Security Practices

Protecting your business data is fundamental to everything we build. Here's how we secure the BookOfBusiness.ai platform.

How We Protect Your Data

Multi-layered security built into every part of the platform

Data Encryption
Industry-standard encryption for data in transit and at rest
  • TLS 1.3 for all data in transit (Vercel-enforced)
  • AES-256-GCM encryption for sensitive credentials
  • PostgreSQL encryption at rest (Supabase infrastructure)
  • Random IV and authentication tags for each encryption operation
Authentication & Access Control
Enterprise authentication powered by Clerk (SOC 2 Type II certified)
  • Clerk-managed authentication with MFA support
  • Organization-based multi-tenancy
  • Role-based access control (OWNER, TEAM)
  • JWT sessions with automatic refresh
Tenant Isolation
Every customer's data is logically separated at the database level
  • Automatic tenant ID injection on all database queries
  • Middleware-enforced route protection
  • CORS origin validation
  • Per-tenant API key scoping for public endpoints
Input Validation
All inputs are validated before processing to prevent injection attacks
  • Zod schema validation on all API inputs
  • Parameterized database queries via Prisma ORM (no raw SQL)
  • React auto-escaping for XSS prevention
  • Rate limiting on all public and AI-heavy endpoints
Rate Limiting & Abuse Prevention
All endpoints are rate-limited to protect against abuse and ensure fair usage
  • Public API: 100 req/min
  • AI Chat: 30 req/min
  • Web Forms: 5 req/min
  • Webhooks: 50 req/min

Compliance Roadmap

We are actively working toward formal compliance certifications

  • ISO 27001: International security management standard (In Progress)
  • GDPR: European data protection regulation (In Progress)
  • APPI: Japan data protection law (In Progress)
  • CBPR: APEC cross-border privacy rules (Planned)

Incident Response

In the event of a security incident, we follow a structured response process to minimize impact and maintain transparency.

  • Detection & triage within 1 hour
  • Impact assessment & containment
  • DPA notification within 72 hours (GDPR Art. 33)
  • User notification without undue delay
  • Root cause analysis
  • Remediation & prevention report

Report a Security Issue

If you discover a security vulnerability, please report it responsibly.

security@bookofbusiness.ai

Data Protection Principles

Data Minimization

We collect only the data necessary to provide our services. Personal data sent to AI providers is redacted where possible.

Purpose Limitation

Your data is used solely for the purposes you've authorized and nothing else.

Transparency

Our Privacy Policy documents what data we collect, how we use it, and how long we retain it.

Your Rights
  • Right to access your data
  • Right to rectification
  • Right to data deletion
  • Right to data portability
  • Right to opt-out

To exercise these rights, contact privacy@bookofbusiness.ai

Questions About Security?

Our team is here to answer any questions about our data protection measures.