Complete your vendor security review in under a week
Every artifact a procurement team needs – SIG-Lite, CAIQ-Lite, DPA, subprocessor list, encryption details, audit log retention, IR SLAs, and a 30-minute reference call – without a back-and-forth email thread.
SIG-Lite v1.1.0 · SHA-256: 87cd5256…c51503aa · last reviewed
CAIQ-Lite v1.1.0 · SHA-256: cce4920d…7e461df9 · last reviewed
What every status on this page means
SOC 2 Type 1 + Type 2 audit prep is underway as of June 2026 – Type 1 target Q3 2026, Type 2 target Q1 2027. Until each attestation report is in hand, we say so. Where the compliance status below reads "Aligned (not certified)" we have the controls in place but no third-party report has been issued yet. Every claim on this page corresponds to a control implemented in code or documented in a policy file – ask security@butterflysecurity.org for the underlying evidence.
Compliance posture
| Framework | Status | Target | Summary |
|---|---|---|---|
| SOC 2 Type 1 | In progress | Q3 2026 | Audit prep underway since June 2026. Scope: Security, Availability, Confidentiality. Independent CPA firm under selection. |
| SOC 2 Type 2 | Planned | Q1 2027 | Three-month observation window planned for Q4 2026 following Type 1 attestation. |
| ISO/IEC 27001:2022 | Aligned (not certified) | – | Controls mapped to Annex A. No certificate today – certification pursued after SOC 2 Type 2 closes. |
| GDPR | Compliant | – | DPA available. Standard Contractual Clauses cover EU-to-US transfers where applicable. Articles 17 and 20 (erasure, portability) implemented in product. |
| CCPA / CPRA | Compliant | – | California Consumer Privacy Act + CPRA aligned. Data-subject rights surfaced in /dashboard/settings/data-rights. |
| HIPAA | Available on request | – | BAA available on the Business tier. Technical and administrative safeguards (45 CFR §164.308, §164.312) implemented. |
| PCI DSS v4.0 | Out of scope | – | Butterfly never touches cardholder data. All billing is processed by Stripe (PCI DSS Level 1 service provider). |
| NIST 800-53 (Moderate baseline) | Aligned (not audited) | – | Self-mapped against the Moderate baseline. Not third-party audited. |
| CIS Controls v8 | Compliant | – | Controls 1, 2, 4, 5 implemented inside the product's compliance check engine. |
Security posture summary
Multi-factor authentication on administrative access
MFA is mandatory on every vendor console (Cloudflare, Supabase, Stripe, GitHub) and on Butterfly's own admin sign-in. Hardware security keys preferred for production secrets.
Single sign-on (SAML 2.0 + SCIM 2.0)
SAML 2.0 SP-initiated and IdP-initiated supported, plus SCIM 2.0 user provisioning and de-provisioning. Available on Business plan.
Encryption in transit
TLS 1.3 only on every endpoint. HSTS enforced. No HTTP fallback. Mixed-content blocked.
Encryption at rest
AES-256-GCM application-layer encryption with purpose-derived subkeys (HMAC-SHA256 from the master ENCRYPTION_KEY). Underlying Cloudflare R2 and Supabase Postgres also encrypt at rest. Credentials encrypt with a separate purpose label from backup data.
Key management
Master key stored as a Cloudflare Worker secret. Purpose-derived subkeys for credentials, backups, integrity, IdP. Annual rotation target. JWKS overlap window supported for signing keys. HSM not used today.
Audit log retention
Every state change writes an immutable row to activity_logs with actor, target, action, timestamp, request ID, source IP. Retention: 365 days.
Tamper-evident export
Customers can export an evidence bundle (JSON + SHA-256 manifest) via /api/export/audit-pack. The manifest detects post-export alteration.
Logical isolation
Row-Level Security on every customer-data table in Postgres. R2 snapshots namespaced by users/<userId>/connections/<connectionId>/backups/<timestamp>/. Server-side jobs explicitly scope every query by tenant.
