Compliance & Security

Master security and compliance for Buzzy applications. Learn server-level protection, Organizations/Teams, Viewers fields, and legal requirements.

Security Is Built Into Buzzy

Non-technical explanation: When you build an app, you're like a store owner responsible for protecting customer information. Buzzy gives you a professional security system (like cameras, locks, and alarms), but you need to configure it correctly—deciding who gets keys to which rooms and what they can access.

When building applications, you accept responsibility for user data and security. Buzzy's no-code platform provides server-level security features that protect your users—but you must configure them correctly.

Why security matters:

This guide covers:

  • ✅ Buzzy's server-level security model (not just UI hiding)

  • ✅ Organizations and Teams for access control

  • ✅ Viewers and Team Viewers fields for data protection

  • ✅ Data protection best practices

  • ✅ Legal compliance requirements (GDPR, privacy)

  • ✅ Complete security configuration checklist

Key Difference: Unlike traditional vibe coding tools that generate code you must secure yourself (and often get wrong), Buzzy provides built-in security features at the platform level. Your job is to configure them correctly for your app's needs—much easier and more reliable than securing generated code.

Understanding Buzzy's Security Model

Security vs. Obscurity

Critical concept: Hiding UI elements is NOT security.

Wrong approach (security by obscurity):

  • Use display rules to hide sensitive data

  • Assume users won't find hidden API endpoints

  • Trust client-side validation only

Right approach (server-level security):

  • Use Viewers fields to control data access at the server

  • Configure Organizations and Teams properly

  • Validate data at the server level (Buzzy handles this)

Example scenario: You build an HR app where employees can view their own salary but not others' salaries.

Bad: Display rule that hides salary field if record.employeeId ≠ $currentUser._id

  • Problem: User can still access the data via API or by inspecting network requests

Good: Viewers field on Salary Datatable set to the employee

  • Buzzy's server enforces this—user literally cannot access other employees' salary data

Learn more about Buzzy's security model

Buzzy's Built-In Security Features

1. Authentication (Handled by Buzzy)

Buzzy provides authentication automatically:

What Buzzy handles:

  • User registration and login

  • Password hashing and storage

  • Session management

  • Password reset flows

  • OAuth integration options

What you configure:

  • Authentication method (email/password, OAuth providers)

  • Password requirements (if using email/password)

  • User profile fields

You don't write authentication code - Buzzy's Core Engine handles this securely.

2. Server-Level Authorization with Viewers Fields

Viewers fields are Buzzy's primary security mechanism for controlling who can access data.

How it works:

  • Add a "Viewers" field to any Datatable

  • Set the field value to user IDs who should have access

  • Buzzy's server enforces access—users not in Viewers cannot see the data

Example: Personal Documents

When user creates a document, set:

viewers: [$currentUser._id]

Result: Only the creator can access this document. Even if another user has the direct URL or API endpoint, Buzzy's server will deny access.

Example: Shared Documents

Document shared with multiple users:

viewers: [creator._id, collaborator1._id, collaborator2._id]

Result: Only these three users can access the document.

Learn more about Viewers fields

3. Team-Based Security with Team Viewers

Team Viewers fields extend security to team-based access control.

How it works:

  • Create Buzzy Teams within Organizations

  • Add "Team Viewers" field to Datatables

  • Set field to Team IDs that should have access

  • All team members automatically get access

Example: Project Management App

Project belongs to "Engineering Team":

teamViewers: [engineeringTeam._id]

Result: All members of Engineering Team can access the project. When team membership changes, access automatically updates.

Benefits:

  • No manual user list management

  • Access updates automatically when team membership changes

  • Scales to large organizations

  • Integrates with Buzzy's Organization structure

4. Organizations for Multi-Tenant Apps

Organizations enable true multi-tenant SaaS applications in Buzzy.

