Security Principles

Our security program is built on five non-negotiables:

Least-privilege by default. Every system, every human, every service account starts with zero access and receives only what its role requires.
Defense in depth. No single control is allowed to be the last line of defense. Network, identity, encryption, and application controls overlap.
Customer data isolation. Tenant data is logically segregated; cross-tenant access is blocked at the query layer, not just by policy.
Auditable change. Every production change is logged, reviewable, and tied to a person or service identity.
Secure by default. New customers get the hardened configuration — SSO-ready, audit logs on, retention policies pre-populated.

Infrastructure & Network

Bublly runs on AWS infrastructure behind Cloudflare. Public endpoints terminate TLS at our edge proxy; application, database, queue, and cache services are containerised and isolated from the public internet.

Edge protection. Cloudflare in front of all public endpoints — TLS termination, basic DDoS mitigation, and bot rules. A managed WAF with OWASP rulesets is on the near-term roadmap.
Service isolation. Application server, PostgreSQL, Redis, and RabbitMQ run as separate containers with internal-only networking; only the frontend and API gateway are reachable from the internet.
Data residency. Production data is currently hosted in a single AWS region. Multi-region (EU/US) is contract-only on Enterprise engagements and provisioned per request — not self-serve.
Patching. Container base images and dependencies are updated on a rolling cadence; critical CVEs are prioritised as they are identified.

Encryption

Data is encrypted both at rest and in transit. We never accept un-encrypted traffic on any production endpoint.

In transit: TLS 1.2+ on all customer-facing endpoints (Cloudflare edge + Nginx origin).
At rest: AES-256 via AWS-managed encryption for primary database storage, object storage, and backups.
Secrets: Production secrets are stored outside the codebase and injected at runtime; rotation is manual today, automation is on the roadmap.
Backups: Regular automated database backups with multi-day retention.
Field-level PII masking in the agent UI is on the roadmap.Today, PII redaction is applied inside the AI bot pipeline before prompts reach upstream model providers (see AI & Model Security below).

Access Controls

Customer access:

Email + password with email-OTP verification, and Google Login for end users and agents.
Role-based access control: Three workspace roles today — Admin, User (agent), and Viewer — applied at project level. Granular per-field permissions and additional roles are on the roadmap.
JWT sessions with refresh tokens and server-side revocation on logout.
SSO/SAML, OIDC, and SCIM provisioning are not yet available. They are planned for the Enterprise tier — contact us if this is a procurement blocker and we can share the current timeline.
MFA for agent accounts is on the roadmap.

Internal access:

Production infrastructure access is restricted to a small named engineering group. Access is via SSH keys and jump-host; root credentials are not shared.
Engineers do not query customer conversations as part of normal work. Support-triggered access is logged in our internal incident records.
Employee offboarding revokes infrastructure access and rotates any credentials the offboarded user could have touched.

Application Security

Code review: Production changes go through pull-request review before merge; CI runs lint, type-check, and unit tests on every PR.
Dependency hygiene: Lockfiles are pinned; GitHub Dependabot surfaces vulnerable packages. Automated SAST and SCA gating on merge are on the roadmap.
Input validation: Server-side validation on all API endpoints via class-validator DTOs; parameterised database queries via TypeORM.
Vulnerability reports: Coordinated disclosure via security@bublly.com — see Vulnerability Disclosure below.
Third-party penetration testing and a formal bug-bounty program are on our near-term roadmap and not yet in place.
Security headers: HTTPS-only with HSTS, X-Frame-Options, and Referrer-Policy enforced at the edge; CSP hardening is in progress.

AI & Model Security

Bub AI is built on the same security primitives as the rest of Bublly, with additional controls for AI-specific risks:

No training on customer data by default. Your conversations are not used to train shared models. Per-tenant fine-tuning is opt-in and isolated.
PII redaction before prompt context. Detected PII is masked before reaching the model prompt or response cache.
Prompt injection defenses. User input is treated as untrusted; system prompts are not editable by customer-side inputs; AI outputs are validated before being presented to agents or end users.
Tool authorization scoping. AI agents have explicit per-tool permissions; high-impact actions (refunds above threshold, account changes) require human approval.
Model provider isolation. Upstream model providers are bound by enterprise DPAs that prohibit training on your data and require deletion within contractual windows.

Monitoring & Incident Response

Application monitoring: Centralised container logs and health metrics; on-call engineers are alerted on service-down conditions. Dedicated security-event monitoring (failed-auth spikes, anomalous egress) is on the roadmap.
Activity logs: Project-level activity logs capture admin actions and configuration changes inside the product. Centralised immutable audit logging is on the roadmap.
Incident response: A small engineering team handles incidents directly today. We are working toward documented runbooks and a formal on-call rotation.
Breach notification: If we confirm a security incident materially impacting your data, we will notify affected workspace admins by email and follow the notification obligations applicable to your jurisdiction (DPDP Act, GDPR where relevant).

