Buildloop

Data Security Statement

Last updated: 20 June 2026

Buildloop is a New Zealand-based AI software studio that builds custom, AI-powered software for New Zealand small and medium businesses. We take the security of your data seriously, both on our website and when we work inside your business systems. This statement explains the reasonable, industry-standard measures we use, what we cannot guarantee, and what you are responsible for. It works alongside our Privacy Policy and Services Agreement.

1. Our approach to security

In short: We aim for reasonable, industry-standard protection appropriate to the data involved.

We design and operate our website and the software we build with security in mind, applying reasonable, industry-standard practices that are appropriate to the sensitivity of the data involved.

Security is built into how we work, from development through to delivery and any agreed support, and we keep our practices under review as tools and threats change.

2. Technical measures we use

In short: We use encryption, access controls, reputable providers and careful handling of secrets.

Depending on the project and what is appropriate, the technical measures we apply include the following.

  • Encryption of data in transit, and encryption at rest where appropriate.
  • Access controls and authentication to limit who can reach systems and data.
  • Use of reputable infrastructure, hosting and service providers.
  • Keeping secrets, credentials and API keys out of source code and managing them securely.
  • Applying updates and following secure development practices using our TypeScript, React, Node and Postgres stack.

3. Access to your systems: least privilege

In short: When we access your systems, we use the least access needed for the job.

Some projects require access to your systems, such as Xero, job-management tools or customer records, to build and connect the software you have asked for.

Where we need access, we seek the least privilege necessary to do the work, for only as long as needed, and we handle any credentials you provide securely. We ask that access be scoped narrowly and revoked when it is no longer required.

4. Third-party and offshore services

In short: We rely on reputable third parties, some offshore, whose own security we do not control.

Our software typically integrates with third-party services we do not control, including AI providers (such as Anthropic and OpenAI), hosting, New Zealand open-banking, and messaging providers (such as Twilio and Modica). Some processing and hosting, including AI processing, occurs offshore.

We choose reputable providers and take reasonable steps to use them securely, but we rely on their own security measures and cannot guarantee them. Their handling of data is also covered in our Privacy Policy.

5. No system is completely secure

In short: We cannot promise absolute security, and our liability for security events is limited.

No website, software or system can be made completely secure. While we take reasonable steps to protect data, we do not warrant or guarantee that data will always be secure or free from unauthorised access, loss or compromise.

To the maximum extent permitted by law, our liability for security incidents or data loss arising from events outside our reasonable control, or from third-party services, is limited, consistent with the limitations and exclusions in our Services Agreement. Nothing here excludes liability that cannot lawfully be excluded.

6. Your responsibilities

In short: Keeping your own credentials, backups and systems secure is your responsibility.

Security is a shared responsibility. You are responsible for the matters below.

  • Keeping your own credentials, accounts and devices secure, and managing who in your organisation has access.
  • Maintaining your own backups of your data and systems.
  • The security and maintenance of your own systems, networks and third-party accounts.
  • Promptly telling us if you suspect a security issue involving systems we have worked on.

7. Responsibility for your customers' data

In short: For your customers' personal information, you are the controlling agency and we process on your behalf.

Where the software we build processes personal information about your own customers or contacts, you are the agency that controls that information under the Privacy Act 2020, and Buildloop processes it on your behalf and on your instructions.

This means you remain responsible for your own security and privacy obligations to your customers, while we apply the measures described here to the parts of the system we build and operate for you.

8. Responding to security incidents

In short: If a serious issue occurs, we act reasonably and support any required notifications.

If we become aware of a security incident affecting data in systems we operate or have built, we will take reasonable steps to investigate and contain it and, where appropriate, work with you on a response.

Where a notifiable privacy breach under the Privacy Act 2020 may have occurred, we will cooperate with you so the appropriate notifications can be made. As the controlling agency for your customer data, you are generally responsible for any required notifications relating to that data.

9. Questions

In short: Contact us with any security questions or concerns.

If you have any questions about this statement or a security concern, please contact Buildloop, BuildLoop NZ Limited, at info@buildloop.co.nz.