Infrastructure
Bokko's primary application infrastructure and database run on Google Firebase / Google Cloud Platform (GCP) in the europe-west1 (Belgium) region — primary data storage and backend processing take place within the EU.
- Database: Google Cloud Firestore — with native data durability and platform-level replication
- Backend: Firebase Cloud Functions — serverless, isolated execution environment
- Hosting: Firebase Hosting — Google-managed SSL certificate, HTTP not permitted
- Authentication: Firebase Authentication — Bokko never sees or stores passwords in plaintext
Access & encryption
Encryption
- All data travels over HTTPS/TLS protected channels; transport security parameters are managed by the Google/Firebase infrastructure layer
- Data at rest is protected with AES-256 encryption (Google platform-level control)
Access control
- Default deny: access is only permitted with explicit authorisation — anything not allowed by the rules is denied
- Data isolation: each provider can only access their own data; access to other subscribers' data is technically impossible
- Critical operations: billing and subscription status changes cannot be performed from the client — only via backend components
- Admin access: Firebase Console protected with MFA; access to the production infrastructure is restricted and minimised
- Secrets: API keys and webhook secrets are stored in Google Cloud Secret Manager; they never appear in code
Monitoring
Critical and security-relevant events are logged and monitored. When an incident is detected, we follow our internal incident response procedure.
Backups & recovery
Several recovery and backup controls are active on Bokko's Firestore database:
- Point-in-time recovery (PITR): 7-day recovery window — in case of accidental deletion or a faulty write, any prior data state within the window can be restored
- Daily backup: automatic, retained for 14 days
- Weekly backup: automatic (every Monday), retained for 84 days
Backend components can be redeployed from version-controlled source.
Data handling & retention
Bokko applies a retention policy and removes expired data through an automated, scheduled process:
- Closed bookings: deleted after 24 months
- Inactive guest profiles: deleted after 24 months of inactivity
- Billing records: retained in accordance with applicable accounting legislation
Details: Retention & deletion policy
Payment security
Bokko does not handle or store payment card data. Payments are processed via Stripe Hosted Checkout — card data is processed exclusively within Stripe's infrastructure. Stripe is a PCI DSS Level 1 certified provider.
Bokko only receives transaction status and billing metadata, via a webhook channel with signature verification and replay protection.
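As an added illustration (not Bokko's code), the sketch below shows what signature verification and replay protection on a Stripe webhook involve. It assumes Stripe's documented `Stripe-Signature` header format (`t=<timestamp>,v1=<HMAC-SHA256 hex>`). The function names, the 300-second tolerance, the in-memory duplicate store and the sample values are hypothetical.

```javascript
// Added example, not Bokko's code: Stripe-style webhook signature check with replay guards.
const { createHmac, timingSafeEqual } = require("node:crypto");

const TOLERANCE_SECONDS = 300;  // assumption: 5-minute freshness window
const seenEventIds = new Set(); // assumption: in-memory; production needs a durable store
// Constructed sample values, not real Stripe data.
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = JSON.stringify({ id: "evt_constructed_1", type: "invoice.paid" });

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function sign(secret, timestamp, rawBody) {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// Returns { ok: true, event } or { ok: false, reason }.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
  // Header format: t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>...]
  let timestamp = null;
  const candidates = [];
  for (const part of String(header || "").split(",")) {
    const [key, value] = part.trim().split("=", 2);
    if (key === "t") timestamp = value;
    if (key === "v1" && value) candidates.push(value);
  }
  if (!/^\d+$/.test(timestamp || "") || candidates.length === 0) {
    return { ok: false, reason: "malformed-header" };
  }
  // Authenticate first: the HMAC covers the timestamp and the exact raw body.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const authentic = candidates.some((sig) => {
    const given = Buffer.from(sig, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
  if (!authentic) return { ok: false, reason: "bad-signature" };
  // Replay guard 1: reject timestamps outside the freshness window.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  // Replay guard 2: process each event id only once.
  const event = JSON.parse(rawBody);
  if (seenEventIds.has(event.id)) return { ok: false, reason: "duplicate-event" };
  seenEventIds.add(event.id);
  return { ok: true, event };
}
```

The check must run over the unparsed request body, because re-serialised JSON will not reproduce the signed bytes.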
GDPR & data protection
Bokko's data handling and processing practices have been designed with GDPR requirements in mind.
- Privacy policy: detailed description of purposes, legal bases and data subject rights
- Data processing agreement (DPA): GDPR Art. 28 data processing agreement for all active subscribers
- Data subject rights (DSAR): access, erasure, rectification and portability requests handled via support@bokko.app, within 1 month
- Incident response: in the event of a data breach, we act in accordance with applicable GDPR obligations, including supervisory authority notification where required
- Sub-processors: the full list and applicable data transfer safeguards are publicly available
Documents: Privacy policy · DPA annex · Sub-processors
Third-party providers
Bokko uses the following infrastructure and communications providers. Details of data transfer safeguards and compliance frameworks for each provider are available in the sub-processor register.
| Provider | Role | Compliance framework |
|---|---|---|
| Google Firebase / GCP | Infrastructure, database, authentication, hosting | ISO 27001, SOC 2 Type II, DPF, SCC |
| Stripe Inc. | Payment processing (Bokko billing) | PCI DSS Level 1, SOC 2 Type II, DPF, SCC |
| Twilio Inc. | SMS notifications | ISO 27001, SOC 2 Type II, DPF, SCC |
| Mailjet (Sinch) | Email notifications | Primarily within the EEA; SCC where applicable |
Contact
- Privacy enquiries and data subject rights (DSAR): support@bokko.app
- Security disclosures: If you discover a vulnerability, please contact us by email before public disclosure so we have the opportunity to fix it — support@bokko.app
- Operator: Mácsik Dávid E.V.