Security

Last updated: April 19, 2026

Builder of Builders is a trust-based community platform. Security — of our infrastructure, our members' data, and the integrity of our invite-only model — is core to everything we build.


1. Our Approach

We take a layered security approach. No single layer is expected to be perfect; multiple layers combine to resist failures and attacks while keeping the platform usable for the community.


2. Infrastructure

  • Application hosting: Vercel (SOC 2 Type II certified)
  • Database and authentication: Supabase (SOC 2 Type II certified)
  • File storage: encrypted object storage via our infrastructure providers
  • DNS and short links: managed through enterprise DNS providers with DNSSEC support

3. Data Protection

3.1 Encryption

  • In transit: TLS 1.2+ on all connections
  • At rest: AES-256 encryption for databases and storage

3.2 Data Isolation

Member data is isolated using row-level security (RLS) policies enforced at the database layer. Each member's private data is scoped to their account; public data (public profiles, ventures, signals) is exposed only where explicitly configured.

3.3 Backups

  • Automated daily database backups
  • Point-in-time recovery available
  • Backups encrypted at rest

4. Authentication and Access

  • Passwords are hashed using industry-standard algorithms (bcrypt)
  • Authentication sessions use secure, HTTP-only cookies
  • OAuth-based sign-in uses PKCE to prevent authorization code interception
  • Rate limiting on authentication endpoints prevents brute-force attempts
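The PKCE bullet above is a one-line claim, so the following shows what the protection actually does. This is an added illustration written for this page, not code from Builder of Builders or from Supabase Auth (which implements PKCE on the platform's behalf): the client derives a `code_challenge` from a secret `code_verifier` (S256 method, RFC 7636), sends only the challenge with the authorization request, and the token endpoint later refuses to exchange an authorization code unless the matching verifier is presented. The function names and the `simulateAuthorizationCodeFlow` round trip are this example's own.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Client side (RFC 7636 §4.1): a high-entropy code_verifier of 43..128 characters
// from the unreserved set [A-Za-z0-9-._~]. 32 random bytes base64url-encode to
// exactly 43 characters.
function generateCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// Client side (RFC 7636 §4.2): code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
// for the S256 method. Only the challenge travels in the authorization request.
function codeChallengeS256(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Authorization server side, at the token endpoint (RFC 7636 §4.6): recompute the
// challenge from the code_verifier presented alongside the authorization code and
// compare it, in constant time, with the challenge that was bound to that code
// when it was issued. A party holding only an intercepted code cannot produce
// the verifier, so the exchange fails.
function verifyPkceS256(storedChallenge: string, presentedVerifier: string): boolean {
  if (presentedVerifier.length < 43 || presentedVerifier.length > 128) return false;
  if (!/^[A-Za-z0-9\-._~]+$/.test(presentedVerifier)) return false;
  const recomputed = Buffer.from(codeChallengeS256(presentedVerifier), "ascii");
  const expected = Buffer.from(storedChallenge, "ascii");
  return recomputed.length === expected.length && timingSafeEqual(recomputed, expected);
}

// Simulated round trip: the client keeps the verifier, sends the challenge, and
// later proves possession of the verifier at the token endpoint. The second
// check models a code that leaked without its verifier, which must be rejected.
function simulateAuthorizationCodeFlow(): { legitimate: boolean; interceptedCodeOnly: boolean } {
  const verifier = generateCodeVerifier();
  const challenge = codeChallengeS256(verifier);          // stored by the server with the auth code
  const legitimate = verifyPkceS256(challenge, verifier); // the real client redeems the code
  const unrelatedVerifier = generateCodeVerifier();       // whoever holds the code lacks the verifier
  const interceptedCodeOnly = verifyPkceS256(challenge, unrelatedVerifier);
  return { legitimate, interceptedCodeOnly };
}
```

The `codeChallengeS256` output can be checked against the RFC 7636 Appendix B test vector: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. The constant-time comparison and the verifier length/charset checks are the server-side details most often skipped in home-grown implementations.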

5. Invitation Integrity

The invite-only nature of Builder of Builders is a security feature. We protect it through:

  • Unique, signed invitation tokens that expire after acceptance or timeout
  • Invite attribution — every accepted invite is linked to the inviter for audit
  • Abuse detection on invitation patterns
  • Ability to revoke invitations at any time before acceptance

6. Application Security

  • Code reviewed before deployment
  • Automated testing including Playwright end-to-end tests
  • Dependency vulnerability scanning
  • Secret scanning prevents accidental credential exposure

7. Monitoring and Incident Response

  • Continuous monitoring for errors, anomalies, and security events
  • Event logging for key application and security actions
  • Documented incident response procedures
  • Member notification in the event of a material security incident

8. Privacy

For how we handle personal data, see our Privacy Policy.


9. Responsible Disclosure

If you discover a security vulnerability in Builder of Builders:

  • Email: security@builderofbuilders.com
  • Provide sufficient detail to reproduce the issue
  • Give us reasonable time to respond before public disclosure
  • Do not access or modify other members' data

We welcome good-faith security research and will acknowledge reports promptly.


10. Member Responsibilities

As a member, you also play a role in security. We ask that you:

  • Use a strong, unique password (or OAuth sign-in)
  • Do not share your account credentials
  • Report suspicious behavior from other members to support@builderofbuilders.com
  • Keep your profile and contact information accurate

11. Contact

  • Security issues: security@builderofbuilders.com
  • Privacy inquiries: privacy@builderofbuilders.com
  • General questions: support@builderofbuilders.com
  • Website: builderofbuilders.com