Vulnerability Disclosure

If you believe you've found a security vulnerability in Bublly, please report it to security@bublly.com with steps to reproduce.

We commit to:

Acknowledgment within 2 business days.
Initial triage within 5 business days.
Regular status updates until resolution, and credit in our security advisories (with your consent).
Good-faith safe harbor for research conducted under our responsible disclosure policy.

Out of scope: automated scanning without coordination, social engineering of employees or customers, denial-of-service testing, and physical attacks.

Sub-processors

Bublly engages a limited set of sub-processors to deliver the service. Each is bound by a written agreement with confidentiality and data-protection obligations equivalent to ours.

The current sub-processor list is available to enterprise customers in their Data Processing Agreement (DPA). Customers are notified of material changes before they take effect, with a right to object.

Compliance & Certifications

Bublly is operated by FABRAINZ INDIA PRIVATE LIMITED. We design our controls to support customer obligations under the DPDP Act 2023 (India) and GDPR (EU/EEA). We are transparent about which certifications we hold today versus which are on our roadmap.

DPDP Act 2023: Our Privacy Policy, Data Deletion process, and consent capture in the widget are aligned with DPDP Act obligations.
GDPR: Our Privacy Policy describes lawful basis, subject rights (access, correction, deletion, portability), and contact channels. A signed Data Processing Addendum (DPA) is available to EU customers on request.
SOC 2 Type II — roadmap, not yet held. We are scoping the audit and will share status when observation period begins.
ISO 27001 — roadmap, not yet certified.
Independent penetration test — planned; no current attestation letter to share.

If you need a specific certification before procurement, reach out — we can share the timeline and discuss interim evidence (architecture diagrams, security questionnaire responses, DPA).

See the Trust Center for the full compliance posture and policy documents.

Security Contact

For security questions, vulnerability reports, or due-diligence requests:

Security inbox: security@bublly.com
General contact: bublly.com/contact
Privacy: Privacy Policy · Data Deletion

Talk to our trust team

Security questionnaires, DPA requests, and architecture briefings are turned around as fast as our team can. If a certification you need is on our roadmap rather than in hand, we'll tell you so up front and share the current target date.

Request security review

Security Principles

Our security program is built on five non-negotiables:

Least-privilege by default. Every system, every human, every service account starts with zero access and receives only what its role requires.
Defense in depth. No single control is allowed to be the last line of defense. Network, identity, encryption, and application controls overlap.
Customer data isolation. Tenant data is logically segregated; cross-tenant access is blocked at the query layer, not just by policy.
Auditable change. Every production change is logged, reviewable, and tied to a person or service identity.
Secure by default. New customers get the hardened configuration — SSO-ready, audit logs on, retention policies pre-populated.

Infrastructure & Network

Edge protection. Cloudflare in front of all public endpoints — TLS termination, basic DDoS mitigation, and bot rules. A managed WAF with OWASP rulesets is on the near-term roadmap.
Service isolation. Application server, PostgreSQL, Redis, and RabbitMQ run as separate containers with internal-only networking; only the frontend and API gateway are reachable from the internet.
Data residency. Production data is currently hosted in a single AWS region. Multi-region (EU/US) is contract-only on Enterprise engagements and provisioned per request — not self-serve.
Patching. Container base images and dependencies are updated on a rolling cadence; critical CVEs are prioritised as they are identified.

Encryption

Data is encrypted both at rest and in transit. We never accept un-encrypted traffic on any production endpoint.

In transit: TLS 1.2+ on all customer-facing endpoints (Cloudflare edge + Nginx origin).
At rest: AES-256 via AWS-managed encryption for primary database storage, object storage, and backups.
Secrets: Production secrets are stored outside the codebase and injected at runtime; rotation is manual today, automation is on the roadmap.
Backups: Regular automated database backups with multi-day retention.
Field-level PII masking in the agent UI is on the roadmap.Today, PII redaction is applied inside the AI bot pipeline before prompts reach upstream model providers (see AI & Model Security below).

Access Controls

Customer access:

Email + password with email-OTP verification, and Google Login for end users and agents.
Role-based access control: Three workspace roles today — Admin, User (agent), and Viewer — applied at project level. Granular per-field permissions and additional roles are on the roadmap.
JWT sessions with refresh tokens and server-side revocation on logout.
SSO/SAML, OIDC, and SCIM provisioning are not yet available. They are planned for the Enterprise tier — contact us if this is a procurement blocker and we can share the current timeline.
MFA for agent accounts is on the roadmap.

