Boondoggle

Security

Boondoggle is built for live event operations where guest, sponsor, lodging, activity, billing, and day-of coordination data must be available to the right people and protected from everyone else.

Last updated: June 3, 2026

Overview

This page summarizes the safeguards we use to protect customer data. It is intended as a practical overview for customers, procurement teams, counsel, and security reviewers. A signed customer agreement, data processing addendum, or security exhibit may include additional commitments for a covered account.

We describe controls at a useful level without overstating guarantees. No internet service can promise perfect security, and no event operations platform can remove every operational risk from a live event.

Shared Responsibility

Boondoggle protects the application, infrastructure configuration, private file access paths, access-control model, audit trails, and vendor relationships that support the service. Customers remain responsible for deciding what information belongs in Boondoggle, inviting the right people, assigning appropriate roles, reviewing access, configuring integrations, and training users.

Access Control

  • Authenticated workspaces are protected by login and session controls.
  • Customer data is scoped by organization and event, with role-based access for admins, coordinators, viewers, volunteers, staff, sponsor contacts, and internal platform operators.
  • Sponsor portal access is limited through invitation, sponsor-specific context, and sponsor-specific permissions.
  • Sensitive staff and platform routes require staff-role checks in addition to normal authentication.
  • Customers can reduce risk by using least-privilege access and removing people who no longer need event or sponsor access.

Application Safeguards

  • Event and organization writes are designed to run through authorized server actions and service-layer checks.
  • Public routes are explicitly allow-listed; authenticated application routes are protected by default.
  • Customer data access is designed around organization, event, sponsor, staff-role, and portal boundaries.
  • Uploaded files use private storage paths and controlled download or rendering routes rather than unrestricted public URLs.
  • Service code is structured around authorization checks, validation, service-layer business logic, and audit logging for important operational changes.

Infrastructure and Data Protection

  • Boondoggle uses reputable cloud providers for application hosting, database infrastructure, private file storage, email delivery, and related operational services.
  • Network traffic is protected with HTTPS in production.
  • Production security headers restrict framing, object embedding, and other browser behaviors that commonly create web security risk.
  • Customer files are stored in private buckets and accessed through controlled application paths.
  • Operational backups and retention controls are maintained for event continuity, recovery, legal, billing, audit, and security needs.

Vendors and Integrations

We review subprocessors and integration providers based on the service they provide, the type of data they process, and their relevance to Boondoggle. Our current public list is available on the Subprocessors page.

Customer-enabled integrations, such as QuickBooks, CRM/webhook destinations, email workflows, analytics, and AI-assisted features, process data when a customer connects, configures, enables, or uses that integration. Those third-party services are also governed by their own terms and privacy practices.

Logging, Audit, and Monitoring

  • Audit logs record important account, event, sponsor, billing, import, export, and operational changes.
  • Security and operational logs help us investigate errors, suspicious activity, denied access, integration delivery, rate limits, and service health.
  • Logs are used to secure and operate the service, support customers, troubleshoot incidents, and satisfy legitimate business, legal, and audit needs.

Incident Response

If we identify a security incident that affects customer data, we will investigate, take reasonable steps to contain and remediate it, and notify affected customers as required by applicable law and customer agreements.

Customers should promptly report suspected unauthorized access, credential compromise, suspicious event exports, or integration misconfiguration so we can investigate with the right context.

Customer Responsibilities

  • Use strong passwords and protect account credentials.
  • Promptly remove users who no longer need access.
  • Review sponsor portal contacts, staff invitations, platform roles, and event roles before sharing live event data.
  • Avoid entering sensitive information that is not necessary to run the event.
  • Review customer-enabled integrations before syncing event, sponsor, attendee, invoice, or CRM data to third-party systems.
  • Maintain appropriate privacy notices, permissions, consents, and lawful bases for the event data customers provide to Boondoggle.

Security Questions and Reports

Questions about Boondoggle security, vendor review, or responsible vulnerability reporting can be sent to hello@boondoggle.events.

Security commitments for a specific customer account may also be documented in an order form, DPA, security exhibit, or other written customer agreement.