Trust Centre
How we protect your data, secure the platform, and maintain compliance across every layer of the Bugtri service.
Built on three pillars
Security, privacy, and transparency are embedded in everything we build.
Security
End-to-end encryption, hardened infrastructure, MFA-protected admin access, and continuous monitoring to protect your data at every stage.
Privacy
Your sensitive data is sanitised before reaching any AI. You control what's stored, how long it's kept, and can purge it instantly.
Compliance
Designed to meet UK GDPR, EU GDPR, CCPA/CPRA, and Australian Privacy Act requirements from day one.
Data never leaves unprotected
Before any vulnerability report reaches an AI provider, sensitive data is automatically stripped and replaced with safe tokens.
Step 1. Email arrives: the report lands in your shared mailbox.
Step 2. Sanitisation: URLs, IPs, email addresses and domains are stripped and replaced with tokens.
Step 3. AI analysis: the clean text is sent to the AI provider via your own API key.
Step 4. Token restore: the real values are put back in the final email.
Step 5. Delivered: the complete triage arrives in your inbox.
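The sanitise-then-restore flow described above, as an added Python example that is not Bugtri's own code: it assumes a regex-based sanitiser with bracketed placeholder tokens (the token format, the pattern set and the sample report are all constructed for illustration). The point it shows is ordering: composite values (an email contains a domain, a URL contains a host) are tokenised before their parts, and restoration matches only the token syntax so a restored value can never be mistaken for another token.

```python
import re
from typing import Dict, Tuple

# Applied in this order so that an email or URL is replaced as a whole before
# the domain pattern could match the host inside it. (Assumed pattern set.)
_PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("URL", re.compile(r"https?://[^\s<>]+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DOMAIN", re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")),
]

# Tokens are bracketed so they contain no dot, '@' or scheme and therefore
# cannot be re-matched by any of the patterns above.
_TOKEN_RE = re.compile(r"\[(?:EMAIL|URL|IP|DOMAIN)_\d+\]")


def sanitise(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace sensitive values with stable tokens.

    Returns the clean text (safe to send to an AI provider) and a map from
    token to original value, which stays on the Bugtri side only.
    """
    tokens: Dict[str, str] = {}
    for kind, pattern in _PATTERNS:
        counter = 0
        value_to_token: Dict[str, str] = {}

        def repl(match: "re.Match[str]", kind: str = kind) -> str:
            nonlocal counter
            value = match.group(0)
            if value not in value_to_token:      # same value -> same token
                counter += 1
                token = f"[{kind}_{counter}]"
                value_to_token[value] = token
                tokens[token] = value
            return value_to_token[value]

        text = pattern.sub(repl, text)
    return text, tokens


def restore(text: str, tokens: Dict[str, str]) -> str:
    """Put the original values back into AI output that still carries tokens."""
    return _TOKEN_RE.sub(lambda m: tokens.get(m.group(0), m.group(0)), text)


# Constructed sample report (not real data).
REPORT = (
    "Found reflected XSS on https://app.example.com/search?q=test "
    "(host 203.0.113.7). Contact researcher@example.org; "
    "also affects staging.example.com."
)

if __name__ == "__main__":
    clean, token_map = sanitise(REPORT)
    print("sent to AI :", clean)
    print("restored   :", restore(clean, token_map))
```

The domain pattern deliberately over-matches (a string such as Node.js is tokenised too); that is the safe direction for this pipeline, because anything over-stripped is simply restored in the final email, whereas an under-match would leak a real value to the provider.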
Security architecture
Multiple layers of protection across infrastructure, application, and data.
Encryption
TLS 1.2+ for all data in transit. AES-256-GCM encryption at rest for OAuth tokens, API keys, and sensitive credentials. Passwords hashed with bcrypt.
Authentication
Email/password with double opt-in verification. TOTP multi-factor authentication for admin accounts. Configurable session idle timeouts and active session tracking.
Infrastructure
Hardened servers with regular patching. Firewall-restricted access. Database connections limited to application layer. Daily encrypted off-site backups.
Application security
Input validation and output encoding against injection attacks. Content Security Policy headers. Rate limiting on auth endpoints. CSRF protection on all forms and APIs.
Incident response
Documented containment and investigation procedures. Notification of affected users and authorities within prescribed legal timeframes. Emergency lockdown mode for immediate access restriction.
Admin controls
Role-based access control (super admin / admin). TOTP MFA required. Session revocation. Comprehensive audit logging. Emergency lockdown with OTP verification.
You control your data
Full ownership and control over what's stored, how long, and when it's deleted.
Configurable retention
Set retention from 7 to 365 days. Choose whether to store vulnerability details or metadata only. Enable auto-purge or trigger manual deletion at any time.
Bring your own AI key
Your API key, your terms. Data is processed under your agreement with the AI provider. Bugtri never sends data using our own keys. No model training on your reports.
Minimal permissions
OAuth mailbox connections use read-only access with minimal scope. We never send from your account, modify messages, or delete emails.
Right to deletion
Request complete deletion of your account and all associated data at any time. We honour data subject access requests under GDPR, CCPA, and the Australian Privacy Act.
Compliance & standards
Bugtri is designed to meet data protection requirements across multiple jurisdictions.
UK GDPR
Data Protection Act 2018
EU GDPR
General Data Protection Regulation
CCPA / CPRA
California Consumer Privacy Act
Australian Privacy Act
Privacy Act 1988 and the Australian Privacy Principles (APPs)
PCI DSS (via Stripe)
Level 1 certified payment processing
TLS 1.2+
All data encrypted in transit
Third-party integrations
We follow the principle of least privilege with every external service.
AI providers
OpenAI, Anthropic, Google Gemini. Connected via your own API key. Only sanitised text is transmitted. No data stored by Bugtri on their behalf.
Email providers
Google Workspace and Microsoft 365 via OAuth 2.0. Read-only access with minimal scope. We never send, modify, or delete your emails.
Stripe
PCI DSS Level 1 certified payment processing. No full card details stored by Bugtri. All transactions handled securely by Stripe infrastructure.
Hosting
Primary infrastructure hosted in the United Kingdom. Hardened servers with automated patching, encrypted backups, and restricted network access.
Responsible disclosure
We welcome reports from security researchers.