Biscuit handles the security work most non-technical builders shouldn’t have to think about. Apps run on managed cloud infrastructure, data is encrypted in transit and at rest, and authentication uses standard secure patterns. The team is responsible for keeping your app and your users’ data safe, the same way any other production platform would be.

What Biscuit handles

  • All data is encrypted in transit (TLS) and at rest using cloud-provider encryption.
  • API keys you connect (Stripe, email, third-party integrations) are stored encrypted by Biscuit. The decryption happens in a system layer that’s outside the AI-written code, and only at the moment your app makes the outbound request to the external service.
  • User sign-in uses standard secure patterns. Google OAuth is the default; other providers can be added.
  • Apps run on managed cloud infrastructure operated by Biscuit.
  • The platform is kept up to date against known vulnerabilities.
  • When you publish, Biscuit runs automated checks on the app config to catch obvious issues before going live. Today this covers payments setup; more checks are on the roadmap.

What you’re responsible for

  • If any API keys you’ve connected are compromised at the provider’s end, you must rotate them yourself (please contact us if you have questions).
  • If your app collects sensitive data from users, you handle legal compliance, privacy policy, and what you do with the data.
  • You configure who can read, write, and delete records in your app’s data. Set those permissions deliberately.

FAQ

On managed cloud infrastructure operated by Biscuit. The team can share detailed architecture on request.
Yes. The Data section of your project lets you export every model as CSV. For full backups, contact the team.
