Do I need to eject from Expo?

No! BundleNudge works perfectly with Expo (bare workflow, dev clients, and CNG). You don't need to handle complex native linking manually.

How does this compare to CodePush?

CodePush is deprecated and will be shut down in March 2025. BundleNudge is a modern replacement with faster updates, better dashboarding, and predictable flat-rate pricing.

What happens if I push a broken update?

Our SDK monitors crash rates after updates. If crashes spike, we automatically roll back users to the previous stable version in under 60 seconds—no manual intervention required.

Does this violate App Store guidelines?

No. Apple explicitly allows over-the-air updates for interpreted code (JavaScript) as long as you don't significantly change the primary purpose of the app. This is outlined in App Store Review Guideline 3.3.2.

How is pricing calculated?

Simple: MAU (monthly active users that receive updates). No bandwidth charges, no per-seat pricing. $19.99/mo for up to 50K MAU on Pro. Free tier available for up to 5K MAU.

How long does migration take?

Most teams migrate in under 25 minutes. Our SDK is a drop-in replacement for CodePush, and we provide a step-by-step migration guide with code examples for common patterns.

Yes. All bundles are encrypted at rest and in transit using TLS. Every bundle is cryptographically signed with SHA-256, and the SDK verifies integrity before applying updates. We never have access to your source code.

Security

Name: BundleNudge
Author: BundleNudge

Last updated: February 2025

At BundleNudge, security is fundamental to everything we build. We understand that you're trusting us with your application code and your users' update experience. This page describes how we protect your data.

Infrastructure Security

Hosting and Network

Application Hosting: Our services run on Fly.io, providing isolated compute environments with automatic TLS termination
Data Storage: Application bundles and assets are stored on Cloudflare R2, benefiting from Cloudflare's enterprise-grade security
Edge Delivery: Updates are delivered through Cloudflare's global network with built-in DDoS protection
Network Isolation: Production systems are isolated from development and staging environments

Encryption

Data State	Encryption
In Transit	TLS 1.3 (minimum TLS 1.2)
At Rest	AES-256
Backups	AES-256 encrypted

All API communications use HTTPS. We do not support unencrypted HTTP connections.

Application Security

Authentication and Access Control

Password Security: Passwords are hashed using bcrypt with appropriate work factors
Two-Factor Authentication: Available for all accounts (TOTP-based)
API Keys: Cryptographically generated, scoped by permission level
Session Management: Secure session tokens with automatic expiration
Role-Based Access: Team members can have different permission levels

Secure Development

Code Review: All code changes require peer review before deployment
Dependency Scanning: Automated scanning for known vulnerabilities
Static Analysis: Code is analyzed for security issues before deployment
Secrets Management: Credentials are stored in secure vaults, never in code

API Security

Rate Limiting: Protection against brute force and denial of service
Input Validation: All inputs are validated and sanitized
Output Encoding: Protection against injection attacks
CORS Policies: Strict cross-origin resource sharing rules

Data Protection

Your Code and Assets

Your JavaScript bundles are stored encrypted at rest
Assets are served directly to your users without modification
We do not inspect, analyze, or use your code for any purpose other than delivery
Bundles can be signed for additional integrity verification

Access Controls

BundleNudge employees do not access customer data without explicit permission
Access to production systems is restricted and logged
Administrative access requires multi-factor authentication
All access is subject to the principle of least privilege

Data Retention

Data Type	Retention
Account data	Duration of account + 30 days
Bundles and assets	Duration of account + 30 days
Access logs	90 days
Audit logs	1 year

Operational Security

Monitoring and Detection

24/7 infrastructure monitoring
Automated alerting for anomalous activity
Security event logging and analysis
Regular log review and analysis

Incident Response

We maintain an incident response plan that includes:

Detection: Automated monitoring and manual review
Assessment: Severity classification and impact analysis
Containment: Immediate steps to limit damage
Notification: Customer notification within 72 hours of confirmed breach
Recovery: System restoration and verification
Review: Post-incident analysis and improvements

Business Continuity

Automated backups with geographic redundancy
Tested disaster recovery procedures
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour

Compliance

Certifications and Standards

GDPR Compliant: We comply with EU General Data Protection Regulation
SOC 2 Type II: [In progress / Planned]

Third-Party Security

Our infrastructure providers maintain their own certifications:

Provider	Certifications
Cloudflare	SOC 2 Type II, ISO 27001, PCI DSS
Fly.io	SOC 2 Type II
Stripe	PCI DSS Level 1, SOC 2

Responsible Disclosure

Bug Bounty Program

We welcome security researchers to help us improve our security. If you discover a vulnerability:

Email: security@bundlenudge.com
Include: Detailed description, steps to reproduce, potential impact
Do Not: Access customer data, disrupt services, or disclose publicly

Our Commitment

Acknowledge receipt within 24 hours
Provide an initial assessment within 72 hours
Keep you informed of our progress
Credit you in our security acknowledgments (if desired)
No legal action for good-faith research

Scope

In scope:

bundlenudge.com and subdomains
BundleNudge API
BundleNudge SDK/CLI

Out of scope:

Social engineering attacks
Physical security
Third-party services

Security Best Practices for Customers

Protect Your Account

Enable two-factor authentication
Use a strong, unique password
Review team member access regularly
Rotate API keys periodically

Secure Your Updates

Test updates in staging before production
Use staged rollouts for critical changes
Monitor update success rates
Enable automatic rollback for failures

SDK Integration

Keep the BundleNudge SDK updated
Validate update integrity in your app
Implement certificate pinning if required
Follow our SDK security guidelines

Questions?

