BufferAI

Security Policy

Last updated: November 5, 2025

Our Commitment to Security

At BufferAI, security is at the core of everything we do. As an AI compliance and security proxy, we take our responsibility to protect your data seriously. This page outlines our security practices and responsible disclosure policy.

Security Practices

Data Encryption

  • All data in transit is encrypted using TLS 1.3
  • All data at rest is encrypted using AES-256
  • API keys are hashed using bcrypt before storage
  • Sensitive data in logs is automatically redacted

Access Control

  • Multi-factor authentication available for all accounts
  • Role-based access control (RBAC) for organization members
  • API key rotation and expiration policies
  • Principle of least privilege for all internal systems

Infrastructure Security

  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Secure CI/CD pipelines with code signing
  • Infrastructure as Code (IaC) with security scanning
  • DDoS protection and rate limiting

Compliance Monitoring

  • Real-time policy violation detection
  • PII and secrets detection in API requests
  • Comprehensive audit logging
  • Anomaly detection and alerting

Responsible Disclosure Policy

We welcome security researchers and the community to help us maintain the security of BufferAI. If you discover a security vulnerability, please follow these guidelines:

How to Report a Vulnerability

  1. Email us at security@bufferai.dev with details of the vulnerability
  2. Do not disclose publicly until we have had time to address the issue
  3. Provide details including steps to reproduce, potential impact, and any proof-of-concept code
  4. Use encrypted communication if the vulnerability is critical (PGP key available on request)

What to Expect

  • We will acknowledge your report within 48 hours
  • We will provide an estimated timeline for a fix
  • We will keep you updated on our progress
  • We will credit you in our security acknowledgments (if desired)
  • Critical vulnerabilities will be prioritized and patched immediately

Scope

In scope:

  • BufferAI API endpoints (bufferai.dev)
  • Web dashboard (bufferai.dev)
  • Authentication and authorization systems
  • Data leakage or privacy issues

Out of scope:

  • Social engineering attacks
  • Physical attacks on infrastructure
  • Denial of service attacks
  • Third-party services (e.g., OpenAI, Anthropic)

Bug Bounty Program

We are currently evaluating a formal bug bounty program. In the meantime, we appreciate responsible disclosure and will work with researchers to address vulnerabilities promptly.

Security Updates

We regularly update our systems and dependencies to address security vulnerabilities. Critical security updates are applied immediately. Users will be notified of any security issues that may affect their accounts.

Certifications and Compliance

BufferAI is designed to support:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • SOC 2 Type II (in progress)
  • EU AI Act compliance monitoring

Security Acknowledgments

We thank the security researchers and community members who help us maintain the security of BufferAI. Acknowledgments will be listed here as issues are disclosed.

Contact

For security-related inquiries:

  • Email: security@bufferai.dev
  • General support: support@bufferai.dev
← Back to home