Security
1. Infrastructure Security
bcz.co is built on a secure, modern infrastructure designed to protect your websites, data, and customers.
- Cloudflare CDN: All sites are served through Cloudflare's global CDN, providing DDoS protection, WAF (Web Application Firewall), and edge caching for fast, secure delivery worldwide.
- HTTPS everywhere: Every site hosted on bcz.co gets a free SSL/TLS certificate automatically. All connections are encrypted with TLS 1.2 or later, and plain HTTP connections are automatically redirected to HTTPS.
- HSTS enabled: HTTP Strict Transport Security is enabled to prevent downgrade attacks.
- Isolated hosting: Each user's site data is isolated from other users. There is no cross-contamination of data between accounts.
2. Data Protection
We take the security of your data seriously:
| Data Type | Protection |
|---|---|
| Account credentials | OAuth-based authentication — we never store passwords |
| Site content | Encrypted at rest and in transit |
| Payment data | Handled by PCI DSS Level 1 compliant processors (Stripe, PayPal) |
| Customer data (e-commerce) | Encrypted storage, access controls, minimal retention |
| Media uploads | Served via CDN with access controls |
We follow the principle of least privilege — employees and systems only have access to the data they need to perform their functions.
3. Payment Security
We do not handle payment card data directly. All payment processing is delegated to trusted, certified processors:
- Stripe: PCI DSS Level 1 compliant. Card numbers and payment details are collected and processed entirely by Stripe's infrastructure.
- PayPal: PCI DSS Level 1 compliant. Payment is handled through PayPal's secure payment flow.
We receive only a payment confirmation token and subscription status. We never see, store, or process your credit card number, CVV, or banking details.
4. Authentication
We use industry-standard OAuth 2.0 and OpenID Connect (OIDC) protocols for authentication:
| Provider | Protocol |
|---|---|
| | OAuth 2.0 / OIDC |
| Apple | Sign in with Apple (OIDC) |
| GitHub | OAuth 2.0 |
| | OAuth 2.0 |
| | OAuth 2.0 |
- Session tokens: JWT (JSON Web Tokens) signed with HS256, with a 24-hour expiry
- No password storage: We never receive, store, or manage passwords. Authentication is fully delegated to identity providers.
- CSRF protection: All forms and API endpoints are protected against Cross-Site Request Forgery attacks.
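The session-token bullet above names two properties a verifier must actually enforce: the signing algorithm (HS256) and the 24-hour expiry. The following is an added, stand-alone example of issuing and verifying such a token with only the Python standard library; it is not bcz.co's code, and the secret, subject and timestamps are constructed values. The verifier pins the algorithm before it looks at the signature, so a token whose header names `none` or a different algorithm is refused rather than trusted, and it compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TTL_SECONDS = 24 * 60 * 60  # the 24-hour expiry stated on the page


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, for a JWT header or payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_session_token(secret: bytes, subject: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying the subject, issue time and a 24-hour expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + SESSION_TTL_SECONDS}
    signing_input = json_segment(header) + "." + json_segment(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_session_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the payload of a valid, unexpired HS256 token; raise ValueError otherwise.

    The algorithm is pinned to HS256 before the signature is checked, so the
    header's "alg" field never selects the verifier (no "none", no RS256 swap).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError("malformed token: undecodable segment") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg: only HS256 is accepted")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(payload, dict):
        raise ValueError("malformed payload")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def is_valid_session_token(secret: bytes, token: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_session_token for callers that only need accept/reject."""
    try:
        verify_session_token(secret, token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values; never hard-code a real signing secret.
    secret = b"constructed-demo-secret"
    t0 = 1_700_000_000
    token = issue_session_token(secret, "user-123", now=t0)
    print("fresh token valid:", is_valid_session_token(secret, token, now=t0 + 60))
    print("after 24h valid:  ", is_valid_session_token(secret, token, now=t0 + SESSION_TTL_SECONDS))
```

The 24-hour window is enforced on the `exp` claim the issuer wrote, so a token cannot be kept alive by re-presenting it; a deployment that also wants revocation before expiry needs server-side session state, which this example does not model.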
5. Site Security for Your Visitors
Every site hosted on bcz.co benefits from:
- Free SSL: Automatic HTTPS for every site, including custom domains
- DDoS protection: Cloudflare's enterprise-grade DDoS mitigation protects your sites from attacks
- Content Security Policy: Configurable CSP headers to prevent XSS attacks on your sites
- Secure headers: X-Frame-Options, X-Content-Type-Options, and other security headers are set by default
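Sections 1 and 5 list the response headers a hosted site should send (HSTS, CSP, X-Frame-Options, X-Content-Type-Options). An owner who wants to confirm those headers actually reach visitors can run a check like the one below against the headers of a real response. This is an added example, not bcz.co's code; the sample header sets are constructed, and the one-year HSTS `max-age` threshold is an assumption, since the page states no value.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from bcz.co) of headers from a site that sends
# everything the page describes; use it as the "expected good" reference.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Assumed threshold: one year is a common bar for HSTS max-age; the page gives none.
MIN_HSTS_MAX_AGE = 365 * 24 * 60 * 60


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers may still accept plain HTTP (downgrade)")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if match is None:
            findings.append("HSTS has no max-age directive")
        elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP permits inline scripts ('unsafe-inline'), weakening XSS protection")
        if "*" in script_src:
            findings.append("CSP permits scripts from any origin (*)")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(GOOD_HEADERS) or ["all checks passed"]:
        print(finding)
```

Feed it the `headers` mapping from whichever HTTP client you use (for example `requests`' `response.headers` or a dict built from `curl -I` output); note that HSTS is only honoured by browsers on an HTTPS response, so check the HTTPS URL, not the redirecting HTTP one.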
6. What We Do Not Do
- No third-party advertising trackers on our platform
- No tracking pixels or advertising beacons
- No cross-site tracking cookies
- No fingerprinting or device identification
- No data sales or sharing with advertisers
- No access to your site analytics data by third parties
7. Vulnerability Reporting
We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability in bcz.co, please report it to:
Email: security@bcz.co
What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any proof-of-concept code or screenshots
Our Commitment
- We will acknowledge receipt within 24 hours
- We will provide an initial assessment within 72 hours
- We will work with you to understand and resolve the issue
- We will credit you in our security acknowledgments (unless you prefer to remain anonymous)
- We will not take legal action against researchers acting in good faith
Scope
The following are in scope for security reports:
- bcz.co and all subdomains
- The website builder application and editor
- The e-commerce checkout flow
- User authentication and account management
- API endpoints
Third-party services (Stripe, PayPal, OAuth providers) are out of scope. Please report vulnerabilities in those services directly to the respective provider.
8. Security Updates
bcz.co is a cloud-hosted platform, so security updates are deployed instantly — every page load gets the latest version. There are no update mechanisms to manage, no patches to install, and no version fragmentation. Your sites are always running on the most secure version of our platform.