Security first

Security & Trust

Your data stays on your machines. Bleep is built from the ground up with a zero-trust, privacy-first architecture.

Core Principles

100% Local Processing

All scanning and detection runs entirely on your device. Request content is never sent to Bleep servers or any third party.

Selective AI Monitoring

Only traffic to AI services is inspected. All other network traffic passes through completely untouched — zero interference with your regular browsing or apps.

No Data Storage

We never store, log, or access the content of your requests. Only aggregated metadata (detection counts, types) is recorded for audit purposes.

Data Flow Architecture

Understanding exactly what stays local and what touches our cloud.

Local (your device/network)

User / Agent → Bleep Proxy (LOCAL) → AI Service (ChatGPT, Claude, etc.)

All scanning, pattern matching, redaction, and blocking happens here — for browser, IDE, and agent traffic alike.

Content never leaves your machine. Bleep has zero access to it.

Cloud (Bleep servers)

Bleep App → Bleep Cloud

License validation, account management, billing (Stripe), web dashboard.

Only metadata: license keys, detection counts, subscription status.

What We Collect vs. What We Don't

What We Collect (Cloud Only)

  • Account information (name, email, company)
  • License keys and subscription status
  • Aggregated usage metrics (detection counts by type)
  • Application version and platform info
  • IP address for license validation API calls

What We Never Collect

  • Content of your AI requests or responses
  • Source code or proprietary algorithms
  • Credentials, API keys, or passwords
  • PII from your intercepted traffic
  • Browsing history or non-AI network activity

Infrastructure & Encryption

Local Proxy Encryption

The local proxy uses TLS for man-in-the-middle (MITM) inspection of AI traffic, ensuring secure interception and forwarding.

Cloud API Encryption

All communication with Bleep cloud (license validation, dashboard) uses TLS 1.3.

Data at Rest

Supabase encrypts all stored data with AES-256. Stripe handles payment data under PCI DSS Level 1.

No Third-Party Analytics

We do not use Google Analytics or any third-party tracking scripts on our website or dashboard.

Sub-Processor Transparency

We rely on a small number of trusted third-party providers for our cloud services. None of them have access to content processed by your local proxy.

Provider | Purpose | Certifications
Stripe | Payment processing & billing | PCI DSS Level 1, SOC 2 Type II
Supabase | Authentication & database | SOC 2 Type II
Vercel | Web application hosting | SOC 2 Type II

Compliance

Compliant

GDPR

Privacy-by-design architecture. On-prem processing means minimal personal data reaches our cloud.

Architecture Ready

HIPAA

No PHI leaves your environment. Bleep's on-prem design means protected health information stays on your network. BAA available upon request.

Planned

SOC 2 Type II

On our roadmap for enterprise customers. Our cloud infrastructure providers (Supabase, Vercel, Stripe) are already SOC 2 certified.

Roadmap

ISO 27001

Information security management certification on our roadmap as we scale to larger enterprise deployments.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers.

Report a Vulnerability

If you discover a security vulnerability in Bleep, please report it responsibly. Email us at security@bleep-it.com with a detailed description of the issue.

  • We will acknowledge your report within 48 hours
  • We will provide an initial assessment within 5 business days
  • We will not take legal action against researchers acting in good faith
  • We ask that you do not publicly disclose the issue until we have had a chance to address it

Security Questions?

We're happy to answer any security or compliance questions.