Security, privacy and compliance

Infrastructure Setup

Cloud Platform: We run our production infrastructure on AWS. Our application is deployed in isolated cloud environments for development and production, with separate access controls, deployment paths, and runtime resources for each environment. We also use managed AI services, including OpenAI, as part of our product architecture.

Environment Isolation: Development and production environments are separated from each other. Changes are validated in non-production environments before being promoted to production, helping ensure that testing activity remains isolated from live customer workloads.

Deployment Model: Our application is containerized and deployed on Kubernetes. Deployments are performed through authenticated CI/CD workflows and controlled network access, rather than direct public access to production infrastructure.

Infrastructure Automation: We manage infrastructure through infrastructure-as-code using Terraform. Infrastructure changes are version-controlled, reviewed, and deployed through automated workflows, which helps keep environments consistent and auditable.

Code Residency and Deployment

Source Code Repository: Our source code is hosted in private GitHub repositories with access controls and auditability provided by GitHub. Code changes are managed through a controlled review and merge process.

CI/CD: We use GitHub Actions for continuous integration and deployment. Code is built, tested, packaged, and deployed through automated pipelines. These workflows also handle promotion of approved builds from non-production to production environments.

Artifacts: Application build artifacts are stored in private container registries in our AWS environment. Images are versioned for traceability and scanned as part of the delivery pipeline.

Disclosure

If you notice a security issue or have a question or concern, you can reach out to our CTO, Nimrod, at nimrod@baz.co. We'll respond as soon as possible. Currently, we do not have a bug bounty program.