Bleenk logo
Sign up

Trust Center

Security at Bleenk

Bleenk Studio is a multi-tenant AI application builder. This page summarizes how we isolate project workspaces, protect credentials, route AI requests, and support enterprise security reviews.

Request accessCompliance

Data access

Role-based (team & project)

Workspace isolation

Per-project sandboxes

Customer API keys

BYOK on paid plans

OverviewComplianceResourcesControlsDataSubprocessorsFAQUpdates
OverviewComplianceResourcesControlsDataSubprocessorsFAQUpdates

Overview

Bleenk Studio lets teams build, run, and deploy full-stack applications with AI agents in isolated dev environments. We process account and billing data, project source code, chat and agent execution history, encrypted credentials for connected services, and deployment configuration. Production cloud hosting uses Kubernetes on AWS (per-project namespaces and network policies) with PostgreSQL, Redis, and object storage for platform and project data. Confidentiality and integrity rely on TLS in production, Fernet encryption for stored secrets and OAuth tokens, scoped agent tooling with approval gates, and team-scoped audit logging.

security@bleenk.app·Privacy Policy

Compliance

Framework alignment for procurement reviews. Formal audit reports are available on request where applicable.

  • GDPR

    Aligned

    Learn more about our GDPR alignment.

  • SOC 2 Type II

    On request

    Learn more about our SOC 2 Type II alignment.

  • ISO 27001

    Roadmap

    Learn more about our ISO 27001 alignment.

  • HIPAA

    On request

    Learn more about our HIPAA alignment.

  • PCI DSS (platform)

    Compliant

    Learn more about our PCI DSS (platform) alignment.

Resources

Request access for gated documents (mailto security@bleenk.app).

  • Compliance

    SOC 2 report

    Request access

  • Questionnaires

    Security questionnaire (SIG / CAIQ)

    Request access

  • Privacy

    Privacy Policy

    View document

  • Product

    Security documentation

    View document

  • Product

    Subprocessor list

    Request access

Controls

View all

Infrastructure security

  • Per-project isolated sandboxes (Kubernetes namespaces with network policies; Docker isolation in local dev)
  • Encryption in transit via HTTPS/TLS for production traffic; optional TLS for PostgreSQL
  • Fernet encryption at rest for deployment OAuth tokens, channel credentials, BYOK keys, and project secrets
  • Network policies restrict ingress and egress between platform services and project workspaces
Learn more

Organizational security

  • Team RBAC with admin, editor, and viewer roles
  • Team and project audit logs with CSV export for workspace admins
  • Optional email 2FA and WebAuthn passkeys for login
  • Email domain allowlist and blocklist for signup compliance

Product security

  • Agent approval gates in Ask mode and pause-for-approval for risky tool calls
  • In-product security scanning with compliance framework labels
  • Command, pod access, and workspace audit logging; CSRF protection and security headers on APIs
  • Rate limiting on sensitive endpoints (for example secret reveal and 2FA)
Learn more

AI security

  • Model routing through a LiteLLM proxy to upstream providers
  • BYOK on paid plans (Basic, Pro, Ultra): encrypted customer keys billed without platform credits when active
  • Project secrets scoped to approved shell execution with output scrubbing
  • Tool-scope gating; dangerous tools require explicit user approval in Ask mode
Learn more

Network security

  • Kubernetes network policies for platform services and project compute namespaces
  • Internal API routes authenticated for cluster-internal callers
  • CORS and CSRF middleware with secure cookie settings
  • Per-container preview hostnames with TLS via ingress in production

Internal security practices

  • Structured audit tables for team actions, agent commands, and pod access
  • Non-blocking background jobs for deploy, snapshots, and agent work
  • Contact security@bleenk.app for incident response and operational security program details

Data collected

Categories of data Bleenk Studio stores or processes when customers use the cloud product. Payment card numbers are not stored on Bleenk servers.

  • Customer account dataYes
  • Source code and project contentYes
  • Chat, agent steps, and command audit logsYes
  • Encrypted API keys and integration tokens (BYOK, Git, deploy providers, MCP, channels)Yes
  • Billing and subscription metadata (via Stripe)Yes
  • Optional product analytics (PostHog, when configured)Yes
  • Employee account data (Bleenk staff)Yes
  • Payment card dataNo
  • Personal health informationNo

Subprocessors

Third parties that process customer data on Bleenk’s behalf for hosted Bleenk Studio, plus providers customers connect voluntarily. Regions reflect typical deployment; confirm current hosting with security@bleenk.app for contracts.

