Security

Boon serves enterprise organizations that entrust us with sensitive employee development data. We take that responsibility seriously. Security is built into every layer of our platform, from infrastructure to coaching session confidentiality.

This page describes the measures we take to protect your data. If you have questions or need additional documentation for your security review, contact us at security@boon-health.com.

Infrastructure

The Boon platform is hosted on enterprise-grade cloud infrastructure with built-in redundancy and high availability.

• Application hosting on Vercel's edge network with automatic failover and global CDN distribution
• Database and authentication services powered by Supabase, built on AWS infrastructure with automated backups
• All environments are isolated by role: production, staging, and development are fully separated
• Infrastructure is provisioned and managed through code, reducing manual configuration errors

Data Encryption

All data is encrypted both in transit and at rest.

• In transit: All connections are secured with TLS 1.2 or higher. HTTPS is enforced across all endpoints with HTTP Strict Transport Security (HSTS) enabled
• At rest: Database storage uses AES-256 encryption. Backups are encrypted using the same standard
• Secrets management: API keys, credentials, and sensitive configuration values are stored in encrypted environment variables, never in source code

Access Control

We enforce the principle of least privilege across all systems and data access layers.

• Multi-tenant isolation: Every database query is scoped by organization. Row-level security (RLS) policies enforce data isolation at the database layer, so one organization can never access another's data
• Authentication: User authentication is handled through secure, industry-standard protocols with session management and token expiry
• Role-based access: Platform access is segmented by role (employee, coach, administrator, program manager) with permissions enforced at both the application and database levels
• Internal access: Boon team access to production systems is restricted to authorized personnel and requires multi-factor authentication

Coaching Confidentiality

Confidentiality is fundamental to effective coaching. Our platform is designed to protect the privacy of coaching relationships.

• Boon does not access, record, or store the substantive content of coaching sessions unless explicitly agreed upon by all parties
• Employers receive only aggregated, de-identified data such as participation rates and program-level outcomes
• Individual survey responses are not shared with employers unless the participant explicitly opts in
• Coaches are bound by professional ethics codes and Boon's confidentiality agreements

For full details on what data is collected and how it is used, see our Privacy Policy.

Application Security

• Security headers enforced across all pages: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy
• Input validation and parameterized queries to prevent injection attacks
• Cross-site scripting (XSS) protections built into the application framework
• Clickjacking prevention via frame denial headers
• Third-party dependencies are monitored for known vulnerabilities and updated regularly

Data Handling and Retention

• Personal data is retained only as long as necessary to fulfill the purposes described in our Privacy Policy
• When a coaching program ends or an account is closed, data is deleted or anonymized within a reasonable timeframe, subject to legal and contractual obligations
• Automated database backups are performed daily and retained for disaster recovery purposes
• Data deletion requests are honored in accordance with applicable privacy laws

Incident Response

Boon maintains an incident response plan to address potential security events promptly and transparently.

• Defined procedures for identifying, containing, and resolving security incidents
• Affected customers will be notified of confirmed data breaches in accordance with applicable laws and within contractually agreed timeframes
• Post-incident reviews are conducted to identify root causes and implement preventive measures

Vendor and Third-Party Security

We carefully evaluate the security posture of third-party services integrated with our platform. Key service providers include:

• Supabase (database, authentication): SOC 2 Type II compliant
• Vercel (hosting, CDN): SOC 2 Type II compliant
• Stripe (payment processing): PCI DSS Level 1 certified
• Zoom (video conferencing): SOC 2 Type II, end-to-end encryption available

We require that all critical vendors maintain appropriate security certifications and notify us of material changes to their security practices.

Employee Security Practices

• All Boon team members complete security awareness training
• Access to production systems and customer data is granted on a need-to-know basis
• Multi-factor authentication is required for all internal tools and services
• Endpoint devices used for development and operations follow security baseline requirements

Enterprise Security Reviews

We understand that enterprise customers often require detailed security documentation as part of their procurement and compliance processes. Boon is happy to support your review by providing:

• Responses to security questionnaires and vendor assessment forms
• Architecture and data flow documentation
• Details on our security controls and practices

To request security documentation or schedule a review, contact security@boon-health.com.