// Trust & Security Report

    Builder.io, Inc. logo

    Builder.io, Inc.

    Builder.io Visual Development Platform (Visual Copilot is the Figma/design-to-code AI feature; also marketed within Fusion / Publish)

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance: SOC 2 Type II ... Resources: SOC 2 Type 2 _ June 2025 ... DEPRECATED: SOC 2 Type 2 _ 2024

    Verify on trust.builder.io
    SOC 2 Type II (security page corroboration)
    HELD

    Builder is SOC2 Type 2 compliant. Contact us for more details or visit our Trust Report to request access to the report.

    Verify on builder.io
    GDPR
    HELD

    Compliance: SOC 2 Type II / GDPR / CCPA COMPLIANT

    Verify on trust.builder.io
    CCPA
    HELD

    Compliance: ... CCPA COMPLIANT

    Verify on trust.builder.io
    HIPAA
    HELD

    Trust center 'Data collected' lists 'Personal health information' as a data category, but no HIPAA compliance, BAA, or attestation is claimed. Treat as not offered absent confirmation.

    Verify on trust.builder.io
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Builder.io conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. (This references ISO 27005 risk-management *guidelines* only; no ISO 27001 certification is claimed anywhere on the trust center or security page.)

    source: builder.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    United States and other countries (global). Privacy policy: 'Your information may be stored and processed in - and we may transfer information to - the U.S. and other countries.' No EU-only/region-pinned residency offered publicly. Standard cross-border transfer language for EU users.

    Plan-dependent and this is the most important nuance for buyers. Verbatim from the AI-use doc: Free plans -> 'Builder may use customer data to train and improve the AI.' Self-serve paid plans -> 'Customer data may be used to train the AI only if AI content training is toggled On' (opt-in, default behavior should be confirmed in-product). Enterprise plans -> 'Builder does not use customer data from Enterprise accounts for AI training or improvement purposes.' Third-party LLMs -> 'Builder currently uses OpenAI and Anthropic's Claude. We may also use open-source LLMs, such as Mistral or Llama 2' and 'The third-party LLMs we use do not train on your data.' Proprietary models -> 'Builder's proprietary AI models are fully built and trained internally and hosted on Google Cloud.' Marketing/blog claim: 'We don't train on your data.' trains_on_customer_data is recorded as false for paid/enterprise (the directory's relevant audience), but note the free-tier exception.

    // Security controls

    Penetration testing

    Performed (listed as a Product security control on the trust center). Security page also describes manual source-code analysis, peer review, static analysis, threat modeling, and OWASP-based design/testing.

    trust.builder.io

    Bug bounty / VDP

    None found. No HackerOne or Bugcrowd program and no published vulnerability disclosure program located on the vendor domain or via search. Security contact is support@builder.io.

    builder.io

    Encryption

    TLS in transit ('all communications ... are encrypted using ... Transport Layer Security (TLS)'); data encryption at rest ('Data encryption utilized' control); passwords hashed with a random salt; encryption key access restricted.

    builder.io

    Access controls

    SSO, strong passwords and/or 2FA required for employee access to production; least-privilege internal access; account lockout on repeated failed logins; per-session unique identifiers.

    builder.io

    Resilience / availability

    Daily/weekly/monthly backups tested regularly; multi-data-center replication; documented and tested Incident Response Plan; Business Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained.

    trust.builder.io

    Subprocessors (disclosed)

    Google Cloud Platform (primary production hosting + holds internal model hosting), Amazon Web Services (CDN + logging), Fastly (CDN), Anthropic (LLM hosting). Full list available on the trust center.

    trust.builder.io

    Hosting

    Google Cloud Platform and Amazon Web Services. Biometric-controlled data centers; vendor relies on cloud providers' physical-security attestations.

    builder.io

    // Products & data scope

    Visual Copilot (Figma plugin / design-to-code)AI design-to-code

    data: Sends design/Figma content and prompts to third-party LLMs (OpenAI, Anthropic Claude, possibly Mistral/Llama) and to Builder's GCP-hosted internal models. 600,000+ plugin users cited. Third-party LLMs do not train on the data; 'Match My Code Style' / Component Mapping use customer code components.

    GA since March 2024; Visual Copilot 2.0 ('Design to Interactive') announced later. Now folded into Builder's broader platform (Fusion).

    Builder.io Free / self-serve plansVisual CMS + AI

    data: Free tier: customer data MAY be used to train/improve AI. Self-serve paid: AI training only if the customer toggles 'AI content training' On.

    This is the key compliance differentiator vs Enterprise. Procurement-sensitive teams should be on a paid plan with training off, or Enterprise.

    Builder.io EnterpriseEnterprise visual development platform

    data: No customer data used for AI training or improvement. SOC 2 Type II report available under request/NDA. Enterprise SLA and Enterprise Support Terms published.

    Best fit for regulated/security-conscious buyers. Trust center access and SOC 2 report are request-gated (Vanta).

    // What to watch

    • AI-training behavior is plan-dependent: FREE tier may use customer data to train AI; self-serve paid is opt-in; only Enterprise is contractually no-training. The blanket marketing claim 'We don't train on your data' is accurate only for third-party LLMs and for paid/enterprise, not for the free tier.
    • No public bug bounty or VDP program found.
    • No ISO 27001 certification (only ISO 27005 risk-methodology reference). Do not list ISO 27001.
    • Trust center 'Data collected' lists 'Personal health information' and 'Credit card information' as categories, but no HIPAA/PCI attestation is claimed; HIPAA marked unknown/not offered.
    • SOC 2 report and full trust center are request-gated (Vanta) rather than openly downloadable.
    • DPA not directly located in public evidence; GDPR/CCPA posture and subprocessor list are public, but a signed DPA likely sits behind sales/enterprise.

    // At a glance

    Pricing model

    Freemium SaaS: free tier, self-serve paid tiers, and Enterprise (custom). Per the pricing page and 'Pricing' nav.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Builder.io, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.builder.io

    > Browse all vendor trust reports