Data residency
Backup snapshots live in a customer-selected Cloudflare R2 region. Control-plane metadata lives in Supabase Postgres US-East. Enterprise customers can flag specific residency requirements at connection setup.
| Layer | Default | Options | Customer choice |
|---|---|---|---|
| Backup snapshots (Cloudflare R2) | Customer-selected at connection setup | WNAM, ENAM, WEUR, EEUR, APAC, OC | Yes |
| Control-plane metadata (Supabase Postgres) | US-East | US-East | Fixed |
| Application edge (Cloudflare Workers) | Global edge, request served from nearest PoP | Global | Fixed |
Penetration testing
An external penetration test is scheduled for Q3 2026, ahead of the SOC 2 Type 2 observation window. The firm is under selection. No prior third-party penetration test report exists on file – we will not claim one until the engagement is signed and the report delivered. Once the report is issued, a redacted summary will be available to customers under NDA via security@butterflysecurity.org.
Audit log retention
Every state change writes an immutable row to activity_logs with actor, target, action, timestamp, request ID, and source IP. Customers can export a tamper-evident bundle (JSON + SHA-256 manifest) at any time via /api/export/audit-pack.
Incident response
Report vulnerabilities, security concerns, or active incidents to security@butterflysecurity.org. The full security policy is published at /.well-known/security.txt.
- Acknowledgement SLA: 24 hours, 7 days a week
- Customer notification SLA: 72 hours from incident classification · Aligned with the 72-hour window in GDPR Article 33 and the majority of US state breach-notification statutes
- Critical triage: 4 hours
- High triage: 1 business day
Subprocessors
Third parties that process customer data on our behalf. Customers are notified in the changelog before a new subprocessor is added.
Cloudflare
SOC 2 Type 2, ISO 27001, PCI DSS 4.0
- Purpose: Application hosting (Workers), object storage (R2), DNS, edge security
- Data processed: All customer-facing traffic; encrypted backup snapshots at rest in R2
- Region: Global edge; R2 buckets pinned to the customer-selected region
Supabase
SOC 2 Type 2, HIPAA-eligible
- Purpose: Postgres database, authentication, realtime channels
- Data processed: Account metadata, team membership, connection records, activity logs
- Region: US-East (primary)
Stripe
PCI DSS Level 1 service provider
- Purpose: Billing (Checkout, webhooks, Customer Portal) for paying customers
- Data processed: Billing contact, plan, subscription state. No payment card data ever touches Butterfly.
- Region: Global (Stripe-managed)
Twilio SendGrid
SOC 2 Type 2, ISO 27001
- Purpose: Transactional email (verification codes, restore receipts, drift alerts)
- Data processed: Email address, message metadata, opt-in/opt-out status
- Region: US (SendGrid-managed)
Resend
SOC 2 Type 2
- Purpose: Internal founder alerts routed to mick@butterflysecurity.org
- Data processed: Internal-only. No customer email recipients.
- Region: US
OpenAI
SOC 2 Type 2
- Purpose: AI guidance, topology analysis, remediation suggestions (opt-in only)
- Data processed: Redacted Okta metadata required for the specific prompt. Excluded from model training per API terms.
- Region: US
Anthropic
SOC 2 Type 2
- Purpose: AI guidance, alternative model (opt-in only)
- Data processed: Redacted Okta metadata required for the specific prompt. Excluded from model training per API terms.
- Region: US
Legal & procurement
Data Processing Agreement
Our standard DPA covers roles, sub-processors, retention by tier, SCCs for EU customers, the 72-hour breach SLA, audit rights, GDPR Articles 17 and 20 (erasure and portability), termination, and liability.
Master Services + BAA
MSA template is available on request. HIPAA Business Associate Agreement (BAA) is available on the Business tier – request via legal@butterflysecurity.org.
Machine-readable trust export
The same source-of-truth data behind this page is published as a structured JSON document at /api/trust/export. Feed it to your vendor-risk tool, or open the questionnaire preview for a category-by-category table view.
Partnerships & verified credentials
Public, third-party-verifiable proofs of Butterfly's relationship with the identity ecosystem.
Okta Elevate Activate Tier Partner
Verified via Credly. Activate is an Okta Elevate partner tier for technology partners with published integrations. This is partner-program status, not an Okta endorsement or product recommendation.
Still need something specific?
Most procurement reviews close in under a week once the SIG-Lite and CAIQ-Lite are downloaded and the DPA is countersigned. For anything not covered here, the founder is one Calendly slot away.