How it works:

  • Each customer gets their own Organization

  • Users belong to Organizations

  • Data is scoped to Organizations

  • No data leakage between Organizations

Example: SaaS Application

You build a project management tool with multiple client companies:

  • Company A users only see Company A projects

  • Company B users only see Company B projects

  • Admins can manage their own organization

Implementation:

  • Use Buzzy's built-in Organization object

  • Link Datatables to Organizations

  • Filter data by $currentUser.organization

Learn more about Organizations pattern

Common Security Mistakes in Buzzy Apps

Mistake 1: Using Display Rules for Security

Wrong:

Display rule: Show "Delete" button only if:
$currentUser.highestRole = "admin"

Problem: User can still call the delete action via API inspection or direct URL.

Right:

  • Add Viewers field to the Datatable

  • Only admins in Viewers can delete

  • Use display rule for UX only (not security)

Remember: Display rules are for user experience, Viewers fields are for security.

Mistake 2: Not Setting Viewers on Sensitive Data

Wrong: Create a Datatable for "Employee Salaries" without Viewers field.

Problem: All authenticated users can potentially access all salary data.

Right:

  • Add Viewers field to "Employee Salaries" Datatable

  • Set to [employee._id, hr._id] when creating records

  • Only the employee and HR can access their salary data

Mistake 3: Exposing API Keys in Buzzy Functions

Wrong:

export const main = async (event) => {
  const apiKey = "sk-abc123hardcoded"; // EXPOSED!
  // ...
};

Problem: API key is visible in your Function code and could leak.

Right:

export const main = async (event) => {
  const apiKey = process.env.API_KEY; // From Buzzy Constants
  if (!apiKey) {
    return { statusCode: 500, body: { error: "API key not configured" } };
  }
  // ...
};

Use Buzzy Constants (encrypted storage) for all sensitive configuration.

Mistake 4: Trusting Client-Side Validation Only

Wrong: Rely on required fields and field validation in Buzzy UI only.

Problem: Users can bypass client validation by calling APIs directly.

Right:

  • Use Buzzy's required fields (enforced server-side automatically)

  • Use Formula fields for validation (executed server-side)

  • Buzzy validates at server level—you're already protected!

Mistake 5: Not Understanding Organization Boundaries

Wrong: Build a multi-tenant app without using Organizations.

Problem: Data from different customers mixed together, hard to segregate.

Right:

  • Use Buzzy's Organization object

  • Each customer gets their own Organization

  • Filter all data by Organization

  • Buzzy enforces Organization boundaries

Buzzy's Platform Security Features

What Buzzy Handles Automatically

Authentication & Sessions:

  • ✅ Password hashing (you never see plain text passwords)

  • ✅ Session management (secure, httpOnly cookies)

  • ✅ HTTPS encryption (automatically enabled)

  • ✅ CSRF protection (built into platform)

  • ✅ XSS prevention (Buzzy's rendering engine handles this)

Data Security:

  • ✅ SQL injection prevention (Buzzy uses MongoDB, no SQL)

  • ✅ Server-side validation (required fields enforced)

  • ✅ Encrypted data transmission (HTTPS everywhere)

  • ✅ Secure API endpoints (authentication required)

What this means for you: You don't write authentication code, session management, or worry about XSS/SQL injection. Buzzy's Core Engine handles these security fundamentals. Your job is to configure security correctly using Viewers fields, Teams, and Organizations.

Security Testing for Buzzy Apps

What to Test

Access control testing:

  1. Create test user accounts with different roles

  2. Try to access data that should be restricted:

    • Can User A see User B's personal data?

    • Can regular users see admin-only data?

    • Can users from Organization A see Organization B's data?

