Security

Your sales data, protected at bank level

Your bol.com revenue, inventory, and customer data are sensitive business information. On this page, you'll read exactly how Boloo protects them — no marketing talk, just the actual technical measures you can verify.

Phishing-resistant authentication

Passkeys (FIDO2), two-factor authentication, and Google SSO — the most modern methods to log in without a password that can be stolen

Encryption at all levels

AES-256 for stored data, TLS 1.2+ for data traffic, and industry-standard hashing for passwords and 2FA secrets

Hosting in Germany

ISO 27001 certified data centers within the EU — 24/7 monitoring and strict access control

Authentication done right

The weakest link in most online accounts is the password. That's why we've built in three more modern alternatives — you choose which one you use.

Passkeys (FIDO2 / WebAuthn)

Log in with your fingerprint, face, or a hardware key like a YubiKey. A passkey is cryptographically bound to boloo.co — even a perfectly crafted phishing page can't phish it. Since 2024, passkeys have been the industry standard recommended by Apple, Google, and Microsoft.

Two-factor authentication (2FA)

In addition to your password, we ask for a 6-digit code from your authenticator app (1Password, Google Authenticator, Authy). Works offline, is independent of SMS (which can be bypassed via SIM-swap attacks), and the secret key is stored encrypted on our servers.

Google SSO

Use your existing Google account to log in — Google handles the identity verification. You can also activate 2FA on top of Google for an extra layer.

Login security at API level

Our login endpoints are actively rate-limited against brute-force attacks, and behave identically for existing and non-existing accounts — an attacker can't infer from response times whether an email address is known to us.

Encryption of data, at every level

Encryption is only valuable if it's applied consistently everywhere. That's why we cover every layer:

At rest — AES-256

Files in our storage are encrypted with AES-256, the same algorithm used by the US government for top-secret documents.

In transit — TLS 1.2+

All traffic between your browser and our servers runs over HTTPS with modern cipher suites. No outdated TLS 1.0/1.1 support, no unencrypted fallbacks.

Passwords are stored unreadable

Passwords are never stored in plain text. We use an industry-standard hash pipeline that's intentionally slow, making brute-force attacks on stolen hashes infeasible. Even our own engineers can't read your password.

2FA secrets encrypted at rest

The secret key used by your authenticator app is stored encrypted in our database with a validated combination of symmetric encryption and authentication. A database dump won't yield working 2FA codes.

Recovery codes visible only once

The 10 recovery codes you receive when activating 2FA are encrypted and stored immediately after display. We only see the codes once — then only the encrypted version.

Infrastructure you can trust

We don't build our own data centers. We use the best ones — and make sure our configuration doesn't compromise their security profile.

Hosting within the European Union

Our servers run in data centers in Germany. This keeps your sales data under European law — including the GDPR, the German BDSG, and the strict requirements the EU sets for data processing. Not under the US Cloud Act or similar laws.

ISO 27001 certified

Our hosting partner is certified according to ISO 27001 (information security), ISO 27017 (cloud-specific controls), and ISO 27018 (protection of personal data). Independent auditors verify these certifications annually.

Strict access control

Only a limited group of verified team members has access to production systems, and only when necessary for support or maintenance. No shared accounts, no password spreadsheets.

24/7 fault monitoring

An industry-standard monitoring platform watches every request and every background task. A deviation, error, or suspicious pattern triggers an alert within seconds — we often see problems before you experience them.

Privacy and compliance

Security isn't just about keeping hackers out. It's also about what we do and don't do with your data. The full details are in our privacy statement.

GDPR compliant

Fully compliant with the General Data Protection Regulation. You have the right to access, rectification, erasure, restriction, and data portability — arranged in our processes and detailed in our privacy statement.

Data is yours

We never sell your data to third parties for advertising, profiling, or any other purpose. Your sales data is only used to provide the Boloo functionality.

Minimal data processing

We only store what we need to help you sell successfully on bol.com. No hidden tracking, no unsolicited profiling.

Deletion on request

Want to cancel your account? Your data will be permanently deleted within the legal retention periods — not "archived" or "anonymized" with a re-identifiable ID.

Frequently Asked Questions