For security questions or concerns, contact us at:

Email: security@bundlenudge.com

For general inquiries, use support@bundlenudge.com.

Security Review: Last security review: February 2025

Security

Last updated: February 2025

Infrastructure Security

Hosting and Network

Application Hosting: Our services run on Fly.io, providing isolated compute environments with automatic TLS termination
Data Storage: Application bundles and assets are stored on Cloudflare R2, benefiting from Cloudflare's enterprise-grade security
Edge Delivery: Updates are delivered through Cloudflare's global network with built-in DDoS protection
Network Isolation: Production systems are isolated from development and staging environments

Encryption

Data State	Encryption
In Transit	TLS 1.3 (minimum TLS 1.2)
At Rest	AES-256
Backups	AES-256 encrypted

All API communications use HTTPS. We do not support unencrypted HTTP connections.

Application Security

Authentication and Access Control

Password Security: Passwords are hashed using bcrypt with appropriate work factors
Two-Factor Authentication: Available for all accounts (TOTP-based)
API Keys: Cryptographically generated, scoped by permission level
Session Management: Secure session tokens with automatic expiration
Role-Based Access: Team members can have different permission levels

Secure Development

Code Review: All code changes require peer review before deployment
Dependency Scanning: Automated scanning for known vulnerabilities
Static Analysis: Code is analyzed for security issues before deployment
Secrets Management: Credentials are stored in secure vaults, never in code

API Security

Rate Limiting: Protection against brute force and denial of service
Input Validation: All inputs are validated and sanitized
Output Encoding: Protection against injection attacks
CORS Policies: Strict cross-origin resource sharing rules

Data Protection

Your Code and Assets

Your JavaScript bundles are stored encrypted at rest
Assets are served directly to your users without modification
We do not inspect, analyze, or use your code for any purpose other than delivery
Bundles can be signed for additional integrity verification

Access Controls

BundleNudge employees do not access customer data without explicit permission
Access to production systems is restricted and logged
Administrative access requires multi-factor authentication
All access is subject to the principle of least privilege

Data Retention

Data Type	Retention
Account data	Duration of account + 30 days
Bundles and assets	Duration of account + 30 days
Access logs	90 days
Audit logs	1 year

Operational Security

Monitoring and Detection

24/7 infrastructure monitoring
Automated alerting for anomalous activity
Security event logging and analysis
Regular log review and analysis

Incident Response

We maintain an incident response plan that includes:

Detection: Automated monitoring and manual review
Assessment: Severity classification and impact analysis
Containment: Immediate steps to limit damage
Notification: Customer notification within 72 hours of confirmed breach
Recovery: System restoration and verification
Review: Post-incident analysis and improvements

Business Continuity

Automated backups with geographic redundancy
Tested disaster recovery procedures
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour

Compliance

Certifications and Standards

GDPR Compliant: We comply with EU General Data Protection Regulation
SOC 2 Type II: [In progress / Planned]

Third-Party Security

Our infrastructure providers maintain their own certifications:

Provider	Certifications
Cloudflare	SOC 2 Type II, ISO 27001, PCI DSS
Fly.io	SOC 2 Type II
Stripe	PCI DSS Level 1, SOC 2

Responsible Disclosure

Bug Bounty Program

We welcome security researchers to help us improve our security. If you discover a vulnerability:

Email: security@bundlenudge.com
Include: Detailed description, steps to reproduce, potential impact
Do Not: Access customer data, disrupt services, or disclose publicly

Our Commitment

Acknowledge receipt within 24 hours
Provide an initial assessment within 72 hours
Keep you informed of our progress
Credit you in our security acknowledgments (if desired)
No legal action for good-faith research

Scope

In scope:

bundlenudge.com and subdomains
BundleNudge API
BundleNudge SDK/CLI

Out of scope:

Social engineering attacks
Physical security
Third-party services

Security Best Practices for Customers

Protect Your Account

Enable two-factor authentication
Use a strong, unique password
Review team member access regularly
Rotate API keys periodically

Secure Your Updates

Test updates in staging before production
Use staged rollouts for critical changes
Monitor update success rates
Enable automatic rollback for failures

SDK Integration

Keep the BundleNudge SDK updated
Validate update integrity in your app
Implement certificate pinning if required
Follow our SDK security guidelines

Questions?

For security questions or concerns, contact us at:

Email: security@bundlenudge.com

For general inquiries, use support@bundlenudge.com.

Security Review: Last security review: February 2025