  3. Test with direct URLs and API calls (not just UI)

Example test scenarios:

Personal Data Pattern:

  • User A creates a document with viewers: [userA._id]

  • Log in as User B

  • Try to access User A's document URL directly

  • Expected: Access denied (Buzzy should block this)

Team Pattern:

  • Add User A to "Sales Team"

  • Create project with teamViewers: [salesTeam._id]

  • Log in as User B (not in Sales Team)

  • Try to access the project

  • Expected: Access denied

Organization Pattern:

  • Create two test Organizations

  • Add data to Organization A

  • Log in as user from Organization B

  • Try to access Organization A's data

  • Expected: Should see no data or access denied

Testing Buzzy Functions

Security testing for Functions:

Tools and Approaches

Manual testing:

  • Create multiple test user accounts

  • Use incognito/private browsing for different users

  • Test on different devices (web, iOS, Android)

  • Check browser network tab for data exposure

Buzzy platform monitoring:

  • Review Buzzy Function logs for errors

  • Monitor app usage patterns

  • Check for unusual access attempts

  • Review user feedback for security concerns

Privacy & Compliance for Buzzy Apps

Understanding Your Compliance Needs

Key factors:

  • Geographic location of your users

  • Type of data you collect

  • Industry regulations (healthcare, finance, etc.)

  • Age of users (children's privacy)

GDPR (European Union)

Applies if: You have users in the EU

Key requirements:

  • Consent: Clear opt-in for data collection

  • Access: Users can request their data

  • Deletion: Users can request data deletion ("right to be forgotten")

  • Portability: Users can export their data

  • Privacy by design: Security built-in from the start

  • Breach notification: Report breaches within 72 hours

Implementation in Buzzy:

Data access: Use Buzzy REST API with user authentication to export user data

  • When a user authenticates with their credentials (X-Auth-Token and X-User-Id), Buzzy's server automatically filters data based on Viewers fields

  • Calling POST /api/microappdata with the user's auth token returns only data they have access to

  • For GDPR-compliant data export, you can create a Buzzy Function that calls the REST API with the user's authentication to gather all their accessible data

Account deletion:

  • Build a "Delete My Account" feature in your app

  • Use Buzzy REST API to delete user's data across all Datatables

  • Remove user from all Viewers and Team Viewers fields

  • Delete user account via Buzzy's user management

  • See Buzzy REST API documentation for data deletion endpoints

Data portability:

  • Create a Buzzy Function that exports user data in standard format (JSON, CSV)

  • Use authenticated REST API calls to fetch data the user has access to

  • Users can download their complete data package

  • Include all Datatables where user has Viewers access

CCPA (California)

Applies if: You have California residents as users

Key requirements:

  • Disclosure: Tell users what data you collect

  • Knowledge: Users can request details about their data

  • Deletion: Users can request data deletion

  • Opt-out: If you sell data (most don't), users can opt out

  • Non-discrimination: Can't penalize users for exercising rights

Implementation in Buzzy:

  • Similar to GDPR implementation

  • Provide clear privacy policy

  • Build data export feature

  • Build account deletion feature

HIPAA (Healthcare - United States)

Applies if: You handle protected health information (PHI)

Key requirements:

  • Security Rule: Physical, administrative, technical safeguards

  • Privacy Rule: Control who accesses PHI

  • Breach Notification: Report breaches to affected individuals

  • Business Associate Agreements: Required for vendors

Buzzy considerations:

  • Use Viewers fields to strictly limit PHI access

  • Ensure only authorized healthcare providers can see patient data

  • Use Organizations for different healthcare facilities

  • Consider HIPAA-compliant hosting if needed

  • Consult HIPAA compliance experts

COPPA (Children's Privacy - United States)

Applies if: Your app targets children under 13

Key requirements:

  • Parental consent for data collection

  • Limited data collection (only necessary data)

  • No behavioral advertising to children

  • Enhanced security measures

Most apps: Add age verification, require users to be 13+

Implementation in Buzzy:

  • Add age field in user registration

  • Block registration if under 13 (or require parental consent)

  • Store minimal data for users under 13 if you allow them

Privacy Policy Requirements

Every Buzzy app must have a privacy policy if it collects user data.

