Security

Security and Data Protection at Boafo Agent

Boafo Agent is operated by DefendVista Ltd, a UK cybersecurity consultancy (company number 17064284, ICO registration ZC101247). Your AI Employee handles real customer conversations, so we treat that data the way a security-led B2B SaaS should: tenant isolation, encryption in transit and at rest, documented sub-processors, and a clear path to export or delete data on demand.

Live in production with real customers. Trained on your business before launch.

What's getting in the way today

  • Customer conversations are sensitive; vendors must not mix them across tenants.
  • EU and UK buyers need data hosted in the right region.
  • GDPR and the UK Data Protection Act require export and deletion on request.
  • AI vendors that train on your prompts by default are a leak risk.
  • Procurement teams need a clear, auditable security posture, not vague claims.

How Boafo Agent secures your AI Employee data

Who we are: Boafo Agent is operated by DefendVista Ltd, a UK cybersecurity consultancy registered at 124 City Road, London, EC1V 2NX (company number 17064284). Our team's day job is defensive security, which shapes how the product is built.

Every customer is a separate tenant. Conversations, leads, calendar bookings and admin data are isolated using row-level security in the database, so no tenant can ever read another tenant's data, even through the API.

Hosting: application data is stored in a managed Postgres database in the European Union with encryption at rest and TLS 1.2+ in transit; edge routing runs on Cloudflare with primary UK and EU points of presence. Secrets and API keys are stored in a managed vault, never in code.

We do not train shared AI models on your customer conversations. Your data powers your AI Employee, not anybody else's.

Export and deletion are first-class operations. You can pull every conversation and lead as JSON or CSV from the admin console, and request full deletion at any time with confirmation.

Data Processing Agreement: a DPA aligned with UK GDPR Article 28 and the EU SCCs is available on request for all business customers before go-live. Our current sub-processor list and the transfer safeguards for each are published in the Privacy Notice.

Breach notification: we commit to notifying affected customers without undue delay and, where required, within 72 hours of becoming aware of a personal data breach, in line with UK GDPR Article 33 obligations.

Example conversation

Procurement:Where is our data hosted and how is it isolated?
AI:EU and UK data is hosted in EU regions. Tenants are isolated at the database level with row-level security, so no other tenant can read your data, even via the API.
Procurement:Do you train shared models on our conversations?
AI:No. Your data powers your AI Employee only. We do not train shared models on your customer conversations.

Why teams choose Boafo Agent for this

Tenant isolation via RLS

Row-level security in the database means no cross-tenant data access, ever.

Data residency

Application data stored in a managed European Union region.

Encryption in transit and at rest

TLS 1.2+ in transit and provider-managed encryption at rest on all stored data and backups.

No shared model training

Your conversations are never used to train other tenants' models.

Export and delete on demand

Pull all your data as JSON or CSV; request full deletion at any time.

Managed secrets

API keys and credentials live in a managed vault, never checked into code.

DPA on request

A UK GDPR Article 28 Data Processing Agreement is available for business customers on request.

Operated by a UK cybersecurity consultancy

DefendVista Ltd, company number 17064284, registered in England.

Where the ROI shows up

Tenant isolation
RLS
row-level security in the database
Data residency
EU / UK
for EU and UK tenants
Export and delete
On demand
from the admin console

Security is not a paid add-on. Every tenant on Boafo Agent gets the same isolation, encryption and data-residency posture, including on the entry plan.

Live in production

AddressCore and other Boafo customers run in production today under the same tenant isolation and data-residency model described on this page.

Read customer stories →

Frequently asked questions

Is Boafo Agent aligned with UK GDPR and the Data Protection Act?

Yes. Boafo Agent is operated by DefendVista Ltd. Tenant isolation is enforced at the database level, sub-processors are documented in the Privacy Notice with transfer safeguards, and export and deletion are available on demand. A DPA is available on request.

Where is data hosted?

Application data sits in a managed Postgres database in the European Union with edge routing via Cloudflare. Other regions may be available on request for higher-tier plans.

Do you train shared AI models on our data?

No. Your customer conversations are used to power your AI Employee only. They are never used to train shared or third-party models.

How is data isolated between tenants?

Every row in the database is tagged with a tenant ID and enforced by row-level security policies. No tenant can read another tenant's data via the app or the API.

How do we export or delete our data?

Export is a one-click action from the admin console (JSON or CSV). Deletion is requested from the admin console and confirmed in writing.

Do you support DPAs?

Yes. DefendVista Ltd signs a Data Processing Agreement aligned with UK GDPR Article 28 before you go live on paid plans.

Do you have SOC 2 or ISO 27001?

Formal certification is on the roadmap. We follow the controls and document them in our security posture; talk to us if you need the full questionnaire.

What about sub-processors?

Our current sub-processors are listed in the DPA. Material changes are communicated to customers in advance.

See it work on your own site.

Book a 20-minute demo. We train your agent on your live website before we meet, then show it answering your real customer questions. You leave with a working agent and a quote, or nothing changes.