Security program
Backbuild operates a defense-in-depth security program that protects customer data throughout its lifecycle. Security is treated as a product requirement rather than a late-stage review step: controls are embedded into the platform's architecture, the software delivery pipeline, and daily operations.
Security-by-design principles
- Least privilege: every human and system identity receives the minimum access required to perform its function, and access is reviewed on a recurring schedule.
- Defense in depth: multiple independent controls protect each asset so that the failure of any single control does not result in compromise.
- Secure defaults: platform features ship with secure configurations; operators must make an explicit and auditable choice to relax them.
- Fail closed: authorization, rate limiting, and input validation deny by default when a decision cannot be made safely.
- Tenant isolation: multi-tenant boundaries are enforced at every layer, from the HTTP edge down to row-level security in the database.
- Auditability: security-relevant events are logged in a tamper-evident store with user attribution and correlation identifiers.
Key control areas
- Encryption in transit and at rest using NIST-approved algorithms with documented key management.
- Authentication via SSO (SAML 2.0 and OIDC), enforced MFA, configurable session policies, and account lockout.
- Access control through role-based permissions, organization-scoped authorization, and row-level security policies.
- Vulnerability management with automated dependency scanning, severity-based remediation SLAs, and a software bill of materials per release.
- Monitoring through centralized log aggregation, anomaly detection, and 24x7 on-call coverage for security-relevant alerts.
- Incident response backed by documented runbooks, severity classification, and a post-incident review process.
- Vendor management including sub-processor inventory, due diligence reviews, and contractual data protection commitments.
- Penetration testing with continuous internal adversarial review and a planned annual third-party engagement.
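The tenant isolation principle above (enforced "down to row-level security in the database") and the access control area ("organization-scoped authorization, and row-level security policies") both come down to the same mechanism. The following is an added illustration of how that layer is typically built on PostgreSQL; it is not Backbuild's schema or code. The `projects` table, the `app_user` role, the `app.org_id` session setting, and the UUID values are all assumed for the example.

```sql
-- Added example (not Backbuild's own schema): organization-scoped tenant
-- isolation enforced by PostgreSQL row-level security.
-- Assumed names: table projects, role app_user, session setting app.org_id.

CREATE TABLE projects (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id  uuid NOT NULL,
    name    text NOT NULL
);

-- The application connects as a role that does not own the table, so the
-- policies below apply to every query it issues. The connecting login role
-- is assumed to be a member of app_user so that SET ROLE is permitted.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;

-- Enable RLS; FORCE makes the policies apply even to the table owner.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- Tenant-scoping policy. current_setting(name, true) returns NULL when the
-- setting has never been set, so a session that forgot to declare its tenant
-- matches zero rows and can write none: the control fails closed rather than
-- exposing every organization's data.
CREATE POLICY projects_tenant_isolation ON projects
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- Per-request usage. SET LOCAL scopes both the role and the tenant id to
-- this transaction, so a pooled connection cannot leak them to the next
-- request. The UUIDs are constructed sample values.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
SELECT id, name FROM projects;        -- returns only this organization's rows
COMMIT;

-- A write for another organization is rejected by WITH CHECK with
-- "new row violates row-level security policy", and the transaction aborts.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO projects (org_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

Two points worth checking in a real deployment: the application role must not be a superuser or own the table, since either would bypass the policy unless FORCE is set, and the tenant setting must be written with SET LOCAL inside the request's transaction, never with a session-level SET on a pooled connection.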
Explore the security program
- Encryption — TLS, AES-256-GCM, key management, cryptographic standards
- Authentication — SSO, MFA, sessions, account lockout
- Access control — RBAC, row-level security, access reviews
- Vulnerability management — scanning, SBOM, patch SLAs
- Penetration testing — internal and external adversarial testing
- Responsible disclosure — report a vulnerability
Contact
Security questions, evidence requests, or questionnaires: security@backbuild.ai