Trust & Security

How we protect your data

Bougain is built on the principle that your people's data belongs to your organisation — not us. Here is exactly how we handle it.

Encryption

Data in transit

All communication between clients and our servers is encrypted using TLS 1.2+.

Data at rest

Sensitive fields are encrypted at the application layer using AES-256-GCM before being stored in the database. This includes raw Slack message content and Slack bot tokens.

Passwords

User passwords are hashed using bcrypt with a work factor of 12 — never stored in plaintext.

Database

The database connection enforces TLS. The database itself is hosted on Neon.tech, which encrypts all data at rest at the infrastructure layer.

Data Residency

All data is stored and processed in the United States (AWS us-east-1) via Neon.tech. The API server runs on Railway, also in the US. The frontend is served globally via Vercel's CDN — no customer data is cached at the edge.

Enterprise customers with specific data residency requirements (EU, APAC) should contact us to discuss options.

Data Retention

Raw Slack messages

Retained for a configurable period (default 90 days), after which the raw text is permanently deleted. Org admins can adjust this between 30 and 365 days from the Admin dashboard.

AI-generated summaries

Retained for the lifetime of the account. This is the core product value — the growth record your employees build over time.

Growth event metadata

Hashtags, categories, timestamps, and Slack message links are retained for the lifetime of the account.

Slack bot token

Deleted immediately when your org uninstalls Bougain from Slack.

User accounts

Deleted upon a verified erasure request. See Right to Erasure below.

Contact form submissions

Retained for up to 2 years for business purposes.

Subprocessors

Bougain uses the following third-party subprocessors to deliver the service. We do not sell data to any third party.

Right to Erasure

Employees and org admins may request deletion of their data at any time. To submit an erasure request, contact us at the address below. We will action all verified requests within 30 days.

Erasure & Privacy Requests

Phone: +91-7676740120

Or use the contact form and select “Data erasure request” in your message.

Access Control

Bougain enforces role-based access control across all API endpoints. Employees can only access their own data. Managers can only access their direct reports' timelines. Admins have org-wide access. All access is scoped by organisation — no cross-org data leakage is possible.