Security Policy

Last updated: 2026-06-04

Draft — this policy is being finalized and will be updated before general availability.

Security is foundational to how Boogy is built. This page summarizes our approach and explains how to report a vulnerability.

Our approach

• Isolation by default — every service runs in a secure sandbox, and access to data is denied by default and granted only where explicitly permitted.
• Strong data boundaries — your data is private to your account and is reachable only through your own services and their authentication. It is never made public or visible to anyone else — privacy by design. Preventing any unauthorized access to it is a property we engineer for deliberately and verify through methodical, ongoing testing.
• Least privilege — each service runs with only the permissions it has been explicitly granted, and nothing more.

Data protection

Data is encrypted in transit and at rest. Secrets are encrypted with managed keys and are never exposed in our logs. Information used to operate and bill the platform is kept separate from the data your services hold.

Authentication

We support modern authentication, including scoped access tokens, API keys, and passkeys. Sensitive and administrative actions are access-controlled and recorded for security.

Reporting a vulnerability

If you believe you have found a security issue, please contact our security team. Include steps to reproduce, affected components, and any proof-of-concept. Please give us a reasonable opportunity to investigate and remediate before public disclosure. We will acknowledge your report and keep you informed of our progress.

Scope

Testing must not harm other users, degrade the platform, or access data that is not yours. Do not run denial-of-service tests or large-scale automated scans against the platform.

Contact

Security questions or reports: contact our security team.