App security
These features are available to all Base44 users and apply at the individual app level.
App visibility
Choose who can open your app and whether sign-in is required. Options include Private (invite only), Workspace (your team only), or Public (anyone with the link).
Data access rules
Control who can see or edit each type of data in your app. For example, make sure each person only sees their own orders or messages.
Base44 recommends the right rules as you build. Customize them any time.
Security scan
Checks your app for common security problems before you share it with others. Finds issues like data that is too open, credentials left in the wrong place, and login gaps.
Run this before publishing to catch any issues.
Package vulnerability scanning
Checks the third-party tools and libraries your app uses for known security issues. Flags anything it finds with a severity level so you know what to fix first.
Runs automatically as part of the security scan.
Exposed credentials detection
Looks for API keys, passwords, or tokens that have accidentally been left somewhere app visitors could find them, and flags them so you can move them somewhere safe.
Runs automatically as part of the security scan.
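To make concrete what "credentials left somewhere visitors could find them" means, here is an added example of a minimal scanner of the same kind. It is not Base44's scanner and does not use any Base44 API; the detection rules, the redaction format, and the two sample source files are all constructed for this illustration. It walks text that ships to the browser, matches a few well-known key formats plus generic `key = "..."` assignments, skips deploy-time placeholders such as `${DB_PASSWORD}`, and reports each hit with the secret redacted so the report itself does not leak it.

```python
"""Minimal exposed-credential scanner (added example, not Base44's own scanner).

Scans text that is delivered to every visitor (frontend source, config files,
HTML) for strings that look like API keys, tokens or passwords.
The rules and the sample files are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each rule is (name, pattern). Every pattern has exactly one capture group
# holding the secret itself. The list is deliberately short; a production
# scanner adds vendor formats and an entropy check for generic strings.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("stripe_secret_key", re.compile(r"\b(sk_(?:live|test)_[0-9A-Za-z]{16,})\b")),
    ("bearer_token", re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)")),
    (
        "hardcoded_secret_assignment",
        re.compile(r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    ),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # redacted, never the full secret


def is_placeholder(value: str) -> bool:
    """Values filled in at deploy time (e.g. '${DB_PASSWORD}') are not leaks."""
    return value.startswith("${")


def redact(value: str) -> str:
    """Keep only a 4-character prefix so the report does not re-leak the secret."""
    return value[:4] + "…" if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per offending line (the first matching rule wins)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            if is_placeholder(secret):
                continue  # try the remaining rules; this value is templated
            findings.append(Finding(path, lineno, name, redact(secret)))
            break  # one finding per line is enough for triage
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, preserving file order."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample files; the key values are obviously fake.
SAMPLE_FILES = {
    "src/api.js": "\n".join([
        "// constructed sample: frontend code that ships to every visitor",
        "const API_KEY = 'sk_live_EXAMPLEEXAMPLEEXAMPLE01';",
        "fetch('/api/orders', { headers: { Authorization: 'Bearer ' + API_KEY } });",
    ]),
    "src/config.js": "\n".join([
        "export const region = 'eu-west-1';",
        "export const awsAccessKeyId = 'AKIAEXAMPLEEXAMPLE01';",
        "export const password = '${DB_PASSWORD}';  // templated at deploy time, not a leak",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule}  {f.snippet}")
```

Running it reports the Stripe-style key in `src/api.js` and the AWS-style key in `src/config.js`, and nothing for the `${DB_PASSWORD}` placeholder. The fix the page describes is the same in every case: move the value into the encrypted vault covered under Secrets management and reference it only from backend code.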
Login verification checks
Makes sure the parts of your app that run behind the scenes always check who someone is before giving them data. Flags any gaps where a person could access information without being signed in.
Runs automatically as part of the security scan.
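The login verification check above and the Data access rules described earlier are two halves of one backend pattern: first establish who is calling (authentication), then return only what that caller is allowed to see (authorization). The following added example shows both in a framework-free handler. It is not Base44 code and does not reflect how Base44's backend is built; the session table, the orders, the tokens, and the `handle` wrapper are all constructed for this illustration. `list_orders_unchecked` is the shape of gap the scan flags: data handed back with no identity check at all.

```python
"""Added example (not Base44 code): authentication plus per-user data access
in a backend handler. All stores, tokens and records below are constructed."""
from __future__ import annotations

import hmac

# Constructed stand-ins for the session table and the orders table.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-7": "bob"}
ORDERS = [
    {"id": 1, "owner": "alice", "item": "keyboard"},
    {"id": 2, "owner": "bob", "item": "monitor"},
    {"id": 3, "owner": "alice", "item": "cable"},
]


class Unauthorized(Exception):
    """No valid session: the caller is not signed in."""


class AccessDenied(Exception):
    """Signed in, but the record is not theirs (or does not exist)."""


def current_user(headers: dict[str, str]) -> str:
    """Authentication: resolve 'Authorization: Bearer <token>' to a user or refuse."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Unauthorized("missing or malformed Authorization header")
    # Constant-time comparison so timing does not reveal how much of a token matched.
    # A real session store would look up a hash of the token instead of iterating.
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    raise Unauthorized("unknown or expired session")


def list_orders_unchecked(headers: dict[str, str]) -> list[dict]:
    """The gap a login-verification scan flags: data returned with no identity check."""
    return ORDERS


def list_orders(headers: dict[str, str]) -> list[dict]:
    """Hardened form: require a session, then filter on the server by owner."""
    user = current_user(headers)
    return [o for o in ORDERS if o["owner"] == user]


def get_order(headers: dict[str, str], order_id: int) -> dict:
    """Single-record access: the owner check happens server-side, not in the client."""
    user = current_user(headers)
    order = next((o for o in ORDERS if o["id"] == order_id), None)
    if order is None or order["owner"] != user:
        # Same answer for "missing" and "not yours", so ids cannot be probed.
        raise AccessDenied("order not found")
    return order


def handle(fn, headers: dict[str, str], *args):
    """Tiny HTTP-style wrapper: maps the exceptions to status codes."""
    try:
        return 200, fn(headers, *args)
    except Unauthorized as exc:
        return 401, {"error": str(exc)}
    except AccessDenied as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice-1"}
    print(handle(list_orders, {}))            # 401: not signed in
    print(handle(list_orders, alice))         # 200: only alice's orders
    print(handle(get_order, alice, 2))        # 403: bob's order
    print(handle(list_orders_unchecked, {}))  # 200 with everything: the gap
```

The point of keeping the owner filter inside `list_orders` and `get_order` rather than in the client is that a visitor can change anything the browser sends; the rule only holds if the server applies it on every path that returns data.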
Secrets management
Store API keys and credentials in an encrypted vault. They are only accessible from your app’s backend and are never exposed to the people using your app.
Base44 keeps your credentials secure. You control which integrations use them.
Single sign-on (SSO) for apps
Let your app’s users sign in with their existing company or Google account instead of creating a new password.
Optional. Choose which login options are available on your app.
Platform security
Base44 handles these at the platform level. No action needed on your part.
- SOC 2 Type II certified, confirmed by independent audit
- ISO 27001 certified, with Base44’s own certification
- GDPR compliant, with a Data Processing Agreement available on request
- Data encrypted at rest and in transit
- Data residency controls (Elite and Enterprise plans), with the option to store your app’s data in the EU, UK, or US. Learn about data residency
- Penetration testing, conducted regularly by internal and third-party teams
- Bug bounty program for responsible vulnerability disclosure
- PCI DSS-certified payment processing for apps that accept payments
- Subprocessor directory listing all vendors who handle your data
Enterprise security
The following features are available on Enterprise plans only.
IP allowlist
Limit who can access your workspace based on their network location. For example, only allow sign-ins from your office or company VPN.
SSO enforcement
Require everyone who uses any app in your workspace to sign in with the same company account. No separate logins per app.
Automatic user provisioning (SCIM)
Automatically add or remove team members in Base44 when they join or leave your organization, based on your company’s HR or IT system.
Audit logs
A complete record of everything that happens in your workspace, including who did what and when. Useful for compliance or security investigations.
Workspace API keys
Create secure keys so your external tools can connect to your workspace programmatically, without needing a personal login.
FAQs
How are authentication tokens stored?
Base44 stores authentication tokens in the browser’s localStorage. HttpOnly cookie storage is not currently available.
Does Base44 invalidate sessions server-side when a user logs out?
When a user logs out, their active session is cleared. For specific session security requirements, contact Base44 support.
Can I configure HTTP security headers for my app?
HTTP-level security headers such as Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options are not currently configurable at the individual app level.
Can I restrict CORS to specific domains for my app?
Per-app CORS configuration is not currently available. Base44 manages CORS at the platform level.
Are Base44 endpoints rate-limited?
Yes. All public endpoints are rate-limited by default. No configuration is required on your part.