February 2026

How Booked55 Approaches Security, Privacy, and Your Data

Your CRM data is some of the most valuable information in your business. Here is how we think about protecting it — honestly, without buzzwords.

When you put your client relationships, deal details, and personal notes into a CRM, you are trusting that platform with information that could make or break your business. We don't take that lightly. This post is a plain-language look at how we approach security and privacy at Booked55 — what we do today, what we are working on, and where we stand on the things that matter.

Your Data Belongs to You

This is the simplest and most important point. The contacts, companies, events, pipelines, emails, and notes you put into Booked55 are yours. We do not sell your data. We do not share it across customer accounts. We do not use your CRM data to train AI models for other customers or third parties. Your data exists to serve you, and only you.

When you use AI features like email drafting or contact enrichment, the relevant data is processed solely to generate the result you asked for. That's it.

Privacy That Respects Geography

Privacy laws differ depending on where you and your contacts are located. We have built our Privacy Policy to address the requirements of multiple jurisdictions:

  • GDPR (Europe): We document our legal bases for processing, support data subject rights (access, deletion, portability, correction), and follow data minimization principles. If you are an EEA user, you can exercise your rights by contacting us directly.
  • CCPA (California): California residents can request to know what data we collect, ask for deletion, and opt out of data sales. Since we don't sell personal information, the opt-out is straightforward — there is nothing to opt out of.
  • PIPEDA (Canada): We follow the principle of meaningful consent and only collect information for purposes a reasonable person would consider appropriate. Canadian users have full access and correction rights.

We are not claiming to have passed a formal audit for any of these frameworks. What we are saying is that we have designed our practices and policies to align with their requirements, and we continue to improve.

Security in Practice

Security is not a checkbox — it is a set of daily practices. Here is what we do:

  • Encryption everywhere: All data in transit is encrypted with TLS. Data at rest is encrypted on our database and storage systems.
  • No plaintext passwords: Passwords are hashed with strong, one-way algorithms. We never store or log plaintext passwords.
  • OAuth for integrations: Gmail, Google Calendar, and MCP connections use OAuth 2.0 — we never ask for or store your third-party passwords.
  • Organization isolation: Each organization's data is logically separated. Users in one org cannot see another org's data, even when a single Booked55 user account belongs to more than one organization.
  • Rate limiting and abuse prevention: API endpoints and authentication flows are rate-limited to prevent brute-force attacks.
  • Role-based access: Admins control what users in their organization can access. Not everyone needs to see everything.

For the full details, visit our Security page.

MCP Server: AI Access with Guardrails

Our MCP server lets you connect Booked55 to AI clients like ChatGPT and Claude. That raises a fair question: how do you keep data safe when external AI tools are involved?

The MCP server uses the same authentication and access controls as the main platform. An external AI client can only access data that the authenticated user is authorized to see. Every request is validated with OAuth 2.0 and API key checks, rate-limited, and logged for audit. You control which tools are exposed and can revoke access at any time.

What We Are Honest About

We believe trust comes from honesty, not marketing. Here is where we stand:

  • We do not currently hold SOC 2, ISO 27001, or similar formal certifications. We are working toward them and will announce when we achieve them.
  • Multi-factor authentication (MFA) is on our roadmap but not yet available. We recommend using strong, unique passwords in the meantime.
  • We have not yet undergone a formal third-party penetration test, but this is planned.
  • Our infrastructure providers maintain their own certifications (SOC 2, ISO 27001), and we select providers with strong security track records.

We would rather tell you where we are than pretend we are somewhere we are not. As we grow, our security posture grows with us, and this page will be updated to reflect it.

If Something Goes Wrong

No system is perfect. If a security incident occurs, we follow a defined response process: identify, contain, remediate, and notify. If a breach affects your personal data, we will notify you and the relevant authorities in accordance with applicable law — including within 72 hours where required by GDPR.

If you discover a vulnerability, we welcome responsible disclosure at [email protected]. We will acknowledge your report within 48 hours.

The Bottom Line

We are a growing platform, and we are investing in security and privacy at every step. We don't sell your data, we don't use it for purposes you didn't ask for, and we are transparent about what we do and don't have in place. If you have specific security questions or need details for a vendor review, reach out — we are happy to talk.

Questions About Security or Privacy?

We are happy to discuss our practices in detail. Reach out anytime.
