Professional

Burp AI trust and compliance FAQ

  • Last updated: April 10, 2026

This page answers some common questions around how we protect your data when you use Burp AI.

Related pages

  • Data handling - A deeper dive into how Burp AI handles your data in transit, what each feature sends, and how we handle sensitive data.

  • Data storage and retention - What PortSwigger stores, how long we keep it, and who can access it.

Data and privacy

Can AI providers use my data to train their models?

No. Our contracts with our providers prohibit them from monitoring your data or using it for model training. Your data passes through provider infrastructure during processing, but the provider does not retain it once the request is complete, and our contracts prohibit any secondary use.

Do AI providers store or retain my data?

No. Burp's AI providers do not store any of the data they process. Requests are handled in real time and immediately returned to Burp.

Does Burp AI send sensitive data?

Burp AI only sends data when you actively use AI features in Burp. We do not automatically redact or mask the data sent to AI providers. Depending on the features you use and the traffic you're testing, this may include sensitive data.

As an exception, AI-generated recorded logins replace actual usernames and passwords with placeholders before they are sent to PortSwigger or the AI providers. This is the same behavior as manually recorded logins.

For a full breakdown of what each feature sends, see Data handling.

What data does PortSwigger store?

PortSwigger stores your prompts, AI responses, and associated metadata to support troubleshooting, auditing, and billing. All stored data is encrypted using AES-256, and only authorized PortSwigger staff can access it. For full details on retention periods and access controls, see Data storage and retention.

Does PortSwigger use my data to improve Burp AI?

PortSwigger reserves the right to use anonymized data to improve Burp AI features and diagnose issues.

How does Burp communicate with AI providers?

When you use Burp AI, Burp sends task data to PortSwigger's AI infrastructure. This data is then sent to an AI provider, which processes it and returns a response. The provider does not retain your data once processing is complete. All communication between Burp, PortSwigger, and our AI providers is encrypted using TLS 1.2 or later.

For more information on how this process works and what is sent, see Data handling.

Compliance

Is Burp AI covered by PortSwigger's Data Processing Agreement?

Yes. PortSwigger's Data Processing Agreement covers all personal data processed through Burp AI on your behalf.

Is Burp AI ISO 27001 compliant?

Yes. Burp AI is covered by PortSwigger's ISO 27001 certification. For full details, see our Trust Center.

Where is data processed?

PortSwigger's AI infrastructure runs on AWS in the US-East and EU-West regions. Our AI providers process requests in US data centers.

What security controls protect your AI infrastructure?

Our AI infrastructure has protections against common attack types, including prompt injection and data exfiltration. Specific controls include server- and client-side input validation, rate limiting, and token-based authentication.

What happens if there's a security incident involving an AI provider?

In this case, PortSwigger would respond according to its ISO 27001-aligned incident response process and its contractual obligations with the affected provider. AI usage is logged in an encrypted audit trail to support our investigations.

What happens if an AI provider goes down?

We operate failover systems to maintain availability if a provider experiences issues. If the primary provider for a given feature is unavailable, requests are automatically routed to a backup.

User controls

Can I disable Burp AI entirely?

Yes. You can disable Burp AI at any time, at either a global or project level. To do so, go to Settings > Burp AI and select Disable AI features. When Burp AI is disabled, Burp cannot access PortSwigger's AI infrastructure and all AI-related features are grayed out in the UI.

Does Burp AI run automatically?

No. Burp AI only runs when you use an AI feature. It does not send any data to PortSwigger or our AI providers in the background.

Can I stop Burp AI mid-task?

Yes. For multi-step processes such as Explore Issue or Repeater tasks, you can pause or stop execution at any time.

Can I control which targets Burp AI analyzes?

Yes. You can use Burp's scope settings to restrict Burp AI to specific hosts and URLs. For more information on setting scope, see Target scope.

How does Burp AI stay focused on security testing tasks?

Burp AI uses structured prompts to keep the AI focused on security testing, reducing the risk of hallucinations or unintended actions. There are also built-in limits on the number of steps the AI can take during a task.

Can I choose which AI provider or model Burp uses?

Not currently. PortSwigger selects the model used for each task based on performance testing. For more information on how we select and manage models, see Data handling.

Extensions

How can I tell if an extension uses AI?

AI-powered extensions display a Use AI checkbox on the Extensions > Installed page. This checkbox is not shown for non-AI extensions.

Can I disable AI for an individual extension?

Yes. By default, AI features are disabled for all extensions. To enable AI for a specific extension, go to Extensions > Installed, find the extension, and select the Use AI checkbox. You can enable or disable AI for an extension at any time.

What data does PortSwigger collect when I use an AI-powered extension?

PortSwigger does not collect data from AI-powered extensions by default. What data is processed depends entirely on the extension's implementation. We recommend reviewing the extension's code and documentation to understand what data is sent externally and how sensitive information is handled, particularly if you are working in regulated environments.

Does PortSwigger guarantee the behavior of AI-powered extensions?

No. We review BApp Store extensions for quality and compatibility, but cannot guarantee their behavior. This depends on how the extension author has structured prompts, what data is sent, and how responses are used. If you are testing in regulated or legally sensitive environments, review the extension's functionality carefully and consider additional safeguards before acting on AI output.