Security at Builder.io
Builder.io has instituted several technical and organizational measures designed to protect the cloud-based services we make available at https://builder.io (the "Builder.io Service"). This page provides a description of our current security measures.
Builder.io conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared.
Overview. Builder.io requires authentication for access to all application pages on the Builder.io Service, except for those intended to be public.
Secure Communication of Credentials. Builder.io uses TLS-encrypted POST requests to transmit authentication credentials to the Builder.io Service.
Password Management. We have processes designed to enforce minimum password requirements for the Builder.io Service. We currently enforce the following requirements and security standards for end user passwords on the Builder.io Service:
Password Hashing. End user account passwords stored on the Builder.io Service are hashed with a random salt using industry-standard techniques.
Overview. Each time a user signs into the Builder.io Service, the system assigns them a new, unique session identifier.
Sign Out. When signing out of the Builder.io Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Builder.io servers.
Builder.io monitors and updates its communication technologies periodically with the goal of providing network security.
By default all communications from your end users and your visitors with the Builder.io Service are encrypted using industry-standard communication encryption technology. Builder.io currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.
Builder.io regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Access to your visitor and account data stored on the Builder.io Service is restricted within Builder.io to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).
Builder.io currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Builder.io Service.
Builder.io has implemented several employee job controls to help protect the information stored on the Builder.io Service:
The Builder.io software development lifecycle (SDLC) for the Builder.io Service includes many activities intended to foster security:
Builder.io designs, reviews and tests the software for the Builder.io Service using applicable OWASP
The software we develop for the Builder.io Service is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:
The infrastructure for the Builder.io Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
Builder.io has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
Builder.io's systems for the Builder.io Service are designed to logically separate your data from that of other customers. Builder.io's application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.
The Builder.io Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Builder.io Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project.
Builder.io uses industry-leading cloud platforms (currently Google Cloud Platform and Amazon Web Services) to host its production systems for the Builder.io Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. We rely on their third party attestations of their physical security. Within our headquarters, we employ a number of industry-standard physical security controls.
To minimize privacy and security risks and to help our customers avoid unnecessary compliance costs, we design our products to collect only a limited amount of data. To learn more, please see FAQs about Privacy at Builder.
Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check this page often to view our latest measures. As always, the use of the Builder.io Service is subject to the terms, conditions and disclaimers in our Terms of Service.