// Trust & Security Report
Builder.io, Inc.
Builder.io Visual Development Platform (Visual Copilot is the Figma/design-to-code AI feature; also marketed within Fusion / Publish)
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.builder.io“Compliance: SOC 2 Type II ... Resources: SOC 2 Type 2 _ June 2025 ... DEPRECATED: SOC 2 Type 2 _ 2024”
Verify on builder.io“Builder is SOC2 Type 2 compliant. Contact us for more details or visit our Trust Report to request access to the report.”
Verify on trust.builder.io“Trust center 'Data collected' lists 'Personal health information' as a data category, but no HIPAA compliance, BAA, or attestation is claimed. Treat as not offered absent confirmation.”
> Show 1 unconfirmed / not-held certifications
source: builder.ioBuilder.io conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. (This references ISO 27005 risk-management *guidelines* only; no ISO 27001 certification is claimed anywhere on the trust center or security page.)
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
United States and other countries (global). Privacy policy: 'Your information may be stored and processed in - and we may transfer information to - the U.S. and other countries.' No EU-only/region-pinned residency offered publicly. Standard cross-border transfer language for EU users.
Plan-dependent and this is the most important nuance for buyers. Verbatim from the AI-use doc: Free plans -> 'Builder may use customer data to train and improve the AI.' Self-serve paid plans -> 'Customer data may be used to train the AI only if AI content training is toggled On' (opt-in, default behavior should be confirmed in-product). Enterprise plans -> 'Builder does not use customer data from Enterprise accounts for AI training or improvement purposes.' Third-party LLMs -> 'Builder currently uses OpenAI and Anthropic's Claude. We may also use open-source LLMs, such as Mistral or Llama 2' and 'The third-party LLMs we use do not train on your data.' Proprietary models -> 'Builder's proprietary AI models are fully built and trained internally and hosted on Google Cloud.' Marketing/blog claim: 'We don't train on your data.' trains_on_customer_data is recorded as false for paid/enterprise (the directory's relevant audience), but note the free-tier exception.
// Security controls
Penetration testing
Performed (listed as a Product security control on the trust center). Security page also describes manual source-code analysis, peer review, static analysis, threat modeling, and OWASP-based design/testing.
trust.builder.ioBug bounty / VDP
None found. No HackerOne or Bugcrowd program and no published vulnerability disclosure program located on the vendor domain or via search. Security contact is support@builder.io.
builder.ioEncryption
TLS in transit ('all communications ... are encrypted using ... Transport Layer Security (TLS)'); data encryption at rest ('Data encryption utilized' control); passwords hashed with a random salt; encryption key access restricted.
builder.ioAccess controls
SSO, strong passwords and/or 2FA required for employee access to production; least-privilege internal access; account lockout on repeated failed logins; per-session unique identifiers.
builder.ioResilience / availability
Daily/weekly/monthly backups tested regularly; multi-data-center replication; documented and tested Incident Response Plan; Business Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained.
trust.builder.ioSubprocessors (disclosed)
Google Cloud Platform (primary production hosting + holds internal model hosting), Amazon Web Services (CDN + logging), Fastly (CDN), Anthropic (LLM hosting). Full list available on the trust center.
trust.builder.ioHosting
Google Cloud Platform and Amazon Web Services. Biometric-controlled data centers; vendor relies on cloud providers' physical-security attestations.
builder.io// Products & data scope
data: Sends design/Figma content and prompts to third-party LLMs (OpenAI, Anthropic Claude, possibly Mistral/Llama) and to Builder's GCP-hosted internal models. 600,000+ plugin users cited. Third-party LLMs do not train on the data; 'Match My Code Style' / Component Mapping use customer code components.
GA since March 2024; Visual Copilot 2.0 ('Design to Interactive') announced later. Now folded into Builder's broader platform (Fusion).
data: Free tier: customer data MAY be used to train/improve AI. Self-serve paid: AI training only if the customer toggles 'AI content training' On.
This is the key compliance differentiator vs Enterprise. Procurement-sensitive teams should be on a paid plan with training off, or Enterprise.
data: No customer data used for AI training or improvement. SOC 2 Type II report available under request/NDA. Enterprise SLA and Enterprise Support Terms published.
Best fit for regulated/security-conscious buyers. Trust center access and SOC 2 report are request-gated (Vanta).
// What to watch
- AI-training behavior is plan-dependent: FREE tier may use customer data to train AI; self-serve paid is opt-in; only Enterprise is contractually no-training. The blanket marketing claim 'We don't train on your data' is accurate only for third-party LLMs and for paid/enterprise, not for the free tier.
- No public bug bounty or VDP program found.
- No ISO 27001 certification (only ISO 27005 risk-methodology reference). Do not list ISO 27001.
- Trust center 'Data collected' lists 'Personal health information' and 'Credit card information' as categories, but no HIPAA/PCI attestation is claimed; HIPAA marked unknown/not offered.
- SOC 2 report and full trust center are request-gated (Vanta) rather than openly downloadable.
- DPA not directly located in public evidence; GDPR/CCPA posture and subprocessor list are public, but a signed DPA likely sits behind sales/enterprise.
// At a glance
Pricing model
Freemium SaaS: free tier, self-serve paid tiers, and Enterprise (custom). Per the pricing page and 'Pricing' nav.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Builder.io, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.builder.io