Security Policy
Last updated: February 9, 2026
Valoria Ventures, LLC d/b/a BldrOS (“BldrOS”) is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us by our users. This Security Policy describes the technical and organizational measures we employ to protect the BldrOS platform and the information it processes.
This document provides a high-level overview of our security posture. It is not an exhaustive description of every security control. Detailed security documentation and audit reports are available to enterprise customers under NDA upon request at security@bldros.com.
1. Infrastructure Architecture
1.1 Cloud Infrastructure
BldrOS operates on a modern cloud-native architecture using established, security-focused infrastructure providers. Our primary infrastructure components include:
- Database and backend services: Supabase, which operates on Amazon Web Services (AWS) infrastructure, provides our PostgreSQL database, authentication services, object storage, and serverless edge functions.
- Application hosting: Vercel provides hosting, content delivery, and edge computing for the web application, operating on a globally distributed network.
- Payment processing: Stripe provides PCI DSS Level 1 certified payment processing infrastructure. BldrOS does not store, process, or transmit cardholder data directly.
- Communications: Twilio provides voice and messaging infrastructure, including call routing, recording storage, and SMS delivery.
1.2 No Self-Managed Servers
BldrOS does not operate physical servers, data centers, or self-managed virtual machines. All infrastructure is managed by the providers listed above, each of which maintains its own SOC 2, ISO 27001, or equivalent security certifications. Under this shared-responsibility model, physical security, network security, and base infrastructure security are handled by organizations with dedicated security teams and established compliance programs, while BldrOS remains responsible for how those services are configured and used: access policies, credentials and API keys, storage permissions, and application code.
2. Data Protection
2.1 Encryption in Transit
All data in transit is encrypted using TLS 1.2 or higher. This covers web application traffic and API requests between users and the Platform, connections from the application to the database, and communications with third-party service providers. We enforce HTTPS for all connections and send HTTP Strict Transport Security (HSTS) headers so that browsers refuse to downgrade to plain HTTP.
2.2 Encryption at Rest
Data stored in our database and object storage is encrypted at rest using AES-256 encryption, as provided by the underlying infrastructure. Database backups are also encrypted. Encryption keys are managed by the infrastructure provider and are not accessible to BldrOS application code.
2.3 Payment Data
BldrOS does not store complete payment card numbers, CVV codes, or bank account numbers. All payment data is collected and processed directly by Stripe, which maintains PCI DSS Level 1 certification — the highest level of certification available in the payment card industry. The Platform stores only transaction metadata (amounts, dates, status) necessary for operational and reporting purposes.
2.4 Communication Records
Call recordings are stored in encrypted object storage with access controlled by organization-level permissions. SMS message content is stored in the encrypted database with the same access controls applied to all organization data. Call transcriptions generated by AI services are stored alongside their source recordings with identical access controls.
3. Data Isolation and Access Controls
3.1 Multi-Tenant Data Isolation
BldrOS is a multi-tenant platform where each organization’s data is logically isolated at the database level. Every table containing organization data includes an organization identifier, and database-level Row Level Security (RLS) policies enforce strict isolation. These policies ensure that database queries can only return data belonging to the authenticated user’s organization, regardless of the application code executing the query. RLS policies are enforced by the database engine itself, providing a defense-in-depth layer independent of application logic.
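The isolation pattern described above, written out as an added example in PostgreSQL (this is illustrative code, not BldrOS's schema or policies; the table and column names, the organization_members membership table, the helper function current_user_org_ids(), and the use of Supabase's auth.uid() helper are all assumptions):

```sql
-- Added example: tenant isolation with PostgreSQL Row Level Security (RLS).
-- Table and column names are assumed for illustration; they are not BldrOS's schema.
-- auth.uid() is Supabase's helper that returns the caller's user id (the JWT "sub"
-- claim); on plain PostgreSQL substitute your own session-to-user lookup.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organization_members (
  organization_id uuid not null references organizations(id),
  user_id         uuid not null,   -- auth.users.id in Supabase
  role            text not null check (role in ('owner', 'admin', 'member')),
  primary key (organization_id, user_id)
);

create table contacts (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id),
  name            text not null,
  phone           text
);

-- Helper: the organizations the calling user belongs to. SECURITY DEFINER runs it as
-- the function owner, so policies can consult organization_members without recursing
-- into that table's own policy.
create or replace function current_user_org_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select organization_id from organization_members where user_id = auth.uid();
$$;

-- Users may read only their own membership rows. RLS is enabled but not forced here,
-- so the definer helper above (running as the table owner) can still read the table.
alter table organization_members enable row level security;
create policy members_self_select on organization_members
  for select using (user_id = auth.uid());

-- Enable and FORCE RLS on tenant data so the table owner is subject to the policies too.
-- With RLS enabled and no policy, every query is denied (default deny).
alter table contacts enable row level security;
alter table contacts force row level security;

create policy contacts_select on contacts for select
  using (organization_id in (select current_user_org_ids()));

-- INSERT needs WITH CHECK: a user may only create rows inside their own organization.
create policy contacts_insert on contacts for insert
  with check (organization_id in (select current_user_org_ids()));

-- UPDATE needs both clauses: USING selects the rows the user may touch, WITH CHECK
-- stops them re-homing a row into another organization by editing organization_id.
create policy contacts_update on contacts for update
  using      (organization_id in (select current_user_org_ids()))
  with check (organization_id in (select current_user_org_ids()));

create policy contacts_delete on contacts for delete
  using (organization_id in (select current_user_org_ids()));

-- Check: list tables in the public schema that carry an organization_id column but
-- do not have RLS both enabled and forced. An empty result is the expected state.
select c.relname, c.relrowsecurity as rls_enabled, c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and exists (select 1 from pg_attribute a
              where a.attrelid = c.oid and a.attname = 'organization_id' and not a.attisdropped)
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

Two caveats a reviewer would check. First, RLS binds only roles that are subject to it: a superuser, a role with the BYPASSRLS attribute, and on Supabase the service_role key all bypass every policy, so that key belongs only in trusted server-side code and never in the browser. Second, the guarantee is per table: a new table that carries organization data but has no policy is either wide open (RLS not enabled) or unusable (enabled with no policy), which is why the final query, run in CI or as a periodic check, is worth keeping.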
3.2 Authentication
User authentication is managed through Supabase Auth, which supports email and password authentication with secure password hashing (bcrypt). Session tokens are issued as signed JSON Web Tokens (JWTs) with defined expiration periods. All authentication endpoints are rate-limited to prevent brute-force attacks.
3.3 Authorization
The Platform implements role-based access control (RBAC) at the organization level. Roles define the permissions available to each user, including which data they can view, create, modify, and delete. Role assignments are managed by the organization account owner and are enforced at both the application and database levels.
3.4 Administrative Access
BldrOS platform administrators have the technical ability to access data across organizations for the purposes of platform maintenance, customer support, security investigations, and legal compliance. Administrative access is restricted to authorized personnel, protected by strong authentication, and subject to comprehensive audit logging. All administrative data access is reviewed periodically.
4. Audit Logging
The Platform maintains an immutable, append-only audit log that records significant actions within the system. Each audit log entry includes the identity of the user performing the action, a precise timestamp, the nature of the action, the affected resource, and the values before and after the change. Audit logs are designed to be legally defensible and to support compliance, dispute resolution, and forensic investigation requirements.
Audit logs are retained for a minimum of three (3) years and are protected against modification and unauthorized deletion.
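An added example of how a log with the properties described in this section (append-only, recording actor, timestamp, action, resource, and before/after values) can be implemented inside PostgreSQL; it is illustrative, not BldrOS's implementation, and the invoices table, the audit_log layout, the trigger function names, and Supabase's auth.uid() helper are assumptions:

```sql
-- Added example: an append-only audit log populated by database triggers.
-- Table and column names are assumed for illustration; they are not BldrOS's schema.
-- auth.uid() is Supabase's helper returning the caller's user id; it is null for
-- sessions without a user JWT (system jobs), which the nullable actor_id column allows.

create table invoices (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  amount_cents    bigint not null,
  status          text not null default 'draft'
);

create table audit_log (
  id              bigint generated always as identity primary key,
  occurred_at     timestamptz not null default clock_timestamp(),
  actor_id        uuid,                               -- who: auth.uid() of the session
  db_role         text not null default current_user, -- which database role wrote it
  organization_id uuid,                               -- whose data
  action          text not null,                      -- INSERT, UPDATE or DELETE
  table_name      text not null,                      -- affected resource
  row_id          text,
  old_row         jsonb,                              -- values before (null on INSERT)
  new_row         jsonb                               -- values after  (null on DELETE)
);

-- Writer: SECURITY DEFINER runs the insert as the function owner, so application
-- roles need no privileges on audit_log and cannot fabricate entries themselves.
create or replace function record_audit() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  v_old jsonb;
  v_new jsonb;
begin
  if tg_op in ('UPDATE', 'DELETE') then v_old := to_jsonb(old); end if;
  if tg_op in ('INSERT', 'UPDATE') then v_new := to_jsonb(new); end if;

  insert into audit_log (actor_id, organization_id, action, table_name, row_id, old_row, new_row)
  values (
    auth.uid(),
    coalesce(v_new ->> 'organization_id', v_old ->> 'organization_id')::uuid,
    tg_op,
    tg_table_name,
    coalesce(v_new ->> 'id', v_old ->> 'id'),
    v_old,
    v_new
  );
  return null;  -- AFTER trigger: the return value is ignored
end
$$;

create trigger invoices_audit
  after insert or update or delete on invoices
  for each row execute function record_audit();

-- Append-only: refuse UPDATE, DELETE and TRUNCATE for every role, owner included.
create or replace function audit_log_is_append_only() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op
    using errcode = 'insufficient_privilege';
end
$$;

create trigger audit_log_no_modify
  before update or delete on audit_log
  for each row execute function audit_log_is_append_only();

create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_is_append_only();

-- Reads: with RLS enabled and no policy, application roles see nothing until a
-- per-organization SELECT policy (the same membership test used on tenant tables) is added.
alter table audit_log enable row level security;
revoke all on audit_log from public;

-- Worked change: one INSERT and one UPDATE yield two entries, the second carrying
-- the status value before and after the change.
insert into invoices (organization_id, amount_cents)
  values ('11111111-1111-1111-1111-111111111111', 12500);
update invoices set status = 'sent' where amount_cents = 12500;

select action, table_name, old_row ->> 'status' as status_before, new_row ->> 'status' as status_after
from audit_log order by id;
```

The guard triggers make the log append-only for application roles, but a superuser or the table owner can still disable or drop them, so "immutable" in the database is a control against application-level tampering, not against an administrator. A retention commitment of several years is stronger when entries are also shipped out of the database to storage the application cannot rewrite. Note too that old_row and new_row copy every column, including personal data, so read access to the log needs the same tenant scoping as the tables it describes.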
5. Application Security
5.1 Secure Development
BldrOS follows secure development practices including code review, dependency management, and automated security scanning. We monitor dependencies for known vulnerabilities and apply patches in a timely manner.
5.2 Input Validation
All user inputs are validated and sanitized before processing, and database queries are parameterized, to prevent injection attacks. The Platform uses parameterized database queries rather than string concatenation, together with a Content Security Policy (CSP), to mitigate SQL injection, cross-site scripting, and other common web application vulnerabilities.
5.3 API Security
API endpoints require authentication, enforce rate limiting, and validate all inputs. Sensitive operations require additional authorization checks. API tokens are scoped to the minimum permissions necessary for their intended purpose.
6. Incident Response
6.1 Incident Detection
BldrOS employs monitoring and alerting systems to detect anomalous activity, unauthorized access attempts, and system failures. Our infrastructure providers also maintain their own monitoring and detection capabilities.
6.2 Response Process
In the event of a confirmed security incident, BldrOS follows a structured incident response process that includes:
- containment of the incident to prevent further impact;
- assessment of scope and severity;
- remediation and recovery;
- notification of affected users in accordance with applicable law and our contractual obligations; and
- post-incident review and implementation of preventive measures.
6.3 Notification
In the event of a data breach affecting personal information, BldrOS will notify affected users and applicable regulatory authorities as required by law. We aim to provide notification within seventy-two (72) hours of confirming a breach, consistent with GDPR notification requirements and industry best practices (GDPR Article 33 counts its seventy-two hours for notifying the supervisory authority from the moment the controller becomes aware of a breach, so investigation and confirmation are carried out within that window rather than before it starts). Notifications will include a description of the incident, the types of data affected, the measures taken in response, and guidance for affected individuals.
7. Third-Party Risk Management
BldrOS evaluates the security posture of third-party service providers before integration and on an ongoing basis. Our primary service providers maintain the following certifications and compliance frameworks:
- Supabase (AWS): SOC 2 Type II, ISO 27001, and various additional AWS compliance certifications.
- Stripe: PCI DSS Level 1, SOC 2 Type II, ISO 27001.
- Twilio: SOC 2 Type II, ISO 27001, PCI DSS for payment-related services.
- Vercel: SOC 2 Type II.
We maintain data processing agreements with service providers that process personal information on our behalf, which include commitments regarding data handling, confidentiality, and security measures.
8. Business Continuity
Our infrastructure providers maintain high-availability configurations with automated failover, geographic redundancy, and regular backups. Database backups are performed automatically and are stored in encrypted form in a separate geographic location. The Platform is designed to recover from infrastructure failures with minimal downtime.
9. Compliance Posture
BldrOS is designed with security and compliance as foundational principles. While we do not currently hold SOC 2 certification, our infrastructure and practices are aligned with SOC 2 Trust Services Criteria and we intend to pursue formal certification as the platform matures. Our platform architecture — including immutable audit logs, row-level security, and comprehensive access controls — is designed to support the compliance requirements of our customers.
10. Responsible Disclosure
BldrOS supports responsible security research. If you discover a potential security vulnerability in the Platform, we ask that you report it to us responsibly:
- Email your findings to security@bldros.com.
- Include a clear description of the vulnerability, steps to reproduce it, and the potential impact.
- Allow us a reasonable period of time (at least ninety (90) days) to investigate and address the issue before public disclosure.
- Do not access, modify, or delete data belonging to other users during your research.
- Do not perform testing that degrades the availability or performance of the Platform for other users.
We commit to acknowledging receipt of your report within two (2) business days and to providing a substantive response within ten (10) business days. We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
11. Contact
For security questions, concerns, or vulnerability reports:
Valoria Ventures, LLC d/b/a BldrOS
Security Team
Email: security@bldros.com
Atlanta, Georgia, United States
For enterprise security assessments, questionnaires, or detailed documentation requests, contact security@bldros.com.
Valoria Ventures, LLC d/b/a BldrOS — All rights reserved.
Questions about these terms? Contact legal@bldros.com