Category: Code Assistants · Pricing: Free; Pro $25/mo; Teams $30/mo/seat; Enterprise custom

bolt.new

bolt.new by StackBlitz is an in-browser AI app builder that generates, runs, and deploys full-stack web apps from natural-language prompts using WebContainers and frontier coding models.

Risk Score: Medium (4/10)

Independent assessment across data handling, compliance, security and transparency.

Overview

bolt.new (StackBlitz) is a browser-native vibe-coding tool that chat-generates React, Next.js, and full-stack apps, runs them in-browser via WebContainers, and deploys to Bolt Cloud or Netlify. It targets PMs, entrepreneurs, agencies, and hobbyist builders, emphasizing design-system integration (Material UI, shadcn, Chakra) and backend features like databases, auth, and custom domains. Enterprise risk is elevated because public reporting indicates no formal SOC 2, GDPR, or HIPAA certification for standard tiers; compliance features are described only for Enterprise. Prompts and project code are processed by third-party LLMs, and non-developers can push AI-generated code to production domains with minimal review. Treat generated code as a starting point requiring security review before any production or regulated-data use.

Risk factors (3)
  • Generates code from user prompts, so any sensitive data included in a prompt may be exposed to the third-party model provider.
  • Cloud-based with third-party data handling.
  • Requires user data for app generation.

Recommendations (7)
  • Restrict to non-production prototyping; block deployment of Bolt-generated code to production without security review
  • Require Enterprise tier for any organizational use needing SSO, audit logs, or compliance attestation
  • Ban PHI, PCI, and regulated personal data from bolt.new projects and Bolt Cloud databases
  • Mandate code review of generated auth, RLS, and secrets handling before deploy
  • Monitor egress for staff pushing to bolt.new custom domains
  • Prefer competitors with documented SOC 2/ISO 27001 for regulated workloads
  • Rotate any secrets pasted into Bolt prompts or environment

Data handling

Storage: Projects, databases, and hosted sites are stored on StackBlitz/Bolt Cloud infrastructure; AI prompts are transmitted to third-party frontier model providers.
Retention: The StackBlitz privacy policy does not specify explicit retention timelines; contact the vendor for contractual retention commitments.
Training on inputs: A training opt-out is not documented in the publicly available policy, and the vendor has not published an explicit no-training default.