Trust
Security at BOSmode
BOSmode operates real money-moving call centers. Customer trust is a core requirement, not a checkbox. Our posture is built around the principle of least privilege, defense in depth, and fail-closed defaults across every layer of the platform.
Encryption
All traffic between clients and the platform is encrypted in transit using TLS 1.2 or higher. Stored data — including database contents, call recordings, and backups — is encrypted at rest using AES-256.
Tenant isolation
Every workspace is isolated at the database row level using Supabase Row-Level Security policies. Reseller sub-tenants inherit the same enforcement boundary, so an agency’s clients can never see each other’s leads, calls, or configuration.
Access control
Role-based access control governs every action — owner, admin, manager, operator, and viewer roles map to specific capabilities. Platform-operator privileges are gated separately and audited. Authentication is managed through Supabase Auth with support for email magic links and OAuth providers.
Infrastructure
Application code runs on Vercel. Data and authentication run on Supabase. Voice infrastructure runs on hardened SIP trunks with carrier-side fraud detection. Secrets are stored in managed secret stores and never committed to source control.
Compliance roadmap
SOC 2 Type II is in progress. We follow the AICPA Trust Services Criteria as our internal control framework today and are actively building toward third-party attestation. GDPR and CCPA data-rights workflows are supported on request.
Reporting a vulnerability
Responsible disclosure is welcomed. Email hello@bosmode.app with details and a proof of concept. We acknowledge reports within two business days.