SECURITY
Read-only by default. You approve every write.
Bao reads your stack through OAuth and read-only API tokens. Every write is gated by your approval and logged. We store findings and scores — not your source code.
Our security guarantees
1. Read-only by default.
All integrations are connected using OAuth and read-only API tokens. Bao cannot make changes without your approval.
2. Approval required for every write.
Any action that can modify your systems is shown to you first. You review and approve — always.
3. Audit log for every decision.
Every scan, action, and decision is logged with who, what, when, and why. Logs are immutable and exportable.
4. We do not store your code.
Bao stores findings, scores, and metadata — never your source code or secrets. Your repositories stay yours.
Compliance & certifications
- SOC 2 Type II: in progress
- GDPR: compliant
- HIPAA: not in scope
- ISO 27001: on roadmap
- Self-hosted: Enterprise
Data residency & storage
- US customers: us-east-1
- EU customers: eu-west-1
- AES-256 at rest
- TLS 1.3 in transit
- Findings: 90 days default
- Audit logs: 1 year default
- Source code: not retained
What Bao reads from each integration
GitHub (read-only)
Repos, code, issues, PRs, workflows, actions, secrets scanning metadata.
Vercel (read-only)
Projects, deployments, domains, environment configs, build & deploy logs.
Supabase (read-only)
Project settings, policies, migrations, tables schema, auth config, edge logs.
Stripe (read-only)
Payments, webhooks, disputes, products, customers (metadata), usage.
Sentry (read-only)
Issues, events, releases, stack traces, performance metrics.
AWS (read-only)
Configuration metadata, IAM, security findings, CloudTrail (read).
Read-only OAuth
Connections cannot change your systems.
Approval-gated writes
You approve every action that can write.
Audit logs exportable
Full traceability. Export anytime.
Region-aware storage
Data stays in your chosen region.
Security should not slow down shipping.
Enterprise-grade security, built for modern teams.
