SOC 2 Type II, GDPR, CCPA, IAB Tech Lab compliance, ads.txt and sellers.json transparency, brand-safety enforced at the auction layer, and a security disclosure policy you can actually find. Here's what we run, where the receipts are, and who to email if you find a hole.
Every certification below is current. Reports and letters are released to qualified buyers under MNDA — request via the trust desk and we'll respond inside one business day.
Annual report covering security, availability, and confidentiality. Auditor: Prescient Assurance LLC. Coverage period: Apr 2025 – Mar 2026.
Standard contractual clauses (SCCs), DPA available on request, EU data residency tier offered for Enterprise. Article 28 processor.
"Service provider" classification. We never "sell" personal information as defined by §1798.140. Opt-out signal honored end-to-end.
OpenRTB 2.6, Native 1.2, VAST 4.2, ads.txt, sellers.json, ads.cert 2.0, and TCF 2.2 conformance. TAG-ID certification in progress.
Card payments tokenized via Stripe. We never touch PAN data. Eligible for SAQ-A, the lightest PCI scope.
Stage 1 audit complete. Stage 2 (certification) scheduled for Q3 2026 with BSI. ISMS scope covers all production systems.
For health-tech publishers. We sign BAAs and run an isolated PHI-aware tier with encryption-at-rest keys held in customer KMS.
Every BBX bid request is cryptographically signed. DSPs can verify supply-chain integrity without trusting the network path.
Standard OpenRTB bcat (blocked IAB categories) and badv (blocked advertiser domains) filters run inside the eligibility loop, before Benna ever scores a bid. If your block list disqualifies every campaign, you get a clean 204 No Content — never a "best effort" placement.
Filters applied in the eligibility loop: bcat (per request), badv (per request and per always-on publisher allowlist), and safety_score. Example bid request:

```jsonc
{
  "id": "bid_req_42a",
  "imp": [{ "id": "1", /* ... */ }],
  "site": { "domain": "cursor.com" },
  // ── enforced inside BBX before scoring ──
  "bcat": [
    "IAB7-39", // health/pharma
    "IAB8-18", // alcohol
    "IAB11-4"  // politics
  ],
  "badv": [
    "competitor-a.com",
    "competitor-b.com"
  ],
  "wseat": ["boostboss"],
  "regs": { "ext": { "gdpr": 1 } }
}
```
No-bid is a feature. If every eligible campaign is filtered out by brand safety, the adapter returns HTTP 204 with no body. We never silently relax constraints to fill an impression — that's how brand-safety incidents happen on legacy networks.
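As an added example (not Boost Boss's own code), here is a Python sketch of that eligibility loop: bcat and badv from the request, plus an assumed always-on publisher-level badv list, are applied before anything is ranked, and an empty pool maps to HTTP 204 with no body. The campaign records are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Campaign:
    id: str
    adomain: frozenset  # advertiser domains (OpenRTB bid.adomain)
    cat: frozenset      # IAB content categories of the creative

# Constructed sample campaigns (hypothetical advertisers).
CAMPAIGNS = [
    Campaign("c1", frozenset({"acme-tools.example"}), frozenset({"IAB19-6"})),
    Campaign("c2", frozenset({"competitor-a.com"}), frozenset({"IAB19-6"})),
    Campaign("c3", frozenset({"brew.example"}), frozenset({"IAB8-18"})),
]

def _domain_blocked(adomain, badv):
    # A badv entry blocks the exact domain and any subdomain of it.
    return any(d == b or d.endswith("." + b) for d in adomain for b in badv)

def _cat_blocked(cat, bcat):
    # A blocked parent category ("IAB7") also blocks its children ("IAB7-39").
    return any(c == b or c.startswith(b + "-") for c in cat for b in bcat)

def eligible(req, campaigns, publisher_badv=frozenset()):
    """Campaigns allowed into scoring: block lists run first, nothing is scored yet."""
    bcat = set(req.get("bcat", []))
    badv = set(req.get("badv", [])) | set(publisher_badv)  # assumed always-on publisher list
    return [c for c in campaigns
            if not _cat_blocked(c.cat, bcat) and not _domain_blocked(c.adomain, badv)]

def respond(req, campaigns, publisher_badv=frozenset()):
    """Return (http_status, body). An empty pool is 204 with no body, never a relaxed fill."""
    pool = eligible(req, campaigns, publisher_badv)
    if not pool:
        return 204, None
    # Ranking (Benna) would run here, only over the filtered pool.
    bids = [{"impid": req["imp"][0]["id"], "adomain": sorted(c.adomain)} for c in pool]
    return 200, {"id": req["id"], "seatbid": [{"seat": "boostboss", "bid": bids}]}
```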
If you can't trace inventory back to a publisher with a name and a domain, you don't have supply-chain integrity. Our IAB sellers.json is live, our publisher-side ads.txt template is documented, and every BBX bid request carries the standard schain object with complete=1.
| Artifact | What it is | Live URL |
|---|---|---|
| sellers.json | IAB Tech Lab declaration of every seller_id in our supply chain. DSPs fetch this to verify who they're buying from before bidding. | /sellers.json |
| ads.txt | Boost Boss's own ads.txt declaring the resellers authorized to monetize boostboss.ai inventory. Standard IAB format. | /ads.txt |
| app-ads.txt | Same declaration scoped for native AI apps that resolve via app store metadata rather than DNS. | /app-ads.txt |
| Publisher template | The two lines every Boost Boss publisher should add to their own ads.txt at their domain root. | /publisher-ads-txt.txt |
| schain object | OpenRTB SupplyChain object attached to every outbound bid request from BBX. complete=1, single-node default, multi-node for resold inventory. | Embedded in every BidRequest |
| ads.cert 2.0 | Every bid request is signed with our private key. Verify against the IAB Tech Lab key registry. | Public key: /ads-cert-public-key.pem |
If your AI app monetizes through Boost Boss, mirror these two lines at the root of your domain (e.g. cursor.com/ads.txt). DSPs scan ads.txt before every bid — without this declaration, your inventory may be downgraded or blocked.
```text
# Boost Boss — authorized seller declaration
boostboss.ai, boostboss-primary, DIRECT, c5e8a91f3e0d2b67
exchange.boostboss.ai, bbx-exchange, RESELLER, c5e8a91f3e0d2b67
# Optional contact line (recommended)
CONTACT=sellers@boostboss.ai
SUBDOMAIN=exchange.boostboss.ai
```
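As an added example (not Boost Boss's or IAB Tech Lab's code), this Python parser reads a publisher's ads.txt in the IAB format (comment lines, KEY=VALUE variables, and domain/seller/relationship/cert records) and reports which of the two declaration lines above are missing, the kind of check a DSP runs before it bids. The publisher file and its domain are constructed.

```python
REQUIRED = {
    ("boostboss.ai", "boostboss-primary", "DIRECT", "c5e8a91f3e0d2b67"),
    ("exchange.boostboss.ai", "bbx-exchange", "RESELLER", "c5e8a91f3e0d2b67"),
}

def parse_ads_txt(text):
    """Return (records, variables) from IAB ads.txt text.
    records: (domain, seller_id, relationship, cert_authority_id) tuples;
    variables: KEY=VALUE lines such as CONTACT. Comments (#) and blanks are skipped."""
    records, variables = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and "," not in line:       # variable line
            key, _, value = line.partition("=")
            variables[key.strip().upper()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                               # malformed record, ignored
        domain, seller, rel = fields[0].lower(), fields[1], fields[2].upper()
        if rel not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 else ""
        records.append((domain, seller, rel, cert))
    return records, variables

def missing_declarations(text, required=REQUIRED):
    """Required Boost Boss records absent from a publisher's ads.txt (empty set = OK)."""
    return set(required) - set(parse_ads_txt(text)[0])

# Constructed publisher file: the DIRECT line is present, the RESELLER line is missing.
SAMPLE_ADS_TXT = """\
# ads.txt at publisher.example/ads.txt (constructed)
othernetwork.example, pub-0001, DIRECT
boostboss.ai, boostboss-primary, DIRECT, c5e8a91f3e0d2b67
CONTACT=adops@publisher.example
"""
```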
Boost Boss is built on MCP signals, not cookies. We don't fingerprint, we don't follow users across sites, and we don't keep raw text. Here's the full inventory.
| Field | Purpose | Retention | PII? |
|---|---|---|---|
| Anonymous session ID | Auction de-duplication and frequency capping within a session. | 24 hours | No |
| Intent token | Vocabulary-matched signal for ranking. Raw text discarded after match. | 30 days (aggregated) | No |
| MCP tool name | Top-of-funnel ranking signal. Tool name only — no arguments, no payloads. | 30 days (aggregated) | No |
| Host app domain | Persona proxy + publisher reporting. | 2 years | No |
| Coarse region | Region-level targeting (us-west, eu-central, apac). | 30 days | No |
| Session length bucket | <10m / 10–30m / >30m. Used in ranker. | 30 days | No |
| Auction logs | Bid request / response / win-loss. Kept for reconciliation, billing, and incident response. | 13 months | No |
| Advertiser account data | Email, name, billing address. Not used for ranking — only for the dashboard. | Account lifetime + 7 years (tax) | Yes |
What we never collect. No IP addresses past initial routing, no third-party cookie syncs, no device fingerprints, no MAID, no IDFA, no email hashes, no LiveRamp / UID2.0 / RampID, and no raw prompt text. The Benna whitepaper documents the full signal model — see benna-whitepaper.pdf §5.2.
We use a small number of vendors for hosting, observability, and billing. Every sub-processor signs a DPA and is subject to the same audit cadence as our internal systems. Material changes are announced 30 days in advance via subprocessors@boostboss.ai.
| Vendor | Service | Data category | Region |
|---|---|---|---|
| Vercel | Edge runtime & CDN | Anonymous request metadata | Global (multi-region) |
| Supabase | Postgres & auth | Account & campaign data | US-East / EU-West |
| Cloudflare | DDoS & WAF | Edge request headers | Global |
| Stripe | Payments | Billing & tax data | US |
| Datadog | Observability & APM | Service telemetry (no PII) | US |
| Anthropic | Creative review LLM | Ad copy text only | US |
| AWS S3 | Long-term log archive | Aggregated auction logs | us-east-1 (KMS-encrypted) |
Encryption everywhere, least-privilege everywhere, audit logs on every privileged action, and a paid bug bounty for anyone who can prove us wrong.
If you've found a security issue — auction manipulation, cross-tenant data leak, RCE in a worker, anything — we want to hear from you, and we pay.
PGP key, scope, safe-harbor terms, and submission form live at security@boostboss.ai and in our /.well-known/security.txt per RFC 9116.
```text
Contact: mailto:security@boostboss.ai
Expires: 2027-04-16T00:00:00.000Z
Encryption: https://boostboss.ai/pgp-key.txt
Acknowledgments: https://boostboss.ai/trust#hall-of-fame
Preferred-Languages: en
Canonical: https://boostboss.ai/.well-known/security.txt
Policy: https://boostboss.ai/trust#disclosure
```
Reports and signed agreements are released under MNDA. Send the request, we'll respond inside one business day with a DocSend or signed PDF.
| Document | Access |
|---|---|
| Full Prescient Assurance report covering the 12-month observation window. | View attestation |
| GDPR-compliant DPA with SCCs, Annex II tech & org measures, and EU rep contact. | View DPA |
| Business Associate Agreement for health-tech publishers. Includes PHI-aware tier addendum. | Request |
| Latest external pentest letter — scope, methodology, findings, remediation status. | Request |
| $10M cyber liability + $5M E&O coverage. COI issued to your account from our broker. | Request |
| Full architecture, training protocol, and A/B evaluation. No NDA required. | Download |

Outages, security incidents, and material privacy events all run through the same well-rehearsed playbook. Customers see status, remediation, and a public post-mortem — not silence.
| Sev | Definition | Customer comms |
|---|---|---|
| SEV-1 | Production outage or active security incident | Status page within 5 min · status@ |
| SEV-2 | Partial degradation or data integrity risk | Status page within 15 min |
| SEV-3 | Single-customer issue or non-critical bug | Direct ticket follow-up |
| SEV-4 | Cosmetic / observability gap | Tracked, no comms |
If we discover or are notified of a personal-data breach affecting your data:
Live status: status.boostboss.ai · Subscribe via RSS, Slack, or email.
We answer in plain English and inside one business day. No vendor questionnaire is too long, no security review is too detailed, no DPA addendum is off the table.