Security
Security by design, not by afterthought.
Your code runs on your servers. Your data stays under your control. Here's how we keep it that way.
How we protect you
Security practices
Security isn't a feature we added later. It's built into every layer of the platform.
Your infrastructure, your data
Bunzed runs on servers you control. Your source code, databases, and deployed services never leave your infrastructure. We don’t have access to your instance unless you explicitly grant it.
Encryption in transit and at rest
All traffic between your browser and Bunzed is encrypted via TLS. Deployed services get automatic HTTPS via Let’s Encrypt. Database connections use SSL. Passwords are hashed with bcrypt.
API key security
API keys are SHA-256 hashed before storage — we never store the plaintext key. Keys can be scoped to specific workspaces, set to expire, and revoked instantly from the dashboard.
Container isolation
Each deployed service runs in its own Docker container with capped CPU and memory. Containers are isolated from each other and from the host system. One compromised service can’t affect others.
Audit logging
Every significant action — deployments, database operations, team changes, API key creation — is logged with timestamps and user attribution. Activity logs are accessible per workspace.
Dependency management
We regularly update dependencies and monitor for known vulnerabilities. Our build pipeline uses pinned versions and lock files to prevent supply chain attacks.
Under the hood
Technical details
Authentication
- OAuth 2.0 via GitHub and Google — we never see or store your OAuth provider password
- Session tokens stored in PostgreSQL with secure, HTTP-only cookies
- API keys use SHA-256 hashing with support for expiration and revocation
- Role-based access control for team workspaces (owner, admin, member, viewer)
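A sketch of the storage scheme described under "API key security" and in the Authentication list above, as an added example that is not Bunzed's own code: the in-memory `KEYS` dict, the `bz_` prefix, the workspace names and the function names are assumptions. A fast unsalted hash is sound here only because the key is a long random value, unlike a password.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory stand-in for the keys table: SHA-256 digest -> record.
# The plaintext key is never stored; it is returned once, at creation.
KEYS = {}

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def create_key(workspace: str, ttl_seconds=None, now=None) -> str:
    """Mint a key from 32 CSPRNG bytes and persist only its digest."""
    now = time.time() if now is None else now
    key = "bz_" + secrets.token_urlsafe(32)  # "bz_" prefix is an assumption
    KEYS[_digest(key)] = {
        "workspace": workspace,
        "expires_at": None if ttl_seconds is None else now + ttl_seconds,
        "revoked": False,
    }
    return key

def revoke_key(key: str) -> bool:
    """Mark a key revoked; takes effect on the next check_key call."""
    rec = KEYS.get(_digest(key))
    if rec is None:
        return False
    rec["revoked"] = True
    return True

def check_key(presented: str, workspace: str, now=None) -> str:
    """Return 'ok', or the reason the presented key is rejected."""
    now = time.time() if now is None else now
    rec = KEYS.get(_digest(presented))  # look up by digest, never by plaintext
    if rec is None:
        return "unknown"
    if rec["revoked"]:
        return "revoked"
    if rec["expires_at"] is not None and now >= rec["expires_at"]:
        return "expired"
    if rec["workspace"] != workspace:
        return "wrong_workspace"
    return "ok"

if __name__ == "__main__":
    k = create_key("ws-a", ttl_seconds=3600)  # constructed sample workspace
    print(check_key(k, "ws-a"), check_key(k, "ws-b"))
    revoke_key(k)
    print(check_key(k, "ws-a"))
```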
Network security
- Traefik reverse proxy with automatic HTTPS and certificate renewal
- HTTP requests automatically redirected to HTTPS
- CORS policies configurable per deployment
- Rate limiting on authentication endpoints
Data protection
- Source code is cloned during build and discarded after the container image is created
- Database credentials are scoped per workspace and not shared across tenants
- Workspace deletion cascades to all associated databases, deployments, and logs
- Stripe handles all payment data — credit card numbers never touch our servers
Found a vulnerability?
If you've found a security issue, please report it responsibly. Reach out on Discord (meowingzed) and we'll work with you to understand and fix the issue promptly. We appreciate the help.