Internal access:

Production infrastructure access is restricted to a small named engineering group. Access is via SSH keys and jump-host; root credentials are not shared.
Engineers do not query customer conversations as part of normal work. Support-triggered access is logged in our internal incident records.
Employee offboarding revokes infrastructure access and rotates any credentials the offboarded user could have touched.

Application Security

Code review: Production changes go through pull-request review before merge; CI runs lint, type-check, and unit tests on every PR.
Dependency hygiene: Lockfiles are pinned; GitHub Dependabot surfaces vulnerable packages. Automated SAST and SCA gating on merge are on the roadmap.
Input validation: Server-side validation on all API endpoints via class-validator DTOs; parameterised database queries via TypeORM.
Vulnerability reports: Coordinated disclosure via security@bublly.com — see Vulnerability Disclosure below.
Third-party penetration testing and a formal bug-bounty program are on our near-term roadmap and not yet in place.
Security headers: HTTPS-only with HSTS, X-Frame-Options, and Referrer-Policy enforced at the edge; CSP hardening is in progress.

AI & Model Security

Bub AI is built on the same security primitives as the rest of Bublly, with additional controls for AI-specific risks:

No training on customer data by default. Your conversations are not used to train shared models. Per-tenant fine-tuning is opt-in and isolated.
PII redaction before prompt context. Detected PII is masked before reaching the model prompt or response cache.
Prompt injection defenses. User input is treated as untrusted; system prompts are not editable by customer-side inputs; AI outputs are validated before being presented to agents or end users.
Tool authorization scoping. AI agents have explicit per-tool permissions; high-impact actions (refunds above threshold, account changes) require human approval.
Model provider isolation. Upstream model providers are bound by enterprise DPAs that prohibit training on your data and require deletion within contractual windows.

Monitoring & Incident Response

Application monitoring: Centralised container logs and health metrics; on-call engineers are alerted on service-down conditions. Dedicated security-event monitoring (failed-auth spikes, anomalous egress) is on the roadmap.
Activity logs: Project-level activity logs capture admin actions and configuration changes inside the product. Centralised immutable audit logging is on the roadmap.
Incident response: A small engineering team handles incidents directly today. We are working toward documented runbooks and a formal on-call rotation.
Breach notification: If we confirm a security incident materially impacting your data, we will notify affected workspace admins by email and follow the notification obligations applicable to your jurisdiction (DPDP Act, GDPR where relevant).

Vulnerability Disclosure

If you believe you've found a security vulnerability in Bublly, please report it to security@bublly.com with steps to reproduce.

We commit to:

Acknowledgment within 2 business days.
Initial triage within 5 business days.
Regular status updates until resolution, and credit in our security advisories (with your consent).
Good-faith safe harbor for research conducted under our responsible disclosure policy.

Out of scope: automated scanning without coordination, social engineering of employees or customers, denial-of-service testing, and physical attacks.

Sub-processors

Bublly engages a limited set of sub-processors to deliver the service. Each is bound by a written agreement with confidentiality and data-protection obligations equivalent to ours.

Compliance & Certifications

DPDP Act 2023: Our Privacy Policy, Data Deletion process, and consent capture in the widget are aligned with DPDP Act obligations.
GDPR: Our Privacy Policy describes lawful basis, subject rights (access, correction, deletion, portability), and contact channels. A signed Data Processing Addendum (DPA) is available to EU customers on request.
SOC 2 Type II — roadmap, not yet held. We are scoping the audit and will share status when observation period begins.
ISO 27001 — roadmap, not yet certified.
Independent penetration test — planned; no current attestation letter to share.

If you need a specific certification before procurement, reach out — we can share the timeline and discuss interim evidence (architecture diagrams, security questionnaire responses, DPA).

See the Trust Center for the full compliance posture and policy documents.

Security Contact

For security questions, vulnerability reports, or due-diligence requests:

Security inbox: security@bublly.com
General contact: bublly.com/contact
Privacy: Privacy Policy · Data Deletion

Talk to our trust team

Request security review

Security at Bublly

Security Principles

Infrastructure & Network

Encryption

Access Controls

Application Security

AI & Model Security

Monitoring & Incident Response

Vulnerability Disclosure

Sub-processors

Compliance & Certifications

Security Contact

Talk to our trust team

Security at Bublly

Security Principles

Infrastructure & Network

Encryption

Access Controls

Application Security

AI & Model Security

Monitoring & Incident Response

Vulnerability Disclosure

Sub-processors

Compliance & Certifications

Security Contact

Talk to our trust team