BoatTech.Ai

Trust

Trust, by design.

BoatTech handles member data for real boat clubs. Here's where our security posture is, what's next, and what we'll commit to contractually.

Overview

Honesty over polish.

We are a young company. We treat security the way a serious platform is expected to — but we also tell you what's in progress, what's not yet signed, and what we will put on a contract.

Infrastructure

Where your data lives.

  • Hosted on Railway, running on Google Cloud Platform (us-east and us-central regions for redundancy).
  • Tenant isolation at the database level; per-customer keys for sensitive fields.
  • AES-256 encryption at rest across all databases and backups.
  • TLS 1.3 in transit; HSTS preload on all public surfaces.
  • Daily encrypted backups with 30-day retention; point-in-time recovery.
  • Secrets in a hardware-backed secret store; no credentials in code.

Access controls

Who can see what, and when.

  • Role-based access at the tenant, dock, and tool level.
  • SSO for Growth and Enterprise via Google Workspace.
  • SAML SSO on Enterprise for custom IdPs.
  • Admin 2FA required on all BoatTech-operated accounts.
  • Audit log for every sensitive action; exportable on request.
  • Least-privilege internal access with quarterly review.

Compliance

SOC 2 — in progress, not claimed.

SOC 2 Type I — in progress.Target Q3 2026. We're implementing the controls framework with Drata. Type II observation period begins thereafter. We will not claim a certification we do not have; the report will be available under NDA on completion.

HIPAA: not applicable. We do not process protected health information.

PCI-DSS: we do not store card data. Stripe tokenizes all payment information; our systems hold tokens and metadata only.

Privacy

CCPA and GDPR-aligned, DPA on request.

Our Data Processing Addendum is aligned with CCPA and GDPR obligations. A copy is available for legal review — see the DPA page or contact [email protected] to begin a review.

Data handling

Your data stays yours.

  • Customer data is never used to train foundation models.
  • No customer PII is logged in third-party provider dashboards.
  • Model inputs and outputs are retained only as long as operationally necessary.
  • 30-day deletion on termination; full data export on request.
  • Per-tenant encryption keys for sensitive fields.

SLA

99.9% target, status page reserved.

Our production target is 99.9% monthly uptime for customer-facing surfaces. An incident history page is reserved at status.boattech.ai and will go live publicly alongside a notable SLA-bearing deployment. Enterprise tier includes a contractual SLA with credit mechanics.

Responsible disclosure

Bug bounty.

We welcome coordinated disclosure. Report security issues to [email protected]. We commit to a 90-day disclosure window and to crediting researchers who report in good faith.

Subprocessors

A current list of subprocessors is maintained at /security/subprocessors. We notify Enterprise customers of changes in writing before they take effect.

Due-diligence questions? Send them.

Book a demoTalk to our team