Security & Trust
Your data stays on your machines. Bleep is built from the ground up with a zero-trust, privacy-first architecture.
Core Principles
100% Local Processing
All scanning and detection runs entirely on your device. Request content is never sent to Bleep servers or any third party.
Selective AI Monitoring
Only traffic to AI services is inspected. All other network traffic passes through completely untouched — zero interference with your regular browsing or apps.
No Data Storage
We never store, log, or access the content of your requests. Only aggregated metadata (detection counts, types) is recorded for audit purposes.
Data Flow Architecture
Understanding exactly what stays local and what touches our cloud.
Local (your device/network)
User / Agent → Bleep Proxy (LOCAL) → AI Service (ChatGPT, Claude, etc.)
All scanning, pattern matching, redaction, and blocking happen here - for browser, IDE, and agent traffic alike.
Content never leaves your machine. Bleep has zero access to it.
Cloud (Bleep servers)
Bleep App → Bleep Cloud
License validation, account management, billing (Stripe), web dashboard.
Only metadata: license keys, detection counts, subscription status.
What We Collect vs. What We Don't
What We Collect (Cloud Only)
- Account information (name, email, company)
- License keys and subscription status
- Aggregated usage metrics (detection counts by type)
- Application version and platform info
- IP address for license validation API calls
What We Never Collect
- Content of your AI requests or responses
- Source code or proprietary algorithms
- Credentials, API keys, or passwords
- PII from your intercepted traffic
- Browsing history or non-AI network activity
Infrastructure & Encryption
Local Proxy Encryption
The local proxy uses TLS interception (MITM) to inspect AI traffic on your device, and forwards it to the AI service over TLS.
Cloud API Encryption
All communication with Bleep cloud (license validation, dashboard) uses TLS 1.3.
Data at Rest
Supabase encrypts all stored data with AES-256. Stripe handles payment data under PCI DSS Level 1.
No Third-Party Analytics
We do not use Google Analytics or any third-party tracking scripts on our website or dashboard.
Sub-Processor Transparency
We rely on a small number of trusted third-party providers for our cloud services. None of them have access to content processed by your local proxy.
Compliance
GDPR
Privacy-by-design architecture. On-prem processing means minimal personal data reaches our cloud.
HIPAA
No PHI leaves your environment. Bleep's on-prem design means protected health information stays on your network. BAA available upon request.
SOC 2 Type II
On our roadmap for enterprise customers. Our cloud infrastructure providers (Supabase, Vercel, Stripe) are already SOC 2 certified.
ISO 27001
Information security management certification on our roadmap as we scale to larger enterprise deployments.
Responsible Disclosure
We take security vulnerabilities seriously and appreciate the work of security researchers.
Report a Vulnerability
If you discover a security vulnerability in Bleep, please report it responsibly. Email us at contact@bleep-it.com with a detailed description of the issue.
- We will acknowledge your report within 48 hours
- We will provide an initial assessment within 5 business days
- We will not take legal action against researchers acting in good faith
- We ask that you do not publicly disclose the issue until we have had a chance to address it
Security Questions?
We're happy to answer any security or compliance questions.