Encryption
How data is encrypted in transit and at rest.
This page describes the encryption controls in place for data flowing in and out of Blanca's Builder.
Last updated: 2026-06-28
This page is maintained by Blanca's IT Professional SL to answer common security, privacy and trust questions about Blanca's Builder.
This page is app-owned editable content. It is not an independent audit or certification.
Security is a shared responsibility between Blanca's IT Professional SL, the platforms we run on (Cloudflare, Supabase) and you as the account owner.
In transit
All HTTP traffic uses TLS 1.2 or higher. HSTS is enabled. Mixed-content requests are blocked. Internal traffic between Cloudflare and Supabase uses TLS.
At rest
Database content is encrypted at rest by Supabase using AES-256 disk encryption. Backups inherit the same encryption.
Secrets and API keys
User-supplied AI provider keys are encrypted at rest with a per-row secret derived from a database-level key. Decryption happens inside server functions only and never reaches the browser.
Passwords
Account passwords are hashed by Supabase Auth using bcrypt. Plaintext passwords are never stored or logged.
Canonical: https://blancasbuilder.com/trust/encryption · Blanca's Builder