Our Commitment
At Butlers.io, security is not an afterthought — it is foundational to every decision we make. Your Butlers handle sensitive operations, connect to critical systems, and carry credentials that must be protected at all costs. We treat that responsibility with the seriousness it deserves.
Infrastructure Security
Hosting and Network
- All services are hosted on industry-leading cloud infrastructure with SOC 2 Type II and ISO 27001 certifications.
- Network traffic is encrypted in transit using TLS 1.3. Internal service-to-service communication uses mutual TLS (mTLS).
- Infrastructure is deployed across multiple availability zones for redundancy and high availability.
- All access to production systems requires multi-factor authentication and is logged and monitored.
Isolation
- Each Butler operates in an isolated execution environment. Butlers belonging to different teams cannot access each other's resources, secrets, or runtime state.
- Team boundaries are enforced at the infrastructure level, not just the application level.
- Butler execution environments are ephemeral and destroyed after each task execution, minimizing the window for potential compromise.
Secrets Management
Each Butler maintains its own private vault for API keys, database credentials, tokens, and other sensitive configuration. Here is how we protect them:
- Encryption at rest: All secrets are encrypted using AES-256-GCM before being stored. Encryption keys are managed through a dedicated key management service (KMS) with automatic key rotation.
- Encryption in transit: Secrets are transmitted only over TLS 1.3-encrypted channels.
- Zero-knowledge access: Butlers.io staff cannot view the plaintext contents of your secrets. Secrets are decrypted only at runtime within the Butler's isolated execution environment.
- Audit logging: Every access to a secret is logged, including which Butler accessed it and when. These logs are available in your dashboard.
- Scoped access: Secrets are scoped to individual Butlers. A secret assigned to one Butler is never available to another unless you explicitly configure shared access.
Application Security
Authentication and Authorization
- User accounts are protected with bcrypt-hashed passwords and optional multi-factor authentication (MFA).
- API access uses short-lived tokens with configurable expiration and scope restrictions.
- Role-based access control (RBAC) allows you to define granular permissions for team members across Butlers, skills, and secrets.
Code and Dependencies
- Our codebase undergoes regular security reviews and penetration testing by independent third-party firms.
- Dependencies are continuously scanned for known vulnerabilities using automated tooling.
- We follow secure development lifecycle (SDLC) practices, including mandatory code review for all changes.
Butler School Skills
- All skills submitted to Butler School undergo automated security scanning before publication.
- Skills are executed within sandboxed environments with limited permissions.
- Community-reported vulnerabilities in skills are triaged and addressed within 24 hours.
Data Protection
- Backups: Data is backed up daily with point-in-time recovery available for the past 30 days. Backups are encrypted and stored in a separate geographic region.
- Retention: Execution logs are retained for 90 days by default. You can configure shorter retention periods to meet your compliance needs.
- Deletion: When you delete a Butler, its secrets, execution history, and all associated data are permanently purged within 72 hours.
- Data residency: Primary data storage is in the United States. We are working toward offering regional data residency options.
Incident Response
We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a security incident that affects your data:
- We will notify affected users within 72 hours of confirmed impact.
- We will provide clear, actionable guidance on any steps you should take.
- We will publish a post-incident report detailing root cause, impact, and remediation.
Compliance
We are actively pursuing the following compliance certifications and frameworks:
- SOC 2 Type II — Audit in progress, expected completion Q2 2026.
- GDPR — We honor data subject rights for users in the European Union and European Economic Area.
- CCPA — We comply with the California Consumer Privacy Act for California residents.
Responsible Disclosure
We welcome and appreciate responsible security research. If you discover a vulnerability in our platform, please report it to us at:
security@butlers.io
We ask that you provide us reasonable time to investigate and address the issue before any public disclosure. We do not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.
Questions
If you have questions about our security practices or would like to request additional documentation for your compliance review, contact us at security@butlers.io.