Security at Booked55
How we protect your data, your clients' data, and your business.
Your CRM holds some of the most sensitive information in your business — client relationships, deal details, personal notes, and communication history. We take that responsibility seriously. This page describes the security practices we follow to protect your data.
Data Encryption
All data transmitted between your browser (or mobile app) and our servers is encrypted using TLS (Transport Layer Security). This applies to the web application, API, and MCP server connections. Data at rest is encrypted using industry-standard encryption algorithms on our database and storage systems.
Authentication & Access Control
- Passwords are hashed using strong, one-way hashing algorithms. We never store plaintext passwords.
- OAuth 2.0 is used for third-party integrations (Gmail, Google Calendar) and our MCP server, ensuring credentials are never directly shared.
- API keys are generated per-organization and can be revoked at any time from the settings panel.
- Role-based access control limits what each user can see and do within an organization.
Infrastructure
Our platform is hosted on infrastructure providers that maintain their own rigorous security programs, including physical security, network isolation, and redundancy. We select providers that publish their own compliance certifications (such as SOC 2 and ISO 27001 at the infrastructure level).
We use environment-level isolation to ensure that production data is separated from development and testing environments.
Application Security
- Input validation and parameterized queries to protect against injection attacks
- Rate limiting on API and authentication endpoints to prevent brute-force and abuse
- CORS (Cross-Origin Resource Sharing) policies so that browsers only allow approved origins to call our API
- Error monitoring and logging via Sentry to quickly identify and respond to issues
- Regular dependency updates to address known vulnerabilities in third-party libraries
Data Isolation
Each organization's data is logically isolated within our systems. Users in one organization cannot access another organization's data. When users belong to multiple organizations, they must explicitly switch between them, and each session is scoped to a single organization.
AI & MCP Security
Our MCP (Model Context Protocol) server implements OAuth 2.0 authentication, API key validation, rate limiting, and audit logging. Tools exposed through the MCP server respect the same access controls as the main application — an external AI client cannot access data beyond what the authenticated user is authorized to see.
AI features process your data solely to fulfill your requests. Your CRM data is not used to train models for other customers or made available to third parties.
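To make concrete what the Data Isolation and AI & MCP Security sections above describe, here is an added illustration (not Booked55's code; the data model, role names and function names are assumptions): a session bound to one organization, a query layer that always filters by that organization, and an MCP tool handler that reuses the same scoped path.

```python
from dataclasses import dataclass

# Constructed sample data (not Booked55's schema): two organizations and
# one user, "dana", who belongs to both with different roles.
CONTACTS = [
    {"id": 1, "org_id": "org-a", "name": "Ada", "notes": "renewal due"},
    {"id": 2, "org_id": "org-a", "name": "Bo", "notes": "prefers email"},
    {"id": 3, "org_id": "org-b", "name": "Cy", "notes": "deal in review"},
]
MEMBERSHIPS = {("dana", "org-a"): "admin", ("dana", "org-b"): "viewer"}
PERMISSIONS = {"viewer": {"contacts:read"}, "admin": {"contacts:read", "contacts:write"}}

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Session:
    """A session is bound to exactly one organization; changing it is explicit."""
    user: str
    org_id: str

    def switch_org(self, org_id: str) -> "Session":
        # Switching yields a new single-org session; it never widens the current one.
        if (self.user, org_id) not in MEMBERSHIPS:
            raise AccessDenied(f"{self.user} is not a member of {org_id}")
        return Session(self.user, org_id)

    def require(self, permission: str) -> None:
        role = MEMBERSHIPS.get((self.user, self.org_id))
        if role is None or permission not in PERMISSIONS[role]:
            raise AccessDenied(f"{permission} denied for {self.user} in {self.org_id}")

def list_contacts(session: Session) -> list:
    """Every read is filtered by the session's org; there is no unscoped variant."""
    session.require("contacts:read")
    return [c for c in CONTACTS if c["org_id"] == session.org_id]

def update_notes(session: Session, contact_id: int, notes: str) -> dict:
    """Writes match on (id, org_id), so an id from another org is simply 'not found'."""
    session.require("contacts:write")
    for c in CONTACTS:
        if c["id"] == contact_id and c["org_id"] == session.org_id:
            c["notes"] = notes
            return c
    raise KeyError(f"contact {contact_id} not found in {session.org_id}")

def mcp_tool_list_contacts(session: Session) -> list:
    """An MCP tool handler calls the same scoped function as the web app."""
    return [{"name": c["name"]} for c in list_contacts(session)]
```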
Incident Response
In the event of a security incident, we follow a defined response process: identify, contain, remediate, and notify. If a breach affects your personal data, we will notify affected users and relevant authorities as required by applicable law (including GDPR's 72-hour notification requirement where applicable).
What We Are Working On
Security is an ongoing effort, not a destination. We are continuously improving our practices. Areas we are actively investing in include:
- Multi-factor authentication (MFA) for user accounts
- Expanded audit logging for administrative actions
- Formal penetration testing by third-party security firms
- Working toward industry compliance certifications
We believe in being transparent about where we are and where we are headed. We do not claim certifications we have not earned, and we will update this page as we achieve new milestones.
Responsible Disclosure
If you discover a security vulnerability in our platform, we appreciate your help in disclosing it responsibly. Please contact us at [email protected] with details of the vulnerability. We will acknowledge receipt within 48 hours and work with you to understand and address the issue.
Questions?
If you have questions about our security practices or would like more details for a security review, contact us at [email protected] or through our Contact page.