Security Is Not AnAfterthought
Boottify is built with security at its core. Here's how we protect your applications, data, and infrastructure — and our roadmap to enterprise compliance.
TLS 1.3
All traffic encrypted
AES-256
Data at rest encryption
WAF
40+ security rules active
IPv6
Dual-stack networking
RBAC
5-tier access control
MFA
WebAuthn + TOTP
Security Practices
Enterprise-grade security measures protecting every layer of the platform.
Encryption at Rest & In Transit
- TLS 1.3 for all HTTPS traffic — HSTS enforced with 12-month max-age
- AES-256 encryption for databases and backups
- All secrets encrypted via Kubernetes Secrets with etcd encryption at rest
- API tokens hashed with bcrypt/argon2 — never stored in plaintext
Authentication & Access Control
- WebAuthn / FIDO2 passkey support — phishing-resistant MFA
- TOTP-based 2FA with single-use backup codes
- OAuth 2.0 with Google & GitHub — no password sharing
- Role-based access control (RBAC) with 5 hierarchical tiers
- 15-minute idle session timeout with 2-minute warning prompts
Network & Infrastructure Security
- K3s Kubernetes with Traefik ingress — zero-trust pod networking
- WAF with 40+ custom rules against SQLi, XSS, CSRF, path traversal
- DDoS protection via Hetzner DDoS mitigation + rate limiting at API layer
- All internal services on private overlay network (10.42.0.0/16)
- IPv6 dual-stack support for modern networking
Data Protection & Backups
- Automated daily database backups with 30-day retention
- Off-site backup replication to secondary Hetzner location
- Point-in-time recovery capability for databases
- S3-compatible object storage with versioning enabled
- GDPR-ready: data processing documentation & DPA available
Monitoring & Incident Response
- 24/7 automated health checks on all services and endpoints
- Real-time alerting via Discord for critical incidents
- Structured incident response plan with escalation matrix
- Post-incident reviews published within 72 hours
- 99.9% uptime SLA target for production workloads
Compliance & Auditing
- Comprehensive audit logging across all platform actions
- Immutable audit trails with tamper-evident storage
- Regular automated vulnerability scanning
- Dependency audit on every deployment (npm audit / pip audit)
- Annual third-party penetration testing (planned Q3 2026)
Infrastructure Security
How we secure the platform from the ground up.
Hetzner Bare Metal
Dedicated server in Hetzner's ISO 27001 certified data center in Nuremberg, Germany. No shared hardware, no noisy neighbors.
DDoS Protection
Hetzner's always-on DDoS mitigation at the network edge, plus application-layer rate limiting and WAF rules.
Backup Strategy
Daily automated backups with 30-day retention. Off-site replication to secondary Hetzner location. Point-in-time recovery tested monthly.
IPv6 Dual-Stack
Full IPv6 support on all public endpoints. Modern apps and regions with IPv6 requirements are fully supported.
Vulnerability Scanning
Automated dependency scanning on every build. Regular OWASP Top 10 checks. Container image scanning for known CVEs.
Incident Response
Documented IR plan with defined roles and escalation paths. Target: acknowledge within 1 hour, resolve critical within 4 hours.
SOC 2 Compliance Roadmap
We're pursuing SOC 2 certification to meet the requirements of enterprise customers. Here's our timeline.
Foundation
In Progress- Document all security policies and procedures
- Implement comprehensive audit logging
- Establish incident response playbooks
- Deploy automated vulnerability scanning
SOC 2 Type I
Planned- Engage CPA firm for SOC 2 readiness assessment
- Implement access review procedures
- Formalize change management process
- Complete vendor risk assessments
- SOC 2 Type I audit — point-in-time assessment
SOC 2 Type II
Planned- Monitoring period begins (3-6 months)
- Continuous control monitoring implementation
- Automated evidence collection
- SOC 2 Type II audit — sustained effectiveness
Enterprise Ready
Planned- ISO 27001 certification pursuit
- HIPAA compliance for healthcare workloads
- FedRAMP readiness for government customers
- Dedicated single-tenant infrastructure option
Report a Security Issue
Found a vulnerability? We want to hear from you. We take all reports seriously and aim to respond within 24 hours.