
Security at Builder

Builder has instituted several technical and organizational measures designed to protect the cloud-based services we make available at (the "Service"). This page provides a description of our current security measures.

For more details and relevant documentation, please see our Trust Report, available at

Risk Management

Builder conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared.

SOC2 Compliance

Builder is SOC2 Type 2 compliant. Contact us for more details or visit our Trust Report to request access to the report.

Access Controls

1. Authentication

Overview. Builder requires authentication for access to all application pages on the Service, except for those intended to be public.

Secure Communication of Credentials. Builder uses TLS-encrypted POST requests to transmit authentication credentials to the Service.

Password Management. We have processes designed to enforce minimum password requirements for the Service. We currently enforce the following requirements and security standards for end user passwords on the Service:

  • Passwords must be a minimum of 8 characters in length and contain at least one digit or special character
  • Multiple logins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force login, but not long enough to prevent legitimate users from using the application
  • Email-based password reset links are sent only to a user's pre-registered email address with a temporary link

Password Hashing. End user account passwords stored on the Service are hashed with a random salt using industry-standard techniques. 

2. Session Management

Overview. Each time a user signs into the Service, the system assigns them a new, unique session identifier.

Sign Out. When signing out of the Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on servers.

Network and Transmission Controls

Builder monitors and updates its communication technologies periodically with the goal of providing network security.


By default, all communications from your end users and your visitors with the Service are encrypted using industry-standard communication encryption technology. Builder currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.

2. Network Security

Builder regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

Data Confidentiality and Job Controls

1. Internal Access to Data

Access to your visitor and account data stored on the Service is restricted within Builder to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers). Builder currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Service.

2. Job Controls

Builder has implemented several employee job controls to help protect the information stored on the Service:

  • All employees are required to sign confidentiality agreements prior to accessing our production systems.
  • Employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data.
  • New employees are subject to a background check prior to employment, where permitted by law.

Security in Engineering

1. Product Security Overview

The software development lifecycle (SDLC) for the Service includes many activities intended to foster security:

  • Defining security requirements
  • Design (threat modeling and analysis, security design review)
  • Development controls (static analysis, manual peer code review)
  • Deployment controls (such as change management and canary release process)

Builder designs, reviews and tests the software for the Service using applicable OWASP

2. Code Assessments

The software we develop for the Service is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:

  • Peer review of all code prior to being pushed to production
  • Manual source code analysis on security-sensitive areas of code

Availability Controls

1. Disaster Recovery

The infrastructure for the Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

  • State of the art cloud providers: We use Google Cloud Platform and Amazon Web Services, which are trusted by thousands of businesses to store and serve their data and services.
  • Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
  • Backups: We perform daily, weekly, and monthly backups of data stored on the Service, which are tested regularly.
  • Availability: Content is served from multiple countries to ensure that the loss of a major network zone (i.e. country) does not adversely impact the availability of the pages. All network communication will automatically route to the nearest usable server. Our servers are expected to be short-lived and fail at any time, allowing us to create measures to restore the entire system based on the last known good configuration used. The software installed on our systems can be deployed or rolled back quickly without noticeable downtime. Software artifacts are versioned and resist accidental or malicious tampering or deletion.

2. Incident Response

Builder has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.

Segregation Controls

1. Data Segregation

Builder's systems for the Service are designed to logically separate your data from that of other customers. Builder's application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.

2. User Roles

The Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project.

Physical Security

Builder uses industry-leading cloud platforms (currently Google Cloud Platform and Amazon Web Services) to host its production systems for the Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. We rely on their third-party attestations of their physical security. Within our headquarters, we employ a number of industry-standard physical security controls.


To minimize privacy and security risks and to help our customers avoid unnecessary compliance costs, we design our products to collect only a limited amount of data. To learn more, please see FAQs about Privacy at Builder.

Additional Terms

Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check this page often to view our latest measures. As always, the use of the Service is subject to the terms, conditions and disclaimers in our Terms of Service.


© 2024, Inc.

