Infrastructure
Bold GEO runs on AWS (eu-west-1, Ireland) for the dashboard and API, with Cloudflare in front for CDN and DDoS protection. The daily query pipeline runs on isolated worker pools, with no inbound network exposure. All inter-service traffic is mTLS.
Data at rest & in transit
All customer data is encrypted at rest (AES-256, AWS KMS-managed keys). All traffic to and from boldgeo.co and app.boldgeo.co uses TLS 1.3, with HSTS preload, strict protection against MIME-type sniffing, and a Content Security Policy that blocks third-party script execution from any origin outside an allowlist (analytics, fonts).
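The transport and browser-side controls listed above can be verified from the outside by inspecting response headers. The following is an added example, not Bold GEO's own code: it checks a header set against the stated policy (HSTS with the preload-list minimum age, nosniff, and a script-src allowlist); the allowlist hosts and the sample header values are constructed assumptions.

```python
import re

# Assumed script allowlist standing in for the page's "analytics, fonts" origins.
ALLOWED_SCRIPT_HOSTS = {"'self'", "https://analytics.example.com",
                        "https://fonts.example.com"}
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def check_security_headers(headers):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # HSTS: preload submission needs max-age >= 1 year, includeSubDomains, preload.
    hsts = h.get("strict-transport-security", "").lower()
    directives = [d.strip() for d in hsts.split(";") if d.strip()]
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_PRELOAD_MIN_AGE:
        findings.append("HSTS max-age missing or below preload minimum")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in directives:
        findings.append("HSTS lacks preload")

    # MIME sniffing protection.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # CSP: script-src (falling back to default-src) must be a strict allowlist.
    sources = {}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts:
            sources[parts[0].lower()] = parts[1:]
    script_src = sources.get("script-src", sources.get("default-src"))
    if script_src is None:
        findings.append("CSP has no script-src or default-src directive")
    else:
        for src in script_src:
            if src in ("'unsafe-inline'", "'unsafe-eval'") or "*" in src:
                findings.append(f"CSP script-src permits {src}")
            elif src not in ALLOWED_SCRIPT_HOSTS and not src.startswith(HASH_OR_NONCE):
                findings.append(f"CSP script-src host not on allowlist: {src}")
    return findings


# Constructed sample: a header set that satisfies the policy described above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://analytics.example.com https://fonts.example.com",
}
# Constructed sample: a weaker set that the check should flag on every point.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.example.com",
}
```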
Access controls
Employee access to production data follows least privilege: read-only by default, with write access granted only for specific incident-response work. All admin actions are logged and reviewed weekly. SSO with hardware-key 2FA is required for every employee.
Compliance & certifications
- SOC 2 Type I - in progress, audit window closes Q3 2026
- GDPR - full compliance; we are the data processor for analytics data, data controller for account data; DPA available on request
- CCPA - full compliance
- NZ Privacy Act 2020 - full compliance
Responsible disclosure
If you believe you've found a security issue, please email security@boldgeo.co before any public disclosure. We commit to a first response within 24 hours and to publishing a fix or status update within 5 working days for confirmed issues.
Bug bounty
We pay €100–€5,000 for valid, previously unreported security findings, scaled to severity. Contact security@boldgeo.co for scope and rules of engagement.
Subprocessors
- AWS - infrastructure (eu-west-1)
- Cloudflare - CDN, DDoS, edge cache
- Stripe - billing
- Postmark - transactional email
- Anthropic, OpenAI, Google, Microsoft, Perplexity - AI inference for the daily query pipeline (no customer PII transmitted)