Security

Last updated: May 9, 2026

BookyTails is built on infrastructure used by thousands of businesses with stricter compliance requirements than most groomers will ever face. This page explains the controls that protect your data and your customers' data.

1. Hosting and infrastructure

• Application: hosted on Vercel, which holds SOC 2 Type II and ISO 27001 certifications.
• Database, auth, file storage: Supabase (Postgres + Row Level Security + S3-compatible storage), which holds SOC 2 Type II certification.
• Geographic location: primary data centers in the United States. CDN edge nodes are global for performance.

2. Encryption

• In transit: all traffic to and from BookyTails uses TLS 1.2 or higher. SSL certificates are issued and rotated by Vercel automatically. We do not accept unencrypted HTTP requests.
• At rest: Postgres data and storage objects are encrypted at rest using AES-256 by Supabase.
• Passwords: account passwords are hashed using bcrypt by Supabase Auth. We never see them in plaintext.

3. Access controls

• Application-level: every server-side request is scoped to the authenticated groomer's ID. We use Postgres Row Level Security as a second line of defense, even a code bug can't leak another groomer's data.
• Production access: limited to the operator (Toan Bui). All admin access uses 2FA. There are no shared credentials.
• Vendor access: sub-processors (Stripe, Brevo, Anthropic) only see the minimum data necessary to do their job.

4. Payment data

Card numbers, CVCs, and bank details never touch BookyTails servers. All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified (the highest level). We only store a customer ID and a subscription ID returned by Stripe.

5. AI processing

AI features (intake quote estimation, receipt OCR) send the relevant data, photos, customer notes, receipt images, to Anthropic for processing. Anthropic's commercial terms state that data sent via the API is not used to train models and is only retained briefly for abuse monitoring before deletion. We do not log AI prompts or responses outside the audit fields needed to debug a specific intake.

6. SMS

Outbound SMS is sent via Brevo, which holds ISO 27001 certification. We pass them only the recipient phone number, message body, and our sender configuration.

7. Backups and disaster recovery

• Supabase performs automated daily backups of the database with a rolling 30-day retention window.
• Storage objects (intake photos, report-card photos, receipts) are replicated across multiple availability zones by Supabase.
• Configuration and application code are version-controlled in GitHub and re-deployable from any commit in seconds.

8. Logging and monitoring

Application logs (request paths, response codes, error stack traces) are retained for 30 days and reviewed for anomalies. We do not log request bodies that may contain personal information except where strictly necessary to debug a specific issue. SMS delivery logs are retained for 12 months for delivery troubleshooting and to defend against chargebacks.

9. Vulnerability management

• Dependencies are monitored for security advisories. Critical patches are deployed within 7 days of disclosure; high-severity within 30.
• Vercel's build platform automatically blocks deployments of known-vulnerable framework versions.
• Found a security issue? Report it confidentially to security@bookytails.com. We aim to acknowledge within 2 business days and won't pursue legal action against good-faith research that follows our reporting guidelines (don't exfiltrate data, don't test on accounts you don't own, don't cause service disruption).

10. Incident response

If we discover a security incident affecting your data, we will:

1. Contain the issue and preserve forensic data.
2. Investigate scope, root cause, and affected accounts.
3. Notify affected groomers without undue delay, and in any case within 72 hours of confirmation, where required by law.
4. Provide guidance on what action you should take with your own customers, if any.
5. Implement preventive measures and document lessons learned.

11. What we ask of you

• Use a strong, unique password for your BookyTails account. Use a password manager.
• Enable two-factor authentication on your email account (the recovery surface for your BookyTails password).
• Be cautious sharing your account credentials. Each Team member should have their own login.
• If you suspect unauthorized access, email security@bookytails.com immediately.

12. Compliance roadmap

BookyTails is operated by an early-stage business and does not yet hold its own SOC 2 or ISO 27001 certification. Our underlying infrastructure providers (Vercel, Supabase, Stripe, Anthropic, Brevo) do. As BookyTails scales, we'll pursue independent attestations appropriate to our customer base; we'll update this page when that happens.