PRODUCT
AI CHATBOT
SOLUTIONS
RESOURCES
With bike energy 
from Utrecht 
Ruby Foundry B.V. - KVK: 99995662 - BTW: NL869219789B01
We take the security and privacy of your data on Boei very seriously. We understand the importance of keeping your data private and strive to keep it this way.
Our engineers have experience working on highly reliable, scalable, and secure systems at global banks and insurance companies. We always have someone on call to address any issues or outages as fast as possible.
Boei invests significant resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined. Please also see our GDPR Data Processing Agreement.
Boei production services - application servers, primary database, and backups - are hosted on Hetzner Online GmbH infrastructure, with physical servers located in Hetzner's data centers in Nuremberg, Germany (EU/EEA). All Controller personal data processed by the Boei service is stored inside the EU/EEA.
Hetzner's data centers are ISO/IEC 27001 certified and operate with industry-standard physical access controls: 24/7 on-site staff, video surveillance, biometric and multi-factor access control, access logs, redundant power and cooling, and fire-suppression systems.
Static assets (such as product images served alongside the widget) are stored in the EU-West (Ireland) region of Amazon Web Services S3 via Amazon Web Services EMEA SARL. Public-facing traffic to boei.help, app.boei.help, and the chat widget is served through Cloudflare's global edge network, which provides DDoS protection, a Web Application Firewall, and TLS termination.
For the full and current list of sub-processors, including hosting, email, AI model providers, and analytics, see our Subprocessors page.
Boei uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 256-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the Boei servers. There is no non-TLS option for connecting to Boei. All connections are made securely over HTTPS.
Data drives on servers holding user data use full-disk, industry-standard AES encryption with a unique encryption key per server. Static assets such as uploaded images are stored in AWS S3 (EU-West, Ireland) with server-side encryption enabled, and are only accessible over HTTPS by authorized users.
We maintain separate and distinct production, staging, and development environments for Boei. To access production environments, authorized and trained members authenticate to the VPN using unique strong passwords and 2FA and then only access the production environment via ssh terminal connections using passphrase-protected personal RSA certificates.
For Authorized Personnel, any workstations running Windows or MacOS must be running current and active anti-virus software. Those members are also trained not to replicate non-public user data stored in Boei’s production environment onto their workstations or mobile devices.
Production environments are constantly monitored on performance, uptime, and several other metrics, with an alerting system that pages the on-call engineer when metrics exceed their thresholds. Live uptime for the Boei service is publicly available on our status page at updown.io/pper.
All changes to the Boei production system, be they code or system configuration changes, require review prior to deployment to the production environment. Automated unit tests are run against all production code prior to deployment. Production code is also subject to regularly conducted automated vulnerability scans. All changes to Boei’s code are tested in other environments prior to deployment to production. Patches to the Boei are deployed on a rolling basis, usually several times per week. Boei’s production servers are managed via a configuration system. We use source code management tools and repositories.
All production servers are running an LTS (Long Term Support) distribution of their operating system to ensure timely updates are available.
We use a fully automated process from private Git repositories to staging to production servers including database migrations.
When logging in directly to Boei using a username or email and password, Boei requires a minimum of 8 characters. Repeated failed login attempts trigger a 60-second lock before a user can retry. Passwords are stored in a hashed form (via OpenSSL using AES-256 encryption) and will never be sent via email—upon account creation and password reset, Boei will send a link to the email associated with the account that will enable the user to create a new password. Password complexity and session length requirements cannot be customized within the app.
User data entered on public pages or included in public profile information may be viewed or accessed by anyone. In addition, notwithstanding anything to the contrary, data may be collected, shared, retained, and used as described in Boei’s Privacy Policy.
User data may be shared by Boei with third-party service providers (a user's email address for an email delivery provider, for example) according to Boei’s Privacy Policy.
Data entered into Boei is backed up regularly. All backups are encrypted in transit and at rest and are stored on separate infrastructure inside the EU/EEA to ensure availability in the unlikely event that a restore is necessary.
Static assets uploaded through the widget or admin app are not part of the primary database backup schedule and instead rely on AWS S3's internal redundancy.
Because user data stored in Boei is on shared infrastructure, we cannot recover a subset of a single customer's information from backups. If a customer requires a complete record of its information, we suggest exporting data regularly from the admin app.
Boei's primary database is backed up daily and before any code change or database migration. In addition, a snapshot of the primary servers is taken at least once every 7 days.
All Boei database backups are stored on Hetzner Storage Box infrastructure (Nuremberg, Germany - EU/EEA), separate from the primary database servers, and retained for up to 90 days after creation.
Only authorized members of the Boei operations team have access to the backup locations, to monitor backup performance and, in the unlikely event that a restore is needed, to perform recovery.
Static asset storage (AWS S3, EU-West Ireland) relies on S3's internal redundancy, which Amazon reports at 99.999999999% (11 9's) object durability per year.
If you have any remaining questions or concerns about our security, don’t hesitate to contact us.