Security & Trust

Yours stays yours.
Audited, encrypted, exportable.

How BookSlash protects the slugs, boards, and notes your team trusts to it.

Compliance

Compliance built in, transparency by default.

Where we’re audited we say so. Where we’re aligned we say so. Roadmap items, sub-processor list, DPA, and the latest pentest summary are available on request.

SOC 2

SOC 2 Type II

On our roadmap. Auditor selection is the next milestone; status updates available on request to security@bookslash.app.

GDPR

GDPR-aligned

Full data export and account deletion from Settings → Account. Tamper-evident audit log of every state change. Sub-processors disclosed at /legal/subprocessors. DPA on request to security@bookslash.app.

CCPA

CCPA-aligned

Honors Global Privacy Control — both the Sec-GPC HTTP header and the navigator.globalPrivacyControl JS API. Self-service access (export) and deletion. We never sell personal information.
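An added example of the two GPC checks this section names (not BookSlash code; the function names are assumed). The GPC specification defines `Sec-GPC: 1` as the only opt-out value for the header, and `navigator.globalPrivacyControl` as a boolean exposed in the browser, so the server-side check must not treat arbitrary truthy values as an opt-out:

```javascript
// Added example, not BookSlash's own code: honoring Global Privacy Control
// from both the Sec-GPC request header and the navigator JS API.
//
// Server side: the spec defines exactly one opt-out value, "Sec-GPC: 1".
// Any other value ("0", "true", absent) is not a signal, so a naive
// truthiness check would mis-handle the request.
function gpcOptOutFromHeaders(headers) {
  // HTTP header names are case-insensitive; normalise before comparing.
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side (runs in the browser): navigator.globalPrivacyControl is a
// boolean when the browser exposes the signal and undefined otherwise.
function gpcOptOutFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Gate for any "sale or share" data flow: a signal on either channel
// means the request must be treated as an opt-out.
function maySharePersonalData(headers, nav) {
  return !(gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav));
}

// Constructed sample inputs for a stand-alone run.
const optedOut = { "Sec-GPC": "1", "user-agent": "example-browser" };
const notOptedOut = { "sec-gpc": "0" };
console.log(maySharePersonalData(optedOut, undefined));                        // false
console.log(maySharePersonalData(notOptedOut, { globalPrivacyControl: false })); // true
```

The header check is the one that matters for server-rendered and API traffic; the navigator check only covers flows decided in the browser, so a real deployment needs both.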

PCI

PCI-DSS (SAQ-A)

Paddle is our Merchant of Record and operates the checkout — PAN and CVV never touch BookSlash servers or logs. We sit in the lowest-scope tier (SAQ-A) because Paddle owns the cardholder-data environment.

Need our DPA, pentest summary, or compliance roadmap?

We send these under NDA. Public sub-processor list is at /legal/subprocessors.

Request access

How we ship security

Eight controls protecting every byte.

Encryption everywhere it counts.

TLS 1.3 in transit, AES-256-GCM at rest. Customer-managed keys (BYOK) are on the Enterprise roadmap. Every byte of customer data is encrypted from the moment it leaves your browser until it lands on disk.

  • In transit: TLS 1.3 · HSTS · forward secrecy
  • At rest: AES-256-GCM · provider-managed keys
  • On the roadmap: BYOK via AWS KMS / GCP KMS for Enterprise

Identity

SAML SSO across all major IdPs. SCIM provisioning. Just-in-time user creation.

Access controls

Role-based access (Owner, Admin, Billing Admin, Member, Guest). Per-board overrides. Guest share links.

Audit logs

90-day retention on Pro. 365 days on Enterprise with NDJSON export. Tamper-evident, transactional with the underlying mutation, SIEM-ready exports and signed webhooks.

Data residency

US region today. EU and UK regions on the Enterprise roadmap; reach out via security@bookslash.app if residency is a contract requirement.

Backups

Encrypted backups with point-in-time recovery via our managed Postgres provider.

Vulnerability management

Continuous SAST + dependency scanning in CI. Annual third-party penetration test.

Vendor risk

Sub-processors disclosed publicly. SOC 2 reports on file for every critical vendor.

Responsible disclosure

Found a security issue? Tell us.

Researchers acting in good faith get acknowledgement and fast triage. No gag clauses. Email security@bookslash.app with a proof of concept; we reply within one business day. See our security.txt for our disclosure policy.

Start with one team. Roll out when it sticks.

Your stack. Your shortcuts.
One keystroke for everyone.

2,400+ teams reach every important destination in their stack with a single keystroke. Save the first slug in 30 seconds.

Free for personal use · No credit card · 14-day team trial
