# Security, privacy and compliance

### Infrastructure Setup

**Cloud Platform:** We run our production infrastructure on AWS. Our application is deployed in isolated cloud environments for development and production, with separate access controls, deployment paths, and runtime resources for each environment. We also use managed AI services, including OpenAI, as part of our product architecture.

**Environment Isolation:** Development and production are separated from each other. Changes are validated in non-production environments before being promoted to production, helping ensure that testing activity remains isolated from live customer workloads.

**Deployment Model:** Our application is containerized and deployed on Kubernetes. Deployments are performed through authenticated CI/CD workflows and controlled network access, rather than direct public access to production infrastructure.

**Infrastructure Automation:** We manage infrastructure through infrastructure-as-code using Terraform. Infrastructure changes are version-controlled, reviewed, and deployed through automated workflows, which helps keep environments consistent and auditable.

### Code Residency and Deployment

**Source Code Repository:** Our source code is hosted in private GitHub repositories with access controls and auditability provided by GitHub. Code changes are managed through a controlled review and merge process.

**CI/CD:** We use GitHub Actions for continuous integration and deployment. Code is built, tested, packaged, and deployed through automated pipelines. These workflows also handle promotion of approved builds from non-production to production environments.

**Artifacts:** Application build artifacts are stored in private container registries in our AWS environment. Images are versioned for traceability and scanned as part of the delivery pipeline.

#### Disclosure

If you notice a security issue or have a question or concern, you can reach out to our CTO, Nimrod, at <nimrod@baz.co>. We'll respond as soon as possible. Currently, we do not have a bug bounty program.

