Security Addendum

This Security Addendum describes the baseline safeguards Boo uses to protect Customer Data. It is part of the Master Subscription Agreement and Terms of Service.

Security program

Boo maintains a security program designed to protect the confidentiality, integrity, and availability of Customer Data. The program includes policies, access controls, risk management, vendor management, secure development practices, incident response, and operational monitoring. Boo follows industry-standard practices and may pursue recognized third-party attestations, such as SOC 2, as the company matures. Boo will make any such attestations available under section 17 when they are completed.

Encryption

Boo encrypts Customer Data in transit using industry-standard transport encryption. Boo encrypts Customer Data at rest using cloud provider encryption, database encryption, storage encryption, or other industry-standard controls.

Key management

Boo uses managed key systems. Customer-managed or customer-supported key systems are available only where stated in an Order Form or applicable security documentation. Boo personnel are not given standing access to plaintext Customer Data as a routine operating practice. Support or engineering access, if needed, is limited, logged where technically feasible, and based on a business need. If customer-managed keys are made available, the applicable Order Form or security documentation will describe the feature and limitations.

Source-system access

Boo uses the tokens, API keys, service accounts, connected accounts, credentials, scopes, and permissions authorized by Customer. Boo does not bypass access controls in source systems. If a token or key lacks access, Boo lacks access.

Credential handling

Boo protects stored credentials using encryption, access controls, and secret management practices designed to prevent credentials from being stored in source code. Customer is responsible for rotating, revoking, limiting, and monitoring credentials in connected systems.

Tenant separation

Boo uses logical separation designed to prevent one customer from accessing another customer's Customer Data. Private workspace memory and Private Skills are customer-specific.

Access control

Boo uses least privilege, role-based access, authentication controls, administrative access restrictions, and multifactor authentication where applicable for systems that process Customer Data. Boo reviews access periodically.

Employee access

Boo limits employee access to Customer Data to personnel with a business need, such as support, security, reliability, or engineering. Administrative access to production systems that process Customer Data is logged where technically feasible and reviewed based on risk.

Logging and monitoring

Boo maintains logs for security, reliability, debugging, auditability, billing, and abuse prevention. Logs may include task metadata, user identifiers, workspace identifiers, timestamps, connector activity, model usage, errors, operational events, and limited Customer Data where necessary for security, reliability, debugging, auditability, billing, or abuse prevention.

AI provider safeguards

Boo requires model providers that process Customer Data to maintain confidentiality and security obligations and not use Customer Data to train their models unless Customer gives Explicit Approval, including through a Customer-Approved Provider Setting that is off by default.

Vulnerability management

Boo uses vulnerability detection, dependency review, patching, and remediation processes designed to reduce security risk. Critical issues are prioritized based on severity and exploitability.

Secure development

Boo uses development practices designed to reduce security defects, including code review, testing, secrets handling, dependency management, vulnerability remediation, environment separation where applicable, and production access controls.

Incident response

Boo maintains an incident response process to investigate, contain, remediate, and communicate security incidents. Boo will notify Customer of confirmed Customer Data breaches without undue delay and as described in the Data Processing Addendum.

Backups and recovery

Boo maintains backups and recovery systems where necessary for availability and resilience.

Customer responsibilities

Customer is responsible for configuring permissions, scopes, tokens, source-system access, user access, endpoint security, network security, internal policies, review processes, and lawful use of the Services.

No perfect security

No security program can guarantee absolute security. Boo's commitments are limited to the safeguards described in this Agreement and applicable law.

Security reviews

Boo may provide security documentation, audit reports, penetration test summaries, or questionnaire responses under confidentiality when available, commercially reasonable, and subject to reasonable security restrictions.