Standards Handbook · BSH v1.0

What we measure against.

Concrete, versioned specifications by which the platform is operated, audited, and held to account. The Charter declares; the Standards measure. Eight standards. Each measurable.

Document ReferenceBSH · 1.0
Issued
Boby Pty Ltd
Version
1.0
Effective
2026
Review
Annual
Status
Active
Standards
Eight
Table of Contents
Eight standards. Each measurable.
BSH
01
Verification Layer
v1.0

Credential Verification Standard

Defines the credentials that must be verified, the method of verification, and the cadence at which verification is repeated for every Firm and Officer on the platform.

CredentialMethodCadenceOn Lapse
Master Security LicenceCross-check against state regulator registerDailyFirm Suspended
Individual Officer LicenceRegulator register lookup by Officer IDDailyOfficer Suspended
Public Liability InsuranceCertificate of Currency on file · expiry trackedWeekly + 30 days before expiryFirm Suspended
Professional IndemnityCertificate of Currency · expiry trackedWeekly + 30 days before expiryFirm Suspended
HLTAID First Aid / CPRCertificate uploaded · expiry tracked per OfficerMonthly + 60 days before expiryOfficer Suspended
National Police CheckValidity window per regulatory requirementPer regulatory cycleOfficer Suspended
Working with ChildrenState register lookup where role-relevantDailyOfficer Suspended
Specialist EndorsementsCategory-specific verification per typeVaries by endorsementEndorsement Revoked
BSH
02
Network Composition
v1.0

Identity & Onboarding Standard

Governs who may enter the Boby network, by what process, and what standing they hold on admission.

Invitation required. No participant enters the network without invitation from an existing member or Boby directly.
Firms must hold a current Master Security Licence at the time of application and continuously thereafter.
Officers must be employed by a Firm at the time of onboarding. Officers do not enter the network independently.
Users (Peelers) enter through a Firm sponsor or community organiser already in the network.
Identity verification is performed at onboarding for all participant types. The method is documented in the platform's Identity Verification Protocol (IVP-1.0).
Onboarding review window: 5 business days for Firms; 24 hours for Officers sponsored by an active Firm; 48 hours for Users.
BSH
03
Visible Verification
v1.0

Insignia & SIS Network Standard

Defines the physical and digital insignia issued to verified participants, the conditions under which insignia may be worn or displayed, and the revocation process.

ItemIssued ToCondition of IssueRevocation Trigger
SIS Sleeve PatchOfficersActive licence + Firm sponsorshipLicence lapse · Firm exit · 7 day removal window
SIS Roundel / Vehicle DecalFirmsActive Master Licence + all Officers currentMaster Licence lapse · immediate
Digital Verified Badge (QR)Officers + FirmsAll credentials currentAny credential lapse · automatic revocation
SIS Letterhead MarkFirmsActive in networkNetwork exit · 14 day phase-out window
BSH
04
User Sovereignty
v1.0

Companion & Vault Operational Standard

Defines how the AI Companion (Kaksos) is bonded, how