Boo Lab, Inc.

Security at Boo

Last updated: June 5, 2026

Boo is built to handle sensitive business data. We maintain a security program designed to protect the confidentiality, integrity, and availability of Customer Data. This page summarizes our key security practices. The full details are in the Security Addendum.

Security program

Our security program covers policies, access controls, risk management, vendor management, secure development practices, incident response, and operational monitoring. We follow industry-standard practices and are pursuing recognized third-party attestations such as SOC 2 as the company matures.

Encryption

All Customer Data is encrypted in transit using industry-standard transport encryption. Customer Data at rest is encrypted using cloud provider encryption, database encryption, storage encryption, or equivalent controls. Credentials stored by Boo are protected using encryption and secret management practices designed to prevent them from appearing in source code.

Access controls

We use least privilege, role-based access, authentication controls, and multifactor authentication where applicable for systems that process Customer Data. Access is reviewed periodically. Employee access to Customer Data is limited to personnel with a specific business need (such as support, security, reliability, or engineering) and is logged where technically feasible.

Boo accesses your connected systems only through the tokens, API keys, service accounts, and permissions you authorize. If a credential does not have access to something in your source system, Boo does not have access to it either. Boo does not bypass source-system access controls.

Tenant separation

We use logical separation designed to prevent one customer from accessing another customer's data. Private workspace memory and Private Skills are customer-specific and not shared across workspaces.

Vulnerability management

We run vulnerability detection, dependency review, patching, and remediation processes to reduce security risk. Critical issues are prioritized based on severity and exploitability. Our development practices include code review, testing, secrets handling, dependency management, and production access controls.

Incident response

We maintain an incident response process to investigate, contain, remediate, and communicate security incidents. If we confirm a breach of security affecting your Customer Data, we will notify you without undue delay and provide information to help you meet any applicable legal obligations. Full details are in the Data Processing Addendum.

AI provider safeguards

When Boo sends Customer Data to third-party model providers for inference, we require those providers to maintain confidentiality and security obligations and not use Customer Data to train their models without explicit customer approval. The default for every model provider is no training on Customer Data. Details on our providers are in the Subprocessor and Model Provider Policy.

Logging and monitoring

We maintain logs for security, reliability, auditability, billing, and abuse prevention. Logs may include task metadata, workspace identifiers, timestamps, connector activity, model usage, errors, and operational events. Customer Data is included in logs only where necessary for security, reliability, billing, or abuse prevention.

Backups and recovery

We maintain backups and recovery systems where necessary for availability and resilience.

Your responsibilities

Security is a shared effort. You are responsible for configuring permissions, scopes, and tokens for connected systems; managing user access; protecting endpoint and network security; and following your own internal policies. You should grant Boo only the access you intend it to have, and review Boo's work before any significant, irreversible, or externally visible action.

Security documentation and reviews

We can provide security documentation, audit reports, penetration test summaries, or questionnaire responses under confidentiality when available and commercially reasonable. Contact legal@boolab.ai to request security documentation.