Isolation & Security

How BuildGreenfield keeps your projects secure and isolated

Project Isolation

Every BuildGreenfield project runs in a completely isolated environment. This ensures:

  • No data leakage between projects
  • Independent resource allocation
  • Secure multi-tenancy
  • Predictable performance

What’s Isolated?

Compute

Each project runs in its own container with:

  • Dedicated CPU and memory allocation
  • Network isolation (private VPC)
  • Process-level sandboxing

Database

Every project gets its own database instance:

  • Separate PostgreSQL/MongoDB/MySQL database
  • Isolated connection pool
  • Encrypted at rest and in transit
  • No shared tables or data

Storage

File storage (MinIO/S3) is isolated per project:

  • Separate storage buckets
  • Access control via signed URLs
  • No cross-project access

Secrets

Environment variables and API keys:

  • Encrypted using AES-256
  • Scoped to project only
  • Never logged or exposed in UI
  • Rotatable on demand

Security Architecture

Data Encryption

At Rest

All data is encrypted at rest using industry-standard encryption:

  • Databases: Transparent data encryption (TDE)
  • File Storage: Server-side encryption (SSE)
  • Secrets: AES-256-GCM encryption
  • Backups: Encrypted before storage

In Transit

All network communication uses TLS 1.3:

  • HTTPS for all web traffic
  • Encrypted database connections
  • Secure WebSocket connections for logs
  • Certificate pinning for API calls

Access Control

Authentication

  • Multi-factor authentication (MFA) support
  • Session timeout after inactivity
  • Device tracking and management
  • SSO via SAML/OAuth (Team plan)

Authorization

  • Role-based access control (RBAC)
  • Project-level permissions
  • Workspace-level permissions
  • API key scoping and expiration

Code Security

Generated Code

All generated code is:

  • Scanned for common vulnerabilities
  • Linted for security best practices
  • Dependencies audited for CVEs
  • Free from hardcoded secrets

Dependency Management

  • Regular dependency updates
  • Automated security patches
  • Vulnerability scanning (npm audit, Snyk)
  • License compliance checks

Repo Gateway

The Repo Gateway is our intelligent code management layer that ensures safe, controlled modifications.

How It Works

  1. Request Analysis: AI agents analyze requested changes
  2. Scope Validation: Changes are limited to relevant files
  3. Syntax Check: Code is validated before commit
  4. Test Execution: Automated tests must pass
  5. Version Commit: Changes are versioned and tracked

Path-Scoped Edits

Agents can only modify files within their scope:

  • Frontend Agent: src/components/, src/pages/, public/
  • Backend Agent: src/api/, src/services/, src/models/
  • Database Agent: prisma/, migrations/, schema/
  • Config Agent: package.json, tsconfig.json, .env.example

This prevents cascading errors and makes rollback precise.

Change Review

All changes are tracked in the version history:

  • Diff view (before/after)
  • AI-generated commit messages
  • Test results
  • Rollback option

Compliance

BuildGreenfield follows industry-standard security practices:

Current Certifications

  • ✅ GDPR compliant
  • ✅ CCPA compliant
  • ✅ ISO 27001 practices

In Progress

  • 🔄 SOC 2 Type II (Q2 2025)
  • 🔄 HIPAA compliance (Enterprise)

Incident Response

In the event of a security incident:

  1. Detection: Automated monitoring alerts our team
  2. Containment: Affected systems are isolated
  3. Investigation: Root cause analysis
  4. Notification: Users are informed within 72 hours
  5. Remediation: Patches and fixes deployed
  6. Post-mortem: Public incident report

Best Practices

For Users

  • Enable MFA: Protect your account with two-factor authentication
  • Use Environment Variables: Never hardcode secrets in your code
  • Audit Team Access: Regularly review who has access to your projects
  • Rotate API Keys: Change keys periodically, especially after team member changes
  • Review Generated Code: Audit code before deploying to production

For Team Admins

  • Implement SSO: Centralize authentication for easier management
  • Least Privilege: Grant minimum required permissions
  • Monitor Activity: Review audit logs for suspicious activity
  • Backup Critical Projects: Export code regularly
  • Security Training: Educate team members on security best practices

Reporting Vulnerabilities

Found a security issue? We appreciate responsible disclosure.

Security Contact: security@buildgreenfield.com

PGP Key: Available at buildgreenfield.com/.well-known/pgp-key.txt

We aim to respond within 24 hours and will work with you to address the issue promptly.

Further Reading