Security
How we protect your data and what to do if you find a vulnerability.
How we secure your data
- TLS 1.2+ everywhere: all traffic between your browser and our servers, and between our servers and connected platforms, is encrypted in transit. The site is served only over HTTPS.
- Passwords: hashed with Argon2id (memory-hard, modern), never stored in plaintext.
- OAuth tokens: encrypted at rest. Used only when you schedule or trigger a publish. Never logged.
- Source videos: stored on encrypted server volumes, deleted as soon as processing completes (typically minutes).
- Principle of least privilege: our team accesses production data only when a support case requires it, and only with your explicit permission.
- Dependency scanning: we run automated vulnerability scans on our application dependencies and patch promptly.
- Backups: encrypted, retained for 30 days max, and tested for restorability.
Hosting
BuildDaily runs on Hetzner Cloud (Germany / EU), which provides physical and infrastructure security including 24/7 monitoring, certified data centers (ISO 27001), and DDoS protection at the edge.
Your part
- Use a strong, unique password (a password manager helps).
- Don't share your account.
- Disconnect connected platforms you no longer use.
- Review your scheduled posts before they go live.
Reporting a vulnerability
If you've found a security issue, please email Support@builddaily.app with details. Include steps to reproduce, the affected URL or endpoint, and any proof-of-concept you have. We will:
- Acknowledge receipt within 2 business days.
- Investigate and respond with a triage assessment within 7 business days.
- Coordinate a disclosure timeline with you (typically 90 days from report to public disclosure, sooner if the issue is fixed sooner).
- Credit you publicly (with your permission) once the fix is shipped.
Please do not access data you do not own, do not perform attacks that could degrade the Service, and do not exploit a vulnerability beyond what's necessary to demonstrate it. We won't pursue legal action against good-faith researchers who follow these rules.
Breach notification
If we discover a breach affecting your data, we will notify you and the relevant authorities within the deadlines required by law (typically 72 hours under GDPR).