Security

How we protect your data

Authentication

Build 365 uses email one-time passwords (OTP) via Supabase Auth. There are no passwords to steal. Sessions are stored in secure httpOnly cookies scoped to the workspace subdomain.

Data isolation

Each workspace is fully isolated at the database level using Row Level Security (RLS). A member of one workspace cannot access another workspace's data — even if they know the IDs.

Webhook security

All inbound webhooks (GitHub, Trello, Vercel) are verified using HMAC signatures before any data is written. Invalid signatures are rejected and logged.
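As an illustration of the verify-before-write flow described above, here is an added example (not Build 365's own code) for a GitHub-style delivery, where the `X-Hub-Signature-256` header carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body. The handler, store, log and secret are hypothetical; other providers use different headers and signing schemes.

```javascript
const crypto = require("node:crypto");

// Check a GitHub-style signature header against the raw body bytes.
// Returns { ok, reason } so the caller can log why a delivery was rejected.
function verifyGithubSignature(secret, rawBody, header) {
  if (typeof header !== "string" || !header.startsWith("sha256=")) {
    return { ok: false, reason: "missing or malformed signature header" };
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  // Invalid hex decodes to a shorter buffer and fails the length check.
  const supplied = Buffer.from(header.slice("sha256=".length), "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (supplied.length !== expected.length) {
    return { ok: false, reason: "signature length mismatch" };
  }
  if (!crypto.timingSafeEqual(supplied, expected)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true, reason: null };
}

// Hypothetical handler: nothing is parsed or written until the
// signature over the exact received bytes has been verified.
function handleWebhook(secret, rawBody, headers, store, log) {
  const result = verifyGithubSignature(secret, rawBody, headers["x-hub-signature-256"]);
  if (!result.ok) {
    log.push({ event: "webhook_rejected", reason: result.reason });
    return 401;
  }
  store.push(JSON.parse(rawBody.toString("utf8")));
  return 200;
}

// Helper used only to build constructed sample deliveries.
function signBody(secret, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constructed sample input (not real traffic).
const SECRET = "constructed-test-secret";
const BODY = Buffer.from('{"action":"opened","number":1}');
const sampleStore = [];
const sampleLog = [];
handleWebhook(SECRET, BODY, { "x-hub-signature-256": signBody(SECRET, BODY) }, sampleStore, sampleLog);
```

The HMAC must be computed over the bytes as received; re-serializing parsed JSON before hashing can change the bytes and make valid deliveries fail.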

Responsible disclosure

If you discover a security vulnerability, please report it to security@build365.co before public disclosure. We aim to respond within 48 hours and will credit researchers who report valid issues.

Infrastructure

Build 365 runs on Vercel (compute) and Supabase (data). Both platforms maintain SOC 2 compliance. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).