1. Overview
At Builtrly, security is not an afterthought — it is foundational to everything we build. We design our infrastructure, processes, and product features with the assumption that threats exist at every layer. This document describes our security posture, the measures we take to protect your business data, and the service commitments we make to ensure the Builtrly platform is reliable, fast, and available when you need it.
This Security & SLA policy applies to all users of the Builtrly platform, including merchants, their team members, and end customers interacting with Builtrly-powered storefronts.
2. Infrastructure & Uptime
Builtrly’s platform is built on enterprise-grade cloud infrastructure with global redundancy:
- Distributed hosting: Our application servers and databases are deployed across multiple availability zones to eliminate single points of failure.
- Global CDN: Merchant storefronts are served from a global content delivery network, ensuring fast page loads for customers regardless of location.
- Auto-scaling: Our infrastructure automatically scales to handle traffic spikes during promotions or high-demand periods, without any action required from merchants.
- Database clustering: All databases use clustered, highly available configurations with automatic failover.
- Zero-downtime deployments: Platform updates and new feature releases are deployed without interrupting merchant store availability.
3. Service Level Agreement (SLA)
3.1 Uptime Commitments
| Plan | Uptime Target | Max Monthly Downtime |
|---|---|---|
| Free | 99.5% | ~3.65 hours |
| Starter | 99.9% | ~43.8 minutes |
| Pro / Growth | 99.95% | ~21.9 minutes |
| Elite (Builtrly AI Agent) | 99.99% | ~4.38 minutes |
3.2 What Counts as Downtime
“Downtime” means any period during which your storefront or dashboard is completely inaccessible due to Builtrly infrastructure failures — excluding:
- Scheduled maintenance windows (announced at least 48 hours in advance);
- Outages caused by third-party services (e.g., payment gateways);
- Force majeure events (natural disasters, government actions, widespread internet failures);
- Issues caused by your own code, configurations, or actions;
- Malicious attacks against your store (e.g., DDoS attacks) or massive, unannounced traffic spikes that exceed reasonable platform limits;
- Degraded performance or timeouts related to "Beta", "Preview", or experimental features (including third-party LLM timeouts for the Builtrly AI Agent).
3.3 Service Credits
If we fail to meet the uptime SLA for your plan in any given calendar month, you are entitled to a service credit:
- 1 day credit for each hour of unplanned downtime beyond the SLA threshold, up to a maximum of 30 days.
- Credits must be claimed within 30 days of the incident by contacting hello@builtrly.app.
- Credits are applied to future subscription payments and cannot be exchanged for cash.
- Sole Remedy: The issuance of service credits is your sole and exclusive remedy for any downtime, performance degradation, or failure to meet the SLA.
4. Payment Security
Builtrly does not process, transmit, or store card numbers, CVV codes, or bank PINs on its servers. All payment processing is delegated to PCI-DSS Level 1 compliant processors.
- All checkout pages use HTTPS with TLS 1.2+ encryption.
- Card data never touches Builtrly servers — it is tokenized at source by the payment gateway.
- Bank account numbers used for merchant payouts are encrypted at rest and only decrypted during payout processing.
- All payout requests undergo automated fraud checks before processing.
- We implement rate limiting and anomaly detection on payment-related API endpoints to prevent abuse.
5. Data Protection
- Encryption in transit: All data transmitted between your browser/app and Builtrly servers is encrypted using TLS 1.2 or higher. We enforce HTTPS-only access across all endpoints.
- Encryption at rest: All databases, file storage, and backups are encrypted at rest using AES-256.
- Data isolation: Each merchant’s data is logically isolated at the application layer. Row-level security is enforced in the database to prevent cross-merchant data access.
- Minimal data collection: We collect only the data necessary to provide our services. We do not sell your data to third parties.
- Right to deletion: Merchant accounts and their associated data can be permanently deleted upon request. See our Privacy Policy for retention timelines.
6. Access Controls
- Multi-factor authentication (MFA): We strongly recommend and support MFA for all merchant accounts.
- Role-based access control (RBAC): Merchants can grant staff access with specific, limited permissions to prevent unauthorized actions.
- Session management: Sessions are automatically expired after a period of inactivity. All active sessions can be viewed and revoked from your account settings.
- Internal access: Builtrly staff access to production data is restricted to authorized personnel only, uses MFA, and is logged and audited.
- Privileged access reviews: Internal access controls are reviewed quarterly to ensure the principle of least privilege is maintained.
7. Incident Response
We have a formal incident response plan for security events and outages:
- Detection: 24/7 automated monitoring and alerting for infrastructure anomalies, security events, and performance degradation.
- Containment: Immediate isolation of affected systems to prevent further damage or data exposure.
- Notification: In the event of a confirmed data breach affecting merchant or customer data, we will notify affected merchants within 72 hours of discovery, in accordance with the Nigeria Data Protection Act 2023.
- Remediation: Root cause analysis and permanent fixes are implemented following every significant incident.
- Post-incident review: All significant incidents result in a post-mortem review and public or private disclosure as appropriate.
8. Vulnerability Management
- We conduct regular internal security assessments and code reviews.
- Third-party penetration tests are conducted at least annually.
- All software dependencies are monitored for known vulnerabilities using automated scanning tools. Critical patches are applied within 24 hours of release.
- We operate a responsible disclosure policy (see Section 12) that rewards external security researchers who report valid vulnerabilities.
9. Third-Party Security
We take the security of our supply chain seriously. All third-party vendors with access to Builtrly systems or data are required to:
- Maintain appropriate security certifications (e.g., PCI-DSS, ISO 27001, SOC 2) relevant to their scope;
- Execute data processing agreements consistent with the Nigeria Data Protection Act 2023;
- Undergo security review prior to onboarding.
A list of key sub-processors is available upon request at security@builtrly.app.
10. Backup & Disaster Recovery
- Automated backups: All databases are backed up every 6 hours. Backups are retained for 30 days (paid plans) or 7 days (free plan).
- Geographic redundancy: Backups are stored in a separate geographic region from primary data.
- Recovery time objective (RTO): In the event of a full system failure, we target recovery within 4 hours for paid plans.
- Recovery point objective (RPO): Our target RPO is 6 hours, meaning data loss in a worst-case scenario is limited to the most recent 6-hour backup window.
- Tested regularly: Backup integrity and restoration procedures are tested quarterly.
- Platform-level only: Backups are maintained strictly for full-platform disaster recovery. We do not guarantee the ability to restore individual merchant records (e.g., accidentally deleted products or customers). Merchants are strongly advised to keep their own CSV exports of critical data.
11. Regulatory Compliance
Builtrly operates in compliance with the following regulations and standards, where applicable:
- Nigeria Data Protection Act 2023 (NDPA) and NDPR 2019 — our primary data protection framework;
- PCI-DSS — we partner exclusively with PCI-DSS certified payment processors;
- NITDA Guidelines — we comply with guidelines issued by the National Information Technology Development Agency;
- CBN Regulations — payment operations are conducted in alignment with Central Bank of Nigeria directives applicable to our payment partners.
12. Reporting Security Issues
We take security reports seriously and have a responsible disclosure policy. If you discover a potential security vulnerability in the Builtrly platform, please report it to us promptly:
- Security reporting: security@builtrly.app
Please include a clear description of the vulnerability, steps to reproduce it, and the potential impact. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.
We will not pursue legal action against researchers who report vulnerabilities in good faith, comply with our disclosure policy, and do not access, modify, or disclose data belonging to other users.
For all other security concerns or questions, please contact hello@builtrly.app or visit our Help Center.