Must include:

  1. What data you collect:

    • User account information (email, name, profile data)

    • Application data (what they create/store in your app)

    • Usage data (if you're tracking analytics)

    • Technical data (Buzzy collects some automatically)

  2. Why you collect it:

    • Provide the service

    • Improve the product

    • Communicate with users

    • Comply with legal obligations

  3. How you use it:

    • Store in Buzzy's secure infrastructure

    • Process for app functionality

    • Analyze for improvements (if applicable)

  4. Who you share it with:

    • Buzzy (the platform provider)

    • Any third-party integrations (via Buzzy Functions)

    • Whether you sell data (most don't)

  5. How long you keep it:

    • While account is active

    • Retention period after account deletion

    • Legal retention requirements

  6. User rights:

    • Access their data

    • Export their data

    • Delete their account

    • Correct inaccurate data

  7. Security measures:

    • Buzzy's platform security features

    • Your additional security measures

    • How you handle breaches

  8. Contact information:

    • How users can reach you about privacy

    • Data protection officer (if required)

Example privacy policy structure:

# Privacy Policy for [Your App Name]

## Data We Collect
We collect the following information:
- Account information: email, name, [other profile fields]
- Application data: [what your app stores]
- Usage information: [if tracking analytics]

## How We Use Your Data
Your data is used to:
- Provide and maintain the service
- Improve the application
- Communicate with you about the service

## Data Storage and Security
Your data is stored securely using Buzzy's cloud infrastructure, which includes:
- Encrypted data transmission (HTTPS)
- Access control and authentication
- Regular security updates
[Add any additional security measures you implement]

## Third-Party Services
We use the following third-party services:
- Buzzy (application platform)
- [List any services you integrate via Buzzy Functions]

## Your Rights
You have the right to:
- Access your personal data
- Export your data
- Delete your account and data
- Correct inaccurate information

To exercise these rights, contact us at [email]

## Contact Us
For privacy-related questions: [email]

Get legal review: Have a lawyer review your privacy policy, especially if you're in a regulated industry or have users in multiple regions. Privacy policy generators can provide a starting template but aren't substitutes for legal counsel.

Security Checklist for Buzzy Apps

Before deploying to production, verify:

Data Security Configuration

Viewers fields:

Team Viewers (if using teams):

Organizations (if multi-tenant app):

Buzzy Functions Security

If you're using Buzzy Functions:

User Experience Security

Display rules:

Actions and forms:

Privacy & Compliance

Legal requirements:

Data collection:

Deployment Security

Production configuration:

Monitoring and Response

Ongoing security:

Security Incident Response for Buzzy Apps

If You Discover a Security Issue

1. Assess the severity:

  • Is user data exposed?

  • How many users are affected?

  • Is the issue still ongoing?

2. Immediate containment:

  • If it's a Buzzy Functions issue: disable the Function temporarily

  • If it's a Viewers field misconfiguration: fix immediately

  • If it's an external service: revoke API keys in Buzzy Constants

  • Document what you found

3. Fix the root cause:

  • Correct Viewers field configuration

  • Update Buzzy Functions

  • Rotate compromised API keys in Constants

  • Test the fix thoroughly

4. Assess impact and notify:

  • Determine what data was accessed

  • Notify affected users if their data was exposed

  • File breach reports if legally required (e.g., GDPR: within 72 hours)

5. Prevent recurrence:

  • Document what happened

  • Update your security checklist

  • Review similar areas of your app

  • Share learnings with team

Getting Help

Buzzy platform issues:

  • Contact Buzzy support for platform security questions

  • Report suspected platform vulnerabilities

Your app's security:

  • Review Buzzy's security documentation

  • Consult security professionals for sensitive apps

  • Consider security audit for high-risk applications

Key Takeaways

Buzzy's security advantages:

  • ✅ Authentication handled automatically

  • ✅ Server-level security via Viewers fields (not client-side hiding)

  • ✅ Organizations and Teams for scalable access control

  • ✅ Platform security updates handled by Buzzy

  • ✅ HTTPS and encryption managed by Buzzy

Your responsibilities:

  • Configure Viewers and Team Viewers fields correctly

  • Use Buzzy Constants for sensitive data in Functions

  • Test access control with different user accounts

  • Comply with relevant privacy laws

  • Provide clear privacy policy

  • Monitor and respond to security issues

Critical principle: Security is configuration, not code. Buzzy provides the security features—you must configure them correctly for your app's needs.

Next Steps

Last updated