Complementary Information

1. Preamble

This document contains complementary information about Bookalope and its technologies. In no way does it relate to or extend our current Terms and Conditions or Privacy Policy, and it does not create any legal commitments.

This document is subject to change as we continue to develop Bookalope.

2. Standards compliance

2.1 Overview

A number of standards and recommendations exist to control and to establish responsibility for the development, deployment and maintenance of software infrastructures. The most relevant* for Bookalope are ISO 27001, SOC 2 and the General Data Protection Regulation (GDPR) of the European Union.

2.2 Our commitment

Bookalope aligns with the ISO 27001 standard and the SOC 2 recommendations, and it complies with the GDPR. We are committed to continuously invest the utmost care and our expertise into how we design, develop, deploy and maintain our software tools and infrastructure in order to deliver the performance, stability, privacy and security to our customers as outlined in those standards and recommendations.

3. Security

3.1 Authentication

Users may authenticate themselves using an email address and password, where a password must meet certain strength requirements and is stored securely as a hash.

Alternatively, users may authenticate themselves using an authentication provider of their choice, for example Google, Microsoft, or LinkedIn.

Bookalope does not currently support single sign-on (SSO) with other corporate authentication providers.

3.2 Authorization

An authenticated user has exclusive access to their own data only, and has no authorization to access another user’s data.

3.3 Encrypting data in transit

All traffic to Bookalope runs over an SSL-encrypted connection using a 2048-bit RSA public key, and Bookalope accepts traffic only on port 443. In addition, all websites and API endpoints provide HTTP Strict Transport Security (HSTS) headers, to ensure connections are made with SSL.
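A small check for the HSTS policy described above, added here as an example and not part of Bookalope's own code: it parses a Strict-Transport-Security header value (RFC 6797) and flags a missing, malformed, disabled or short-lived policy. The response headers are constructed, and the one-year minimum max-age is an assumed threshold.

```python
# Constructed sample response headers (not captured from Bookalope).
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

# Assumed threshold: one year in seconds (365 * 86400).
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and max-age is mandatory (RFC 6797).
    Returns None if the value is malformed.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def check_hsts(headers, min_max_age=MIN_MAX_AGE):
    """Return (ok, reason) for a mapping of response headers."""
    # Header names are case-insensitive, so match them case-folded.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "malformed Strict-Transport-Security header"
    if parsed["max_age"] == 0:
        return False, "max-age=0 clears the policy and disables HSTS"
    if parsed["max_age"] < min_max_age:
        return False, "max-age %d is below %d" % (parsed["max_age"], min_max_age)
    return True, "HSTS present with max-age=%d" % parsed["max_age"]
```

Note that a browser only enforces HSTS after it has seen the header once over HTTPS; the very first plain-HTTP request is protected only if the domain is on the browser preload list.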

Encryption keys and certificates are created using the Let’s Encrypt service.

3.4 Encrypting data at rest

Bookalope persists all data in a relational database with table encryption enabled.

3.5 Payments

Bookalope neither transmits nor stores credit card and other payment information.

We use Stripe, a PCI Level 1 compliant payment processor, to handle all credit card and other payment transactions, and all credit card and payment information is exchanged directly between the user’s machine and Stripe. All traffic between the user and Stripe is encrypted in transit.

4. Privacy

4.1 Data segregation

Authenticated users have no authorization to access the information and data of another user (see also section 3.2), and each user’s data is segregated from that of other users using unique identifiers for each data object stored in a relational database.

4.2 Data retention after profile deletion

Authenticated users may delete their own profile at any time, which purges and physically removes all data associated with the user’s profile. Deleted data remains in a rotating backup log for a certain amount of time until that log is deleted, too.

4.3 Personally identifiable information

A user is required to provide an email address when creating a new profile with Bookalope. That email address is the only personally identifiable information (PII) a user is required to provide. If a user chooses to create a new profile using an authentication provider (see section 3.1), then only the user’s email address is requested from that provider. A user’s name is optional. No other PII is asked of a user.

5. Cloud platform

5.1 Hosting

All of Bookalope’s services are self-hosted on dedicated Linux servers provided by Strato, an ISO 27001 certified and highly secured data center.

5.2 Monitoring and logging

Bookalope continuously monitors network traffic at its ports and deploys standard virus checkers and intrusion detection tools.

For the purpose of monitoring and debugging after an incident, Bookalope retains log information of all user activities. Stored log information rotates daily, and is deleted after seven (7) days.

5.3 Incident notification

Bookalope monitors uptime and site availability. Key employees receive automatic email and instant-message notifications in the case of downtime or emergencies.

In the event that a security breach is detected, we have established procedures for a decisive response, including turning off access to the web application, invalidating tokens and resetting passwords, and rotating certificates. If our platform is maliciously attacked, we will communicate this information to all our customers as quickly and openly as possible, individually or in bulk, using the users’ registered email addresses.

5.4 Vulnerability disclosure

We invite anyone to notify us of issues they might find in our application. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours. Please use our Contact us page to notify us.

Critical vulnerabilities impacting users are communicated as per section 5.3.

6. Engineering practices

6.1 Organization

We require all employees to use strong and unique passwords for their Bookalope accounts, and to set up two-factor authentication with each device and service where available.

Access to application administrative functionality is restricted to trusted and qualified Bookalope staff only.

6.2 Best practices

Our small engineering team consists of highly skilled, trained and experienced professionals.

Code, infrastructure and deployment reviews are common practice, and a suite of software QA tools is continuously used to automatically vet the code that is checked into our repositories. Every code change is uniquely versioned and tamper-proof. Third-party package dependencies are continuously checked to ensure a safe and secure software supply chain that underlies all our services (see also SLSA).

6.3 Releases

Bookalope does not have a regular release schedule. Instead, Bookalope releases a new version as soon as a critical issue is fixed, or whenever a set of new features is considered stable.

Bookalope’s current version number can be found at the bottom of the web application page.

6.4 Dogfooding

At Bookalope we use our own software (dogfooding).

7. Client software requirements

All current major browsers (for example Chrome, Firefox, Edge, Opera) are supported on most platforms (for example on Windows, Mac, Linux, Android, iOS) to use Bookalope’s web interface.

Bookalope’s REST API (documentation) can be used by any HTTP client that is able to use SSL and send and receive JSON.

8. Insurance

Bookalope does not currently carry cyber insurance.

This Complementary Information document was last updated on 13 December 2025.


* Further standards and regulations are ISO 27701; the National Institute of Standards and Technology (NIST) provides Privacy Guidelines and a Cyber Security Framework; the Essential Eight by the Australian Cyber Security Centre and the Cyber Essentials by the National Cyber Security Centre of the UK; and more. With respect to artificial intelligence in particular, there are ISO 42001, the AI Act by the European Union, and NIST’s AI Risk Management Framework. Perhaps less relevant for Bookalope, but nonetheless related, are the California Privacy Rights Act and the California Consumer Privacy Act; the Security Guidelines by the Cloud Security Alliance; and the US Federal Cybersecurity Maturity Model Certification Program.