  • Amazon Web Services (AWS)

    Production Kubernetes (EKS), container registry (ECR), object storage (S3), and related cloud infrastructure.

    Regions
    US

  • PostgreSQL database provider

    Platform database (managed PostgreSQL / RDS or hosted Postgres per environment).

    Regions
    US, EU (per deployment)

  • Redis

    Task queue, pub/sub, streams, caching, and rate limiting.

    Regions
    US (in-cluster or managed per deployment)

  • LiteLLM / AI model providers

    LLM API routing; upstream providers include OpenAI, Anthropic, OpenRouter, Groq, Together, DeepSeek, Fireworks, and others configured in the catalog or via customer BYOK keys.

    Regions
    US, Global (provider-dependent)

  • Stripe

    Subscriptions, checkout, and billing webhooks; card data stays with Stripe.

    Regions
    US

  • Resend (or SMTP)

    Transactional email (2FA codes, password reset, invites) when configured.

    Regions
    US

  • Cloudflare

    DNS, TLS, and optional Workers/Pages deployments when customers connect Cloudflare or when the platform uses Cloudflare for certificates.

    Regions
    US, Global

  • GitHub / GitLab / Bitbucket

    Repository access when customers connect version control (OAuth tokens encrypted at rest).

    Regions
    US, EU

  • Deployment platforms (customer-authorized)

    Vercel, Netlify, Cloudflare, Heroku, DigitalOcean, and similar targets when customers deploy from Studio.

    Regions
    US, EU, Global

  • Web search (platform-configured)

    Tavily, Brave Search, or DuckDuckGo when agent web search uses platform API keys.

    Regions
    US

  • PostHog (optional)

    Frontend product analytics when configured; respects Do Not Track in client initialization.

    Regions
    US, EU (PostHog project configuration)

FAQ

Where can I find Bleenk security documentation?
Product security practices are summarized on this Trust Center and in public docs at https://docs.bleenk.app. Enterprise customers can request architecture diagrams, a subprocessors list, and completed questionnaires by emailing security@bleenk.app.
How does Bleenk handle AI and customer data?
Agent prompts and project context are sent to the model path you use: Bleenk’s LiteLLM proxy for built-in models or your own provider keys on paid plans (BYOK). User and project API keys are encrypted at rest. Agents inspect secret key names in project config but do not receive plaintext secret values through config tools; shell tools that need secrets use scoped execution with output scrubbing. Risky agent actions can require explicit approval in Ask mode or via tool contracts.
Do you offer a Data Processing Agreement (DPA)?
Enterprise customers can request a DPA during procurement. Contact security@bleenk.app to start a review.
What is your incident response process?
Report suspected vulnerabilities or incidents to security@bleenk.app. Customer notification practices are shared during enterprise onboarding.
Do you support SSO, SCIM, or HIPAA BAA?
Enterprise SSO/SAML and SCIM are on the product roadmap. Login today supports email/password, OAuth (Google/GitHub), optional email 2FA, and passkeys. HIPAA BAA availability is on request — contact security@bleenk.app.
Where is production hosted? Can we use BYOK?
Hosted Bleenk Studio is multi-tenant on Kubernetes (AWS EKS in production), with per-project isolation. BYOK is available on paid tiers (Basic, Pro, Premium/Ultra): customers store provider API keys encrypted in Bleenk and requests route directly to those providers without consuming platform AI credits.

Updates

View all
  • Jun 2026Product

    Trust Center published

    Security, privacy, and subprocessors summary for Bleenk Studio.

  • May 2026Security

    Team audit log export

    Workspace admins can export team audit events to CSV from the Teams API.

Get started

Build with AI.
Start your first app with Bleenk.

Sign up
Bleenk logo

Product

  • Features
  • Pricing
  • Integrations

Comparisons

  • All comparisons
  • Bleenk vs. Replit
  • Bleenk vs. Lovable

Resources

  • Changelog
  • Blog
  • Case Studies
  • Roadmap

Company

  • About
  • Careers
  • Press
  • Partners
  • Contact

Legal

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Trust Center
  • Sitemap
© 2026 Bleenk. Made with ❤️ by Robi Labs.
BleenkBuilt with Bleenk