Security

UI Bakery is SOC 2 compliant, demonstrating our commitment to maintaining the highest standards of data security and operational integrity. Through our Trust Portal, you can request our latest SOC reports, annual penetration test (pentest) reports, and details about our internal security policies.

This article covers the security infrastructure provided by UI Bakery (data handling, access control, authorization, etc.) as well as information on vulnerability management.

Data handling & storage

UI Bakery only stores your data when using our internal UI Bakery Database.

When using external data sources (database, API, third-party services), UI Bakery only serves as a proxy - we don't store any data returned by your data sources and we don't expose your sensitive credentials to the browser to avoid possible security breaches.

What we do store is only usage metadata, such as:

  • User data (emails, authorised user accounts)

  • Page views and Page URLs

  • Data source data (name, type of data source)

  • Components (types of components)

  • Action data (name, type of action)

  • Audit logs

  • Org settings

  • AI Chat history

Deployment models

Cloud

  • UI Bakery cloud is hosted in Azure data centers on servers that are SOC 1 and SOC 2 compliant.

  • We maintain data redundancy on our cloud instances via regular backups.

Self-hosted

  • Gives you full control of UI Bakery and your data as it's securely stored on your own Virtual Private Server (VPS).

  • For self-hosted, we are physically unable to access any data related to your UI Bakery instance.

Network security

UI Bakery connects to your data sources only through whitelisted IPs:

52.176.109.125
20.52.252.203
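As an added check (not UI Bakery's own code), the script below audits a PostgreSQL pg_hba.conf so that the role UI Bakery connects with is admitted only from the two addresses published above and only over TLS. The role name uibakery and the sample rules are assumptions constructed for this example.

```python
import ipaddress

# The two egress addresses published on this page.
UIBAKERY_EGRESS = [ipaddress.ip_network(a) for a in ("52.176.109.125/32", "20.52.252.203/32")]

# Constructed sample pg_hba.conf; the 'uibakery' role name is an assumption.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS            METHOD
local   all       postgres                     peer
hostssl all       uibakery  52.176.109.125/32  scram-sha-256
host    all       uibakery  20.52.252.203/32   scram-sha-256
hostssl all       uibakery  0.0.0.0/0          scram-sha-256
hostssl analytics reporting 10.0.0.0/8         scram-sha-256
"""

def parse_pg_hba(text):
    """Return the TCP rules as (type, database, user, network, method) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":               # unix-socket rules carry no address column
            continue
        conn_type, database, user, address, method = fields[:5]
        rules.append((conn_type, database, user,
                      ipaddress.ip_network(address, strict=False), method))
    return rules

def audit_rules(rules, role, allowed=UIBAKERY_EGRESS):
    """Flag rules for `role` that admit addresses outside the published IPs
    or that accept plaintext connections (anything other than 'hostssl')."""
    findings = []
    for conn_type, database, user, network, method in rules:
        if user != role:
            continue
        if not any(network.subnet_of(a) for a in allowed):
            findings.append(f"{database}/{user}: {network} is wider than the published UI Bakery IPs")
        if conn_type != "hostssl":
            findings.append(f"{database}/{user}: {network} uses '{conn_type}', TLS is not enforced")
    return findings
```

A clean configuration yields an empty findings list; in the sample, the plain `host` rule and the `0.0.0.0/0` rule are reported.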

Access control

By default, only Admins and Editors have all the permissions required to manage data sources. However, you can still manage data source access for Users with a custom role.

If you have a public app, you can enable anonymous access to your data source - but you'll have to consider the security concerns involved in this case.

Authentication & encryption

  • All data source credentials are encrypted.

  • All Cloud connections are encrypted with Transport Layer Security (TLS).

  • You can set up SSO for your self-hosted UI Bakery instance.

  • Multi-factor authentication (MFA) can be enabled to enhance security for your workspace. UI Bakery uses the TOTP (Time-based One-Time Password) algorithm for 2FA.

Authorization & roles

Within UI Bakery, authorization is assigned via roles and role permissions.

The default roles include:

  • Admin - can invite and manage other users, change workspace settings, develop, and deploy apps.

  • Editor - can view and develop apps.

  • User - can use applications in the End-user mode and can be a member of a shared permission group.

Apart from these default roles, you can also create and assign custom roles to your users.

Role permissions provide access to apps and data sources.

You can also control user access to applications by setting a Landing page URL for specific user roles. By default, they will be redirected to the path you provide.

Audit logging & monitoring

We keep detailed audit logs of all our internal systems.

Audit logs can be filtered by a certain time period, environment, app, or user. You can also select a specific log level:

  • Log

  • Warn

  • Error

Vulnerability management

Scanning

To maintain the integrity and security of our software, we employ regular scanning of container images. This is a crucial step in identifying and addressing vulnerabilities. We utilize the Trivy tool, a trusted open-source vulnerability scanner, to carry out these scans. Trivy performs comprehensive scans to identify vulnerabilities, which include operating system (OS) and dependency vulnerabilities. This process helps us detect issues before they can be exploited, ensuring your applications are protected from potential threats.

Timely response

At UI Bakery, we understand the urgency of addressing vulnerabilities. We maintain an open channel of communication with security researchers so that they can report security vulnerabilities responsibly.

Our commitment to security means we have established clear response timelines to ensure the safety and integrity of our software:

  • Direct impact on UI Bakery - In cases where a critical vulnerability directly affects the core of UI Bakery itself, we will initiate immediate action to address the issue.

  • Critical vulnerabilities - Our team is dedicated to delivering a fix within 30 days from the moment a solution becomes available.

  • Other vulnerabilities - Non-critical vulnerabilities are addressed within 60 days of the fix becoming available.
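The scanning and response timelines above, as an added example (not UI Bakery's own tooling): a small triage script over Trivy's JSON output that skips a known false-positive allow-list and assigns each remaining finding the 30-day (critical) or 60-day (other) window. The report, the placeholder CVE ids and the assumption that the scan date is the day the fix became available are all constructed for this example.

```python
import json
from datetime import date, timedelta

# Known false positives to skip (placeholder ids constructed for this example).
KNOWN_FALSE_POSITIVES = {"CVE-0000-00003"}

# Remediation windows from the response timelines above, counted from the day a
# fix becomes available (assumed here: the scan date on which Trivy first reports
# a FixedVersion). The "direct impact" tier is a judgment call and is not modelled.
SLA_DAYS = {"CRITICAL": 30}
DEFAULT_SLA_DAYS = 60

# Constructed Trivy JSON output (`trivy image --format json`), trimmed to the fields used.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "example/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
             "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother", "InstalledVersion": "2.3",
             "Severity": "HIGH"},                       # no FixedVersion: no fix available yet
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libfp", "InstalledVersion": "0.9",
             "FixedVersion": "1.0", "Severity": "CRITICAL"},
        ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00004", "PkgName": "example-js", "InstalledVersion": "4.1.0",
             "FixedVersion": "4.1.1", "Severity": "MEDIUM"},
        ]},
        {"Target": "clean-layer"},   # targets without findings carry no 'Vulnerabilities' key
    ],
})

def triage(report_json, scan_date, ignore=KNOWN_FALSE_POSITIVES):
    """Return one dict per actionable finding, earliest deadline first; deadline is None
    while no fixed version exists, because the clock only starts when a fix is available."""
    items = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln["VulnerabilityID"] in ignore:
                continue
            fixed = vuln.get("FixedVersion")
            days = SLA_DAYS.get(vuln["Severity"], DEFAULT_SLA_DAYS)
            items.append({"id": vuln["VulnerabilityID"], "target": result["Target"],
                          "pkg": vuln["PkgName"], "severity": vuln["Severity"], "fixed_version": fixed,
                          "deadline": scan_date + timedelta(days=days) if fixed else None})
    return sorted(items, key=lambda i: (i["deadline"] is None, i["deadline"] or date.max))

def overdue(items, today):
    """Ids whose remediation window has already closed as of `today`."""
    return [i["id"] for i in items if i["deadline"] and i["deadline"] < today]
```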

False positive results

Occasionally, security scanners report false positives, incorrectly flagging vulnerabilities that have no impact on our software. Here is a list of known false positives:
