Security

Your cloud access keys and secrets are encrypted using AES-256-GCM before being written to the database. This is an authenticated encryption algorithm that provides both confidentiality and integrity guarantees — meaning that if the ciphertext is tampered with, decryption will fail rather than silently returning corrupted data.

Encryption keys are stored separately from the credential data they protect, following the principle of key separation. This means that a compromise of the database alone would not expose plaintext credentials.

Credentials are never logged, never included in API responses, and are decrypted only transiently in memory to fulfill the specific storage operation you requested. Once the operation completes, the plaintext key material is discarded.

All communication between your browser and BringBucket's servers is encrypted using TLS (Transport Layer Security) version 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) to ensure your browser always connects over a secure channel, and we reject all insecure HTTP connections.

Similarly, all API calls made by BringBucket on your behalf to your cloud storage provider use TLS-encrypted connections. We do not transmit your cloud credentials or your file data over unencrypted channels under any circumstances.

BringBucket runs on enterprise-grade cloud infrastructure with automated backups, geographic redundancy, and continuous uptime monitoring. Our hosting environment is designed for high availability with graceful failover in the event of component failure.

Access to production systems is restricted exclusively to authorized personnel. All production access requires multi-factor authentication (MFA), and sessions are logged and auditable. We apply the principle of least privilege — each team member and service account is granted only the minimum permissions necessary to perform their role.

Dependency and container images are regularly updated to patch known vulnerabilities. Security patches for critical CVEs are applied on an expedited basis.

Each BringBucket workspace has granular role-based access control (RBAC) to ensure the right people have the right level of access:

• Owner — Full control over the workspace, including billing, provider configuration, and member management.
• Admin — Can manage members and configure providers, but cannot change billing details or delete the workspace.
• Member — Can browse, upload, and download files within assigned storage buckets.
• Viewer — Read-only access; can browse and download files but cannot make changes.

File sharing uses scoped, pre-signed URLs generated directly by your cloud provider. These URLs are time-limited and expire after the duration you configure, ensuring that shared links do not provide indefinite access.

BringBucket takes the security of our platform and our users' data seriously. If you discover a security vulnerability, we encourage responsible disclosure:

• Email your findings to security@bringbucket.com. Please provide enough detail to reproduce and assess the issue.
• We will acknowledge receipt of your report within 48 hours and keep you informed of our progress.
• We aim to resolve critical and high-severity issues within 72 hours of confirmation.
• We do not take legal action against researchers who report vulnerabilities in good faith and adhere to responsible disclosure practices.

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it, and that you do not access, modify, or delete any user data during your research.