Security
Understanding Builtiful's security model and best practices
Security
Builtiful is designed with security-first principles to protect your code, data, and infrastructure. Learn about our security architecture and best practices.
Security Architecture
🔒 Complete Isolation
Every job runs in a completely isolated environment:
- Dedicated VM per job - No shared compute resources
- Ephemeral infrastructure - VMs are destroyed after each job
- Network isolation - Isolated network for each VM executing jobs
- No persistent storage - All data wiped after job completion
Data Protection
Encryption
At Rest:
- Database encryption using AES-256
- Volume encryption for VM storage
In Transit:
- TLS 1.3 for all API communications
Data Handling
What we store:
- Job metadata (repository, branch, commit SHA)
- Execution metrics (start time, duration, exit code)
- Usage data for billing
- Basic user profile (email, GitHub username)
What we DON'T store:
- Your source code (beyond job execution)
- Job secrets
- Build artifacts or caches
- Secrets or environment variables
- Job output & logs (these are stored by GitHub for your viewing)
Best Practices:
- Use GitHub's secret management
- Rotate secrets regularly
- Never hardcode credentials
- Use least-privilege access tokens
Infrastructure Compliance
Our infrastructure providers are ISO 27001 certified.
Frequently Asked Questions
Can Builtiful access my code?
Your code only exists on our infrastructure during job execution in an isolated VM. It's automatically deleted when the job completes. Our staff has no access to running VMs or your code.
How are secrets handled?
Secrets are managed by GitHub and injected at runtime. Builtiful never stores or has access to your secrets - they're passed directly from GitHub to your isolated runner and destroyed as soon as the job finishes running.
Is my data encrypted?
Yes, all data is encrypted both at rest (AES-256) and in transit (TLS 1.3). This includes job metadata, logs, and any temporary storage.
Can jobs communicate with each other?
No, each job runs in complete network isolation. Jobs cannot communicate with other jobs, even from the same repository.