
Automated Orchestration:  Bonafide FAQ Package via Subdomain

Hosting Your FAQ Content on a Subdomain: How It Works & What to Expect

Overview

Bonafide's subdomain hosting feature lets you serve live, automatically updated FAQ content on a web address your Brand controls — something like context.yourbrand.com. Instead of manually downloading and uploading FAQ files that quickly go out of date, Bonafide handles the hosting entirely on our infrastructure. Your content stays current without anyone on your team needing to maintain it.

This article walks through exactly what setup involves, how the system works under the hood, and what your IT security team needs to know to evaluate and approve it.

 


What Your IT Team Needs to Do

There are two DNS (Domain Name System) record additions required from your side. That's the full extent of your IT team's involvement — no code deployments, no server configuration, no ongoing maintenance.

 

A DNS record is simply an entry in your domain's settings that tells the internet where to find something. Your IT team adds these the same way they would when pointing a domain to any third-party service, like a marketing platform or a CDN.

Step 1 — Verify domain ownership (SSL certificate)

Before any content goes live, AWS needs to confirm that your Brand owns the subdomain. Your IT team adds one DNS record that acts as a verification code. It doesn't route any traffic — it just proves ownership.

 

Once this record is in place, Bonafide's system automatically requests and provisions a free SSL certificate (the padlock you see in a browser's address bar) from Amazon's certificate authority. This certificate is issued specifically for your subdomain and is globally trusted by all major browsers. This step typically takes up to one hour.

Step 2 — Point the subdomain to Bonafide's delivery network

Once the SSL certificate has been issued, your IT team adds a second DNS record pointing your chosen subdomain (e.g. context.yourbrand.com) to Bonafide's content delivery system. From this moment, the subdomain is live and will update automatically whenever your FAQ content changes in Bonafide.

 

Summary of IT involvement:

| Step | What IT Does | Time Required |
|---|---|---|
| 1 | Add 1 DNS record (SSL verification) | ~5 minutes |
| 2 | Add 1 DNS record (traffic routing) | ~5 minutes |
| Ongoing | Nothing | |

 


How the System Works

Once setup is complete, here's how content gets from Bonafide to your subdomain:

 

  1. Content lives in Bonafide's secure cloud storage (Amazon S3) — encrypted, private, and completely inaccessible from the public internet directly.
  2. Amazon CloudFront acts as the delivery layer — it's a global content delivery network (CDN) that serves your FAQ content over HTTPS to anyone visiting your subdomain. This is the same infrastructure used by Netflix, Airbnb, and major financial institutions.
  3. When your FAQ content is updated in Bonafide, the system automatically pushes the new content and refreshes the delivery layer. Your subdomain reflects the latest content without any action from your team.
  4. Your Brand's systems are never in the data path. Bonafide's infrastructure handles everything behind your subdomain.

 


Security Overview for IT Teams

This section is written specifically for IT security reviewers evaluating this integration.

Access & Permissions

Bonafide does not need — and does not request — any access to your Brand's systems, servers, or DNS management console. Your IT team adds two DNS records independently. Bonafide has no visibility into your DNS settings and no ability to make changes on your behalf.

 

Bonafide's system operates within AWS under a tightly scoped permissions policy that limits it to managing only the resources it creates for this feature: its own storage buckets, its own content delivery distributions, and SSL certificates. It cannot access AWS resources outside of its own scope.

Encryption in Transit

All traffic between end users and your subdomain is encrypted using HTTPS. HTTP requests are automatically redirected to HTTPS — there is no way to access content over an unencrypted connection. We enforce TLS 1.2 as the minimum protocol version, which meets current PCI-DSS and industry security standards.

Encryption at Rest

FAQ content is stored in Amazon S3 with AES-256 encryption at rest — the same standard used by banks and government agencies.

Storage Access Controls

The S3 storage bucket has all public access blocked at the infrastructure level. The only entity that can read content from the bucket is Bonafide's own CloudFront distribution, enforced through AWS Origin Access Control (OAC). This is a hard infrastructure policy — even someone with knowledge of the bucket name cannot access it directly from the internet.
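For reviewers who want to see what an OAC-style restriction looks like in policy terms, the following added example (not Bonafide's actual policy or code) audits a bucket policy for the shape AWS documents for Origin Access Control: the CloudFront service principal, read-only, pinned to one distribution. The bucket name, account ID and distribution ID are constructed placeholders.

```python
def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy, distribution_arn):
    """Flag every Allow statement that grants more than 'this one CloudFront
    distribution may read objects'. Returns (statement index, finding) pairs."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") != {"Service": "cloudfront.amazonaws.com"}:
            findings.append((i, "principal-is-not-the-cloudfront-service"))
        # Condition key names are not case sensitive, so compare them lowercased.
        equals = st.get("Condition", {}).get("StringEquals", {})
        pinned = {k.lower(): v for k, v in equals.items()}.get("aws:sourcearn")
        if pinned != distribution_arn:
            findings.append((i, "not-pinned-to-the-distribution"))
        if set(as_list(st.get("Action", []))) != {"s3:GetObject"}:
            findings.append((i, "grants-more-than-object-read"))
    return findings

# Constructed placeholders, not real resources.
ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
RESOURCE = "arn:aws:s3:::example-faq-bucket/*"

def policy(principal, action, condition=None):
    st = {"Effect": "Allow", "Principal": principal,
          "Action": action, "Resource": RESOURCE}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}

CF = {"Service": "cloudfront.amazonaws.com"}
LOCKED = policy(CF, "s3:GetObject", {"StringEquals": {"AWS:SourceArn": ARN}})
UNPINNED = policy(CF, "s3:GetObject")   # any distribution could read
PUBLIC = policy("*", ["s3:GetObject", "s3:ListBucket"])

if __name__ == "__main__":
    for name, doc in (("locked", LOCKED), ("unpinned", UNPINNED), ("public", PUBLIC)):
        print(name, audit_bucket_policy(doc, ARN))
```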

Your Brand's Dedicated Infrastructure

Every Brand on Bonafide's platform gets its own dedicated CloudFront distribution and its own dedicated SSL certificate. You do not share infrastructure with any other Bonafide customer. This means:

 

  • A configuration issue affecting another customer has zero impact on your subdomain
  • Your SSL certificate lifecycle is managed independently
  • Content cache updates for another customer do not affect your content

Security Headers

The following security headers are applied automatically to every response served from your subdomain:

 

| Header | Purpose |
|---|---|
| HSTS | Forces browsers to always use HTTPS, even if a user types HTTP manually |
| X-Frame-Options: DENY | Prevents your page from being embedded in an iframe (blocks clickjacking attacks) |
| X-Content-Type-Options: nosniff | Prevents browsers from misinterpreting file types (protects against certain injection attacks) |
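A reviewer can confirm the redirect and header behaviour described in this section against their own subdomain. This is an added example, not Bonafide's code: `audit` and `probe` are hypothetical helper names, and the sample responses are constructed rather than captured from a real deployment.

```python
import http.client
from urllib.parse import urlsplit

def audit(host, http_status, http_location, https_headers):
    """Compare one subdomain's responses with the behaviour documented above.
    Returns a list of findings; an empty list means everything matched."""
    h = {k.lower(): v.strip() for k, v in https_headers.items()}
    findings = []
    # HTTP must answer with a redirect to HTTPS on the same hostname.
    loc = urlsplit(http_location or "")
    if http_status not in (301, 302, 307, 308) or loc.scheme != "https" \
            or (loc.hostname or "").lower() != host.lower():
        findings.append("http-not-redirected-to-https")
    # HSTS only has an effect with a positive max-age directive.
    max_age = 0
    for part in h.get("strict-transport-security", "").split(";"):
        key, _, value = part.strip().partition("=")
        value = value.strip().strip('"')
        if key.strip().lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age <= 0:
        findings.append("hsts-missing-or-max-age-0")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options-not-deny")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options-not-nosniff")
    return findings

def probe(host):
    """Live check: fetch / over HTTP and HTTPS without following redirects."""
    plain = http.client.HTTPConnection(host, timeout=10)
    plain.request("GET", "/")
    r1 = plain.getresponse()
    tls = http.client.HTTPSConnection(host, timeout=10)  # validates the certificate
    tls.request("GET", "/")
    r2 = tls.getresponse()
    return audit(host, r1.status, r1.getheader("Location"), dict(r2.getheaders()))

# Constructed sample responses (not captured from a real deployment).
GOOD = (301, "https://context.yourbrand.com/", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"})
WEAK = (200, None, {"Strict-Transport-Security": "max-age=0",
                    "X-Frame-Options": "SAMEORIGIN"})

if __name__ == "__main__":
    for status, location, headers in (GOOD, WEAK):
        print(audit("context.yourbrand.com", status, location, headers))
```

Call `probe("context.yourbrand.com")` with your own hostname once the subdomain is live; an empty list means the responses match the table.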

Certificate Spoofing Protection

Because your SSL certificate is issued by Amazon's trusted certificate authority and tied specifically to your subdomain, any attempt by a third party to impersonate your subdomain with a fraudulent certificate will fail browser validation. The HSTS header further ensures browsers remember to enforce HTTPS, adding protection against SSL downgrade attacks.

 


What Happens If Something Goes Wrong

We believe in being upfront about failure scenarios so your team can plan accordingly.

Setup fails mid-way

The provisioning process includes automatic retries (up to three attempts) if any step encounters an error. If all retries fail, the status is clearly flagged for Bonafide's team to investigate. Setup does not leave broken infrastructure behind — if it fails, it fails cleanly and can be restarted without manual cleanup. Your subdomain simply won't go live until the issue is resolved.

CloudFront outage (Amazon infrastructure)

In the unlikely event of a global Amazon CloudFront outage, your subdomain would be temporarily unreachable. This would be an AWS-wide infrastructure event — the kind that affects a significant portion of the internet simultaneously. CloudFront has historically maintained 99.9%+ availability. The current version of this feature does not include automatic failover to a backup delivery network; this is on our roadmap. In this scenario, Bonafide would communicate status through our normal support channels.

Content update pipeline issue

If Bonafide's content update system encounters an error, your subdomain would remain live and accessible, but the content would temporarily reflect the last successfully published version rather than the most current one. Our team monitors the pipeline and is alerted to failures. Your Brand's visitors would continue to see valid FAQ content — just not the most recent edits until the issue is resolved.

Turning off the feature

If your Brand decides to stop using subdomain hosting, Bonafide deletes the CloudFront distribution, the SSL certificate, and all associated hosted content. Your IT team removes the two DNS records. There is no lingering infrastructure on either side.

 


Frequently Asked Questions

Does Bonafide have access to our DNS or domain settings?
No. Bonafide never accesses, manages, or has visibility into your DNS settings. Your IT team adds two records independently through your own DNS management console.

 

Does our IT team need to do anything after setup?
No. Once the two DNS records are in place and the subdomain is active, there is no ongoing maintenance required from your side. Content updates happen automatically.

 

Can we choose our own subdomain name?
Yes. You choose the subdomain during the setup process in Bonafide's platform (e.g. context.yourbrand.com). It must be a subdomain of a domain your Brand already owns.

 

Is the content publicly accessible (i.e. indexed by search engines)?
Yes — the FAQ content served on your subdomain is publicly accessible over the web by design, and can be indexed by search engines. The content itself is your FAQ data. The underlying storage infrastructure is private; public access is only possible through the subdomain.

 

What if our IT security team has a vendor security questionnaire?
We're happy to complete it. Please reach out to your Bonafide account representative and we'll respond to any standard security questionnaire or third-party vendor review your Brand requires.

 

Can we run a technical review call with Bonafide's engineering team?
Yes. If your IT security team would find it helpful to speak directly with Bonafide's technical team, we can arrange that. Contact your account representative to schedule.

 


Setup Checklist for IT

Use this checklist when implementing the subdomain setup:

 

  • Confirm the subdomain you want to use (e.g. context.yourbrand.com)
  • Bonafide enables subdomain hosting in the Orchestration platform — you'll receive the two DNS record values
  • Add DNS Record 1: SSL verification CNAME (provided by Bonafide)
  • Wait for SSL certificate issuance confirmation from Bonafide (up to 1 hour)
  • Add DNS Record 2: Traffic routing CNAME pointing subdomain to Bonafide's CloudFront address (provided by Bonafide)
  • Bonafide confirms subdomain is live and active
  • Verify by visiting your subdomain in a browser — confirm the padlock/HTTPS is present

 


 


Step-by-Step Instructions in Bonafide Platform

 

You need Admin access to the Bonafide Platform for your Brand. Contact support@bonafide.ai to get access.

 

1. Initialize Orchestration

  1. Log in to Bonafide and click the Orchestration icon on the left sidebar.
  2. Select the Subdomain method.
  3. Enter your desired subdomain name (e.g., context, faq, or llm).
  4. Select your desired content formats (FAQ HTML, Sitemap, LLM.txt, etc.).

 

2. Phase 1: DNS Validation (Verification)

 

TIP: We recommend using context.[your brand domain].com as the subdomain.

Before Bonafide can host content on your domain, it must verify ownership.

Click Configure.

 

The system will generate a validation CNAME Name and Value.

 

DNS Update: Log in to your DNS provider and add this CNAME record.

 

You have 1 HOUR to complete the DNS Update or the verification process will expire.

GoDaddy example only:

 

Return to Bonafide and click Next.

Select "Yes, I have updated it" to trigger the DNS Validation Check.

 

3. Phase 2: Content Pointing (Activation)

Once validation is successful, you must point the subdomain to the actual hosting infrastructure.

 

The Bonafide UI will refresh and provide a new CNAME Value (this will be a CloudFront URL).

DNS Update: Go back to your DNS provider. Find the CNAME record you created in the previous step and update the Value/Target to the new CloudFront URL provided.

Note: Do not use an IP address; the target must be a hostname.

Return to Bonafide and click Next.

Select "Yes, I have updated it" to begin the final Activation.

 

NOTE: This may take some time to activate.

 

4. Final Verification

  • The system will verify the new routing.
  • Once complete, a green checkmark will appear next to your subdomain URL.
  • The link is now active and will resolve to your Bonafide-hosted FAQ content. (Test by clicking the URL.)


Ongoing Management

Editing Content

To change served formats (e.g., removing Markdown files):

  1. Click the Edit icon next to the subdomain entry.
  2. Adjust checkboxes and click Save Changes. Changes are dynamic and appear near-instantly.

Disabling the Subdomain

  1. Click Disable in the Bonafide platform.
  2. CRITICAL: You must also delete the CNAME record from your DNS provider. If you do not delete the record, the subdomain will appear as a broken link because the backend infrastructure has been de-provisioned.

Technical Notes

  • Conflicts: A CNAME record cannot coexist with an A or TXT record for the same name (e.g., "context").
  • TTL: Setting your DNS record's Time to Live (TTL) to 3600 (1 hour) is recommended.
  • Root Domains: CNAME records are for subdomains only; do not use them for your root domain (e.g., use context.brand.com, not brand.com).
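The notes above can be checked before a record is submitted to the DNS provider. This added example (not part of the Bonafide platform) applies them to a constructed zone; `preflight` is a hypothetical helper, the zone contents and CloudFront hostname are placeholders, and the conflict rule is generalised from A/TXT to any non-CNAME record at the same name.

```python
import ipaddress

RECOMMENDED_TTL = 3600  # seconds, from the Technical Notes

def norm(name):
    return name.rstrip(".").lower()

def preflight(zone_apex, existing, name, target, ttl):
    """Check a CNAME about to be added. `existing` holds (name, type, value)
    tuples already in the zone. Returns a list of problems (empty = OK)."""
    apex, name, target = norm(zone_apex), norm(name), norm(target)
    problems = []
    if name == apex:
        problems.append("cname-at-root-domain")
    elif not name.endswith("." + apex):
        problems.append("name-outside-zone")
    try:
        ipaddress.ip_address(target)
        problems.append("target-is-ip-address")
    except ValueError:
        pass  # not an IP literal, so it is treated as a hostname
    # An existing CNAME at the name is updated in place; any other type clashes.
    clash = sorted({rtype.upper() for n, rtype, _ in existing
                    if norm(n) == name and rtype.upper() != "CNAME"})
    if clash:
        problems.append("conflicts-with-" + "+".join(clash))
    if ttl != RECOMMENDED_TTL:
        problems.append("ttl-differs-from-recommended")
    return problems

# Constructed zone contents and targets (placeholders, not real values).
ZONE = [("yourbrand.com.", "A", "203.0.113.10"),
        ("context.yourbrand.com.", "TXT", "site-verification=placeholder"),
        ("faq.yourbrand.com.", "CNAME", "old-target.example.net.")]
CDN = "d111111abcdef8.cloudfront.net."

if __name__ == "__main__":
    for args in [("faq.yourbrand.com", CDN, 3600),
                 ("context.yourbrand.com", CDN, 300),
                 ("yourbrand.com", CDN, 3600),
                 ("faq.yourbrand.com", "203.0.113.7", 3600)]:
        print(args[0], "->", preflight("yourbrand.com", ZONE, *args))
```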

FAQ once the Subdomain is Established:

 


What percentage of my brand's content is currently included in Bonafide's content collection or knowledge graph?
Within the context layer/knowledge graph, Bonafide incorporates all that your brand has to offer and makes that available for orchestrations. This does not mean that we are orchestrating all of your brand's content. Instead, we focus on orchestrating the most important information. This is a function of our Q&A pairs.

Is there a way to see which of my brand's URLs are currently included in Bonafide's content collection and which are not?
BonafideBot, our context crawler, crawls all pages linked in the sitemap and any pages linked to it, excluding anything that is explicitly excluded. We also do not collect past events. Further, the location where we found the Official Response from the 'System of Record' is noted as a URL in the "Official Links" cell.

Is Bonafide generating answers solely from the content represented at my brand's context endpoint, or does it also continuously crawl and utilize the broader brand site?
We do not generate answers from your brand's context endpoint — this is the distribution endpoint for LLM crawlers. We regularly (but not "continuously") crawl your brand's site. We can crawl it more frequently if needed.

How frequently is content refreshed?
Currently, we are running our Crawl quarterly. We are examining what the ideal frequency is as it relates to information changes.

Are there any updates on custom queries and reporting features?
These are in final review and should be released soon. Full disclosure: the functionality is working — we are discussing improvements to certain behaviors and are internally debating what to address before the initial release versus what to ship as individual patches afterward.

 

 

For questions about this process, contact your Bonafide account representative or reach us at support@bonafide.ai.