enforced, HTTP fallback disabled
  • At rest: AES-256 envelope encryption for credentials (per-tenant data encryption key, rotated independently of the master key)
  • Snapshots in R2: server-side AES-256 plus per-tenant key derivation; download via short-lived signed URLs only

Tenant isolation

Every snapshot in R2 is keyed as users/<userId>/connections/<connectionId>/backups/<timestamp>/. Postgres rows enforce tenant boundaries via row-level security policies on every user-scoped table. Cross-tenant access is structurally impossible from the application layer.
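The key layout above is only an isolation boundary if the application refuses to build or serve a key outside the caller's prefix. The following is an added illustration, not Butterfly's code: it constructs keys in the stated layout and shows the server-side gate that should run before a signed download URL is issued. The function names, the identifier character set and the timestamp format are assumptions.

```python
from __future__ import annotations
import re
from datetime import datetime, timezone

# Hypothetical helpers; the key layout itself is the one stated on the page.
# Identifiers are restricted to URL-safe characters, so no id can smuggle a "/"
# or ".." into a key and land inside another tenant's prefix.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _check_segment(value: str, label: str) -> str:
    if not _SEGMENT_RE.fullmatch(value):
        raise ValueError(f"invalid {label}: {value!r}")
    return value


def tenant_prefix(user_id: str) -> str:
    """Every object belonging to a tenant lives under this prefix (trailing slash matters)."""
    return f"users/{_check_segment(user_id, 'userId')}/"


def snapshot_key(user_id: str, connection_id: str, taken_at: datetime) -> str:
    """Build users/<userId>/connections/<connectionId>/backups/<timestamp>/ ."""
    ts = taken_at.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")  # assumed format
    conn = _check_segment(connection_id, "connectionId")
    return f"{tenant_prefix(user_id)}connections/{conn}/backups/{ts}/"


def authorize_snapshot_key(caller_user_id: str, requested_key: str) -> bool:
    """Server-side gate before a short-lived signed URL is issued: the requested key
    must be shaped exactly like a snapshot key and sit under the caller's own prefix."""
    parts = requested_key.split("/")
    # users / <userId> / connections / <connectionId> / backups / <timestamp> / (trailing empty)
    if len(parts) != 7 or parts[-1] != "":
        return False
    if parts[0] != "users" or parts[2] != "connections" or parts[4] != "backups":
        return False
    if not all(_SEGMENT_RE.fullmatch(p) for p in (parts[1], parts[3], parts[5])):
        return False
    # Prefix comparison includes the trailing slash, so "users/u1/" never matches "users/u10/...".
    return requested_key.startswith(tenant_prefix(caller_user_id))


if __name__ == "__main__":
    key = snapshot_key("u1", "c9", datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    print(key)
    print("owner allowed:", authorize_snapshot_key("u1", key))
    print("other tenant allowed:", authorize_snapshot_key("u2", key))
```

The shape check and the prefix check are deliberately separate: the first rejects anything that is not a well-formed snapshot key at all, the second enforces ownership. Row-level security in Postgres plays the same role for the metadata rows; this gate is the equivalent for object storage, where there is no database policy to fall back on.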

Retention & deletion

  • Free plan: 7-day snapshot retention
  • Standard plan: 90-day snapshot retention
  • Business plan: unlimited retention
  • On account deletion: snapshots, tokens, and identifiable activity logs purged within 30 days

Audit trail

Every state change in Butterfly writes an immutable row to activity_logs: actor, target, action, timestamp, request ID, and source IP. Scheduled jobs (backups, drift monitoring, identity-provider drills) additionally emit start / complete / error events so silent failures cannot accumulate undetected.

Customers can export a tamper-evident evidence bundle — JSON exports of activity logs, backup manifests, and compliance check results, packaged with a SHA-256 manifest — from /api/export/audit-pack. The manifest lets auditors verify nothing was altered between export and review.
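How a SHA-256 manifest makes an export tamper-evident, and what it does not cover, is easier to see in code. The following is an added example, not the format served by /api/export/audit-pack: it builds a manifest over constructed bundle members, verifies them, and shows why the exporter should also record one digest of the manifest itself out-of-band. The manifest schema, file names and function names are assumptions.

```python
from __future__ import annotations
import hashlib
import json
from typing import Optional

MANIFEST_NAME = "manifest.json"  # assumed name of the manifest inside the bundle


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict:
    """Map every bundle member to its digest and size; sorted so the output is deterministic."""
    return {
        "version": 1,
        "algorithm": "sha256",
        "files": {
            path: {"sha256": sha256_hex(files[path]), "bytes": len(files[path])}
            for path in sorted(files)
        },
    }


def manifest_bytes(manifest: dict) -> bytes:
    """Canonical JSON encoding so the same manifest always hashes to the same value."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def bundle_digest(manifest: dict) -> str:
    """One digest over the manifest. The exporter records it outside the bundle
    (ticket, signed email) so a manifest rewritten alongside the files is still caught."""
    return sha256_hex(manifest_bytes(manifest))


def verify_bundle(files: dict[str, bytes], manifest: dict,
                  expected_digest: Optional[str] = None) -> list[str]:
    """Return a list of problems; an empty list means the bundle matches the manifest."""
    problems: list[str] = []
    if expected_digest is not None and bundle_digest(manifest) != expected_digest:
        problems.append("manifest digest mismatch")
    listed = manifest.get("files", {})
    for path, entry in listed.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha256_hex(files[path]) != entry["sha256"]:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in listed and path != MANIFEST_NAME:
            problems.append(f"unlisted: {path}")
    return problems


def sample_bundle() -> dict[str, bytes]:
    """Constructed sample contents standing in for a real export."""
    activity = [{"actor": "alice@example.com", "action": "backup.restore",
                 "target": "group:eng", "ts": "2024-05-01T10:00:00Z", "request_id": "req-001"}]
    return {
        "activity_logs.json": json.dumps(activity).encode(),
        "backup_manifest.json": json.dumps({"snapshots": 3}).encode(),
        "compliance_checks.json": json.dumps({"cis_v8": {"1": "pass", "2": "fail"}}).encode(),
    }


if __name__ == "__main__":
    files = sample_bundle()
    manifest = build_manifest(files)
    digest = bundle_digest(manifest)
    print("clean bundle:", verify_bundle(files, manifest, digest))
    files["activity_logs.json"] += b" "
    print("after edit:", verify_bundle(files, manifest, digest))
```

The per-file digests detect a file changed, removed or added after export. They do not detect someone regenerating the manifest to match edited files, which is why `bundle_digest` exists: an auditor who receives that single value through a separate channel can check the manifest before trusting anything it lists.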

Incident response & security contact

Report vulnerabilities, security concerns, or active incidents to security@butterflysecurity.org. We acknowledge every report within 24 hours.

Acknowledgement SLA
Within 24 hours, 7 days a week
Triage SLA
Critical: 4 hours · High: 1 business day
Customer notification
Affected customers notified within 72 hours of confirmation, per GDPR Article 33 timing
Coordinated disclosure
Researchers credited in the changelog after the fix is shipped

A PGP key for encrypted disclosure is not currently published. Researchers who need encrypted comms can request one in their first email and we will exchange keys out-of-band.

Recent attestations & changes

No third-party attestation reports have been issued yet. SOC 2 Type 2 and ISO 27001 audits are on the roadmap — reports will appear here as they are signed.

Material changes (new subprocessors, policy updates, framework alignment changes) will be listed here and announced in the product changelog.