This document describes the administrative, technical, and physical safeguards FohBoh.ai applies to protect Customer business data (e.g., POS, financial, operational data) and account information. These controls apply to all FohBoh platform components: MGE™, Sentry™, and Cortex™. FohBoh operates as a read-only platform wherever possible and does not modify source system data. We are not a system of record.
01Scope & Purpose
This document describes the administrative, technical, and physical safeguards FohBoh.ai applies to protect Customer business data (e.g., POS, financial, operational data) and account information. These controls apply to all FohBoh platform components: MGE™, Sentry™, and Cortex™.
FohBoh operates as a read-only platform wherever possible and does not modify source system data. We are not a system of record.
02Data Classification
We classify all Customer data as Confidential and apply the highest level of protection, including encryption, access controls, and audit logging.
- Customer Business Data — POS transactions, labor, financials, inventory, menu data.
- Account Data — names, email addresses, company names, hashed passwords.
- System & Usage Data — logs, API calls, feature interactions (anonymized where feasible).
03Encryption
| State | Standard |
|---|---|
| At rest | AES-256 encryption for all databases, backups, and file storage. |
| In transit | TLS 1.2+ (TLS 1.3 preferred) for all data transmitted between Customer systems and FohBoh, as well as internal service communication. |
| Backups | Encrypted at rest with AES-256; stored in a separate logical environment. |
04Access Controls
- Least privilege — Employees and contractors are granted only the minimum access necessary to perform their job functions (e.g., support, engineering, security).
- Multi-factor authentication (MFA) — Required for all access to production systems and administrative interfaces.
- Role-based access control (RBAC) — Customer data is segregated by tenant. No employee can access Customer data without a documented business reason and supervisory approval.
- Just-in-time access — Elevated privileges are granted temporarily (e.g., for incident response) and automatically revoked.
- Revocation — Access is terminated immediately upon role change or departure.
05Network Security
- Firewalls & segmentation — Production environments are isolated from development and corporate networks.
- API security — All API endpoints require authentication (API keys or OAuth2). Rate limiting and request validation are enforced.
- DDoS protection — Industry-standard edge protection (e.g., AWS Shield or Cloudflare) is deployed.
- No direct database exposure — Databases are not publicly accessible; only application servers can connect.
06Audit Logging & Monitoring
The following events are logged, retained for at least 12 months, and monitored for anomalies:
- Successful and failed login attempts
- Access to Customer data (read, export, or delete)
- Changes to access permissions
- Administrative actions
- API authentication failures
07Vendor & Subprocessor Security
All subprocessors (cloud providers, AI model providers, etc.) are contractually required to maintain security standards at least as stringent as those described here. FohBoh conducts periodic reviews of each subprocessor's SOC 2, ISO 27001, or equivalent attestation.
A current list of subprocessors is available at fohboh.ai/subprocessors or upon request to security@fohboh.ai.
08Incident Response
FohBoh maintains a written Incident Response Plan that includes:
- Identification and containment of security incidents
- Eradication and recovery procedures
- Internal and external notification timelines
- Post-incident review and remediation
09Business Continuity & Disaster Recovery
| Metric | Target |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 15 minutes |
- Continuous incremental backups; full backups weekly.
- Backups are stored in a separate geographic region (US-East and US-West).
- Disaster recovery testing is performed at least annually.
10Employee Security Training
- All employees complete annual security awareness training, including phishing simulations.
- Engineers receive additional secure coding training (OWASP Top 10).
- Background checks are performed on all employees before hire, consistent with applicable law.
11Vulnerability Management & Penetration Testing
- Automated vulnerability scanning is performed weekly on all production systems.
- Critical patches are applied within 72 hours; high-severity within 7 days.
- Independent third-party penetration testing is conducted annually (or after major platform changes). Reports are available to Customers under a reasonable NDA.
12Customer Responsibilities
While FohBoh secures the platform, Customers are responsible for:
- Maintaining the security of their own systems (e.g., POS terminals, network, user devices).
- Protecting their FohBoh account credentials and API keys (do not share them).
- Configuring appropriate user permissions within the FohBoh platform.
- Notifying FohBoh immediately of any suspected unauthorized access to their account.
13Compliance & Certifications
FohBoh currently maintains the following security framework:
- SOC 2 Type II — in progress, expected completion by Q3 2026. Upon completion, a copy of the report will be available to Customers under an NDA.
14Reporting a Security Concern
If you discover a potential vulnerability or security incident involving FohBoh:
- Email: security@fohboh.ai
- PGP Key: Request available key at security@fohboh.ai (for encrypted submissions)
We follow a coordinated disclosure process and will not take legal action against good-faith security researchers who comply with our responsible disclosure guidelines (available at fohboh.ai/responsible-disclosure).
Security Inquiries
Privacy & DPA
15Version & Updates
This Security Overview is reviewed at least annually and updated as controls evolve. Material changes will be communicated via email or platform notice.
Current Version: 1.0 — April 6, 2026