Security and data handling

You are giving us access to apps your teams have built. Here, plainly, is what BWorlds accesses, what it does with it, and what it does not do. If a question is not covered here, ask a cofounder directly.

Our principles

  • Your apps stay yours. The code, the data and the intellectual property are yours. BWorlds claims no rights over them.
  • Least privilege. We request only the access the audit needs, nothing more.
  • Read by default, action on explicit approval. BWorlds analyzes in read mode. No fix is applied and no code is pushed to your repositories without your explicit consent.
  • Transparency. You always know what is being analyzed and why.

What BWorlds accesses

  • The code of the apps you authorize us to analyze, typically the apps your employees built with AI. Nothing else.
  • Your GitHub repository commits, to follow how the code evolves.

By default, BWorlds analyzes only the code and the commits. These do not contain your clients' personal data.

Beyond that, nothing is collected, unless an employee installs the SDK and explicitly turns on error monitoring or session recording. Those features then process usage data from the app. Turning them on is always explicit and stays in your hands.

How your data is processed

To produce the audit, your apps' code is analyzed by OpenAI's models, under their enterprise offering. Accordingly, your data is not used to train the models.

Fixes: you stay in control

By default, BWorlds identifies the issues and shows you how to fix them with your AI tool. For a defined set of fixes, BWorlds can carry out the correction itself, only after your explicit, case-by-case approval. No code is pushed to your repositories without that consent, and you can revoke access at any time.

Hosting and location

  • Hosting: in the United States (Oregon) for now.
  • Encryption: your data is encrypted in transit and at rest.

Retention and deletion

  • Duration: your data is kept for the duration of the contract.
  • Deletion: you can request deletion of your data at any time, and it is deleted at the end of the contract.
  • Revocation: you cut access whenever you want, and analysis stops.

Sub-processors

BWorlds relies on a limited set of providers to operate:

  • Railway: infrastructure and app hosting (United States, Oregon)
  • Vercel: web interface hosting and deployment
  • OpenAI: AI code analysis (enterprise offering)
  • Stripe: payment processing

GDPR

Our processing follows GDPR principles: data minimization, restricted access, right to deletion. Since your data is hosted in the United States, its transfer relies on the European Commission's Standard Contractual Clauses (SCCs). A data processing agreement (DPA) is available on request.

What we are not, at this stage

  • We do not hold a SOC 2 or ISO 27001 certification today.
  • We do not yet offer a sovereign or on-premise deployment, and hosting is in the United States. EU data location and sovereign deployment are on our roadmap.

We are running our first enterprise rollouts, and our security posture keeps strengthening. We would rather tell you where we stand than overstate it.

A question about security?

Talk it through directly with a cofounder.