AI security, privacy and data handling
Last updated: February 13, 2025
AI features in Burp Suite extensions are disabled by default, giving you complete control over whether an extension can access AI. This page explains how we protect your data and ensure AI-powered interactions remain secure.
Data security & access
How is my data secured, and who can access it?
All AI-related data is handled in accordance with PortSwigger's Security & Compliance framework, which includes:
ISO 27001 certification - Rigorous information security management.
SOC 2 compliance - Industry best practices for data protection and operational security.
Robust encryption - Data is encrypted in transit and at rest using industry-standard cryptographic methods.
Access controls - AI request and response data is stored in a restricted audit trail, accessible only by authorized PortSwigger personnel for security and compliance purposes.
Is my data used to train AI models?
No. Data processed through Burp's AI-powered extensions is not used to train AI models.
Does PortSwigger store or retain my data?
AI request data is processed securely and stored as part of an encrypted audit trail. No unauthorized personnel can access stored data.
AI providers do not store any of the data they process. Requests are handled in real time and immediately returned.
Can I review or delete AI data processed by Burp?
Currently, this option is not available. However, all stored data is encrypted and access-controlled to ensure security. We continuously review our policies to align with user needs.
More information
For full details on our security policies, compliance certifications, and how we protect customer data, see the PortSwigger Trust Center.
AI features & configuration
Can I disable AI features for an extension?
Yes. AI features are disabled by default for all extensions.
To disable AI for an extension:
Go to Extensions > Installed.
Uncheck Use AI for the relevant extension.
Which AI provider or model is used in Burp?
Currently, we use GPT-4o provided by OpenAI. We are actively testing our service with this model and may explore additional options in the future.
Can I choose a specific AI provider or model to use?
Currently, this option is unavailable.
Can AI output be configured to align with company or client-specific compliance needs?
Currently, this option is unavailable.
AI data processing
What data does PortSwigger collect when I use an AI-powered extension?
PortSwigger does not collect data from AI-powered extensions by default. Any data processed depends entirely on the extension's implementation.
We recommend reviewing the extension's code and documentation to understand:
What data is sent externally (for example, full HTTP requests, specific payloads, or extracted content).
How the extension handles sensitive information (for example, whether it masks or filters data).
If you are working with sensitive data, make sure that any extension aligns with your security and compliance requirements before use.
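The two review points above (what leaves Burp, and whether it is masked) can be checked mechanically rather than by reading an extension's source alone. The following is an added illustration, not PortSwigger's code nor that of any BApp Store extension: a standalone Python helper that scrubs credential-bearing headers, query parameters and body fields from a raw HTTP request before an extension would place it in a prompt, and reports which fields it masked so a reviewer can log exactly what would have been sent. The header and parameter name lists are an assumed starting point, not an exhaustive set, and the sample request is constructed for the example.

```python
"""Added example (not PortSwigger or BApp Store code): mask credentials in a raw
HTTP request before it is used as AI prompt input, and report what was masked.
The header/parameter name lists below are assumptions, not an exhaustive set."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of headers whose values must not leave Burp inside a prompt.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token",
}
# Assumed list of query/body field names that usually carry secrets.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "token", "access_token", "refresh_token",
    "api_key", "apikey", "secret", "client_secret",
}
MASK = "[REDACTED]"


def _mask_form(query: str, hits: list) -> str:
    """Mask sensitive names in an x-www-form-urlencoded string (query or body)."""
    pairs = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append(f"param:{name}")
            value = MASK
        pairs.append((name, value))
    # safe="[]" keeps the MASK marker readable instead of percent-encoding it
    return urlencode(pairs, safe="[]")


def _mask_json(body: str, hits: list) -> str:
    """Mask sensitive keys at any depth of a JSON body; non-JSON is left as-is."""
    try:
        data = json.loads(body)
    except ValueError:
        return body

    def walk(node):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key.lower() in SENSITIVE_PARAMS:
                    hits.append(f"json:{key}")
                    out[key] = MASK
                else:
                    out[key] = walk(value)
            return out
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node

    return json.dumps(walk(data))


def redact_request(raw: str):
    """Return (redacted_request, masked_fields) for a raw HTTP/1.x request text.

    masked_fields lists every header, parameter and JSON key that was replaced,
    in the order found, so a reviewer can log which data would have been sent.
    Output always uses CRLF line endings regardless of the input's.
    """
    hits = []
    normalized = raw.replace("\r\n", "\n")
    head, sep, body = normalized.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)

    # 1. Query string on the request target
    parts = urlsplit(target)
    if parts.query:
        target = urlunsplit(parts._replace(query=_mask_form(parts.query, hits)))

    # 2. Headers (a sensitive header's whole value is replaced)
    headers = []
    content_type = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.lower() in SENSITIVE_HEADERS:
            hits.append(f"header:{name}")
            value = " " + MASK
        elif name.lower() == "content-type":
            content_type = value.strip().lower()
        headers.append(f"{name}:{value}")

    # 3. Body, according to its declared content type
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        body = _mask_form(body, hits)
    elif body and content_type.startswith("application/json"):
        body = _mask_json(body, hits)

    redacted = "\r\n".join([f"{method} {target} {version}", *headers])
    redacted += ("\r\n\r\n" if sep else "") + body
    return redacted, hits


# Constructed sample request; every secret in it is fake.
SAMPLE_REQUEST = (
    "POST /api/login?redirect=%2Fhome&token=abc123 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Authorization: Bearer eyJhbGciOi.fake.signature\r\n"
    "Cookie: session=8f3a9c\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"username": "alice", "password": "hunter2", "remember": true}'
)

if __name__ == "__main__":
    text, masked = redact_request(SAMPLE_REQUEST)
    print(text)
    print("masked fields:", masked)
```

The list of masked field names is the useful output for the review the page recommends: an extension that logs it (or exposes it in its UI) lets you confirm, per request, what was stripped before anything crossed the boundary to PortSwigger's AI platform, and the assumed name lists are the place to add anything specific to the application under test.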
How is my data processed when I use AI-powered extensions?
Extensions use a secure process to communicate with AI services:
The extension determines what data is needed for the request and securely transmits it to PortSwigger's AI platform.
PortSwigger's AI platform makes a request to a trusted AI provider. The data remains within our trust boundary and is not stored by the provider.
The AI provider processes the request and returns a response to PortSwigger's AI platform, where it is securely stored in an encrypted audit trail.
The response is passed back to Burp for the extension to use.
Does PortSwigger guarantee the behavior of AI-powered extensions?
We review extensions in the BApp Store to ensure they meet our quality and compatibility standards, but we cannot guarantee their behavior.
The decisions made by an AI model depend on how the extension author has implemented it, including:
What data is sent.
How prompts are structured.
How responses are used.
We strongly recommend that you review the extension's functionality to understand the data it processes and make sure that it aligns with your security and compliance requirements.
If you are testing in regulated or legally sensitive environments, consider additional safeguards to verify the AI's output before acting.