
Security

Buki reads the systems your company runs on, so we hold ourselves to the standard of the most sensitive one. What we do today, what is still in progress, and nothing overstated. Written for whoever has to vouch for us internally.

How your data moves

Connect

OAuth connections with least-privilege scopes, read-only wherever the integration allows it. Credentials live in a managed secrets vault, never in application code or logs.

Sync & store

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on a major cloud provider. Every record is scoped to your workspace, and that isolation is enforced at each layer of the stack.

Answer

Retrieval never crosses workspaces, and your data is never used to train shared models. Every answer keeps its source references, so any output can be audited back to the record it came from.
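As an added illustration (not Buki's code or a description of its internals), the sketch below shows the two properties above in their simplest enforceable form: every data-access call takes the caller's workspace as a parameter, so there is no unscoped read path, and every answer carries the record references it was built from, which a separate check can resolve again under the same workspace. The store, record ids, workspace ids and sources are constructed for the example.

```python
"""Workspace-scoped retrieval with auditable citations.
Added illustration with constructed data; hypothetical, not Buki's code."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Record:
    record_id: str
    workspace_id: str   # tenant the record belongs to
    source: str         # upstream system and object, e.g. "payroll:run/2024-05"
    text: str


class WorkspaceScopeError(PermissionError):
    """Raised when a lookup names a record outside the caller's workspace."""


class Store:
    """In-memory stand-in for the data layer. Every accessor takes workspace_id
    as its first parameter; there is deliberately no unscoped read path."""

    def __init__(self, records):
        self._by_id = {r.record_id: r for r in records}

    def search(self, workspace_id, query):
        # A record matches when any query token (3+ chars) appears in its text,
        # and only records in the caller's workspace are ever considered.
        tokens = {t for t in re.findall(r"\w+", query.lower()) if len(t) > 2}
        return [
            r for r in self._by_id.values()
            if r.workspace_id == workspace_id
            and any(t in r.text.lower() for t in tokens)
        ]

    def get(self, workspace_id, record_id):
        r = self._by_id.get(record_id)
        # Same error for "missing" and "belongs to another workspace", so a
        # caller cannot probe whether a foreign record id exists.
        if r is None or r.workspace_id != workspace_id:
            raise WorkspaceScopeError(record_id)
        return r


@dataclass(frozen=True)
class Answer:
    text: str
    citations: tuple   # (record_id, source) pairs the answer was built from


def answer(store, workspace_id, question):
    hits = store.search(workspace_id, question)
    if not hits:
        return Answer("No matching records in this workspace.", ())
    # A real system would hand `hits` to a model; here the answer text is the
    # matched snippets joined, so the citation list is exactly what was used.
    text = " ".join(r.text for r in hits)
    return Answer(text, tuple((r.record_id, r.source) for r in hits))


def audit(store, workspace_id, ans):
    """Re-resolve every citation under the same workspace. Any citation that
    cannot be fetched in scope means the answer drew on data it should not have."""
    try:
        return all(
            store.get(workspace_id, rid).source == src for rid, src in ans.citations
        )
    except WorkspaceScopeError:
        return False


# Constructed sample data (hypothetical): two tenants sharing one store.
SAMPLE = Store([
    Record("r1", "ws-acme", "payroll:run/2024-05", "Acme May payroll total 182,400 USD"),
    Record("r2", "ws-acme", "ats:offer/88", "Offer to candidate 88, start 2024-07-01"),
    Record("r3", "ws-globex", "payroll:run/2024-05", "Globex May payroll total 910,200 USD"),
])

if __name__ == "__main__":
    a = answer(SAMPLE, "ws-acme", "May payroll total")
    print(a.text, a.citations, audit(SAMPLE, "ws-acme", a))
```

The point of `audit` is that the citation list is checked with the same scoped accessor the retrieval used, so a citation into another workspace fails the same way a direct cross-workspace lookup does.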

Act

Write actions are scoped per integration, approval-gated, and logged. Payments, offers, and postings wait for approval from a named person. There is no setting that turns this off.

Practices today

Access control

Production access is limited to named engineers behind SSO with hardware-key MFA. Every access is logged and reviewed. Support access to a customer workspace requires that customer’s consent.

Keys & secrets

Encryption keys are held in the cloud provider’s key management service with automatic rotation. Application secrets are vaulted and rotated when roles change.

Backups & recovery

Encrypted backups run daily and are exercised with restore drills. Offboarding deletes primary data immediately and expires backups within 35 days.

Development

Every change is peer-reviewed before deploy. Dependencies are scanned continuously. Staging environments run on synthetic data, never on customer records.

Model providers

LLM inference runs under data-processing agreements, with zero-retention terms where the provider offers them. Prompts and outputs do not train foundation models.

The public demo

Fully isolated from every customer environment. Vantix, Inc. is a fictional company with generated data; no customer record ever appears there.

In progress, stated plainly

SOC 2

In progress

A SOC 2 Type II audit is underway with an independent auditor. The report is published here when it exists, not before.

Penetration testing

In progress

A third-party penetration test is scheduled ahead of general availability. The summary letter will be available under NDA.

Subprocessors & DPAs

In progress

A public subprocessor list and a standard DPA ship at general availability. Both are available on request today.

Your security review

We handle the unglamorous parts on request: questionnaires answered in writing, an architecture walkthrough with your IT lead, and a named contact who replies within two business days.

Reporting

Found something? security@mybuki.ai (placeholder; confirm mailbox before publish). We acknowledge reports within two business days and will not pursue legal action against good-faith research.
