Security & trust
Your team's data, protected by design
Bossy is built on the same security practices we'd demand as operators ourselves: isolation between businesses, encryption, and a clear record of who did what.
Tenant isolation by default
Every record is scoped to your organization and enforced at the database layer with row-level security, not just in the app. One business can never see another's data.
Encryption in transit and at rest
All traffic is served over HTTPS, and your data is encrypted at rest by our infrastructure providers.
We never store card numbers
Payments run through Stripe. Card details go straight to Stripe and never touch Bossy's servers.
Two-factor authentication
Admins and users can protect their accounts with TOTP-based two-factor authentication.
Audit logging
Sensitive administrative actions are recorded in an append-only audit log, so there's always a record of who changed what and when.
Built on trusted infrastructure
Bossy runs on Vercel and Supabase, with error monitoring and analytics from established providers, not homegrown plumbing.
Responsible disclosure
Found a security issue? We want to hear from you. Email our security team and we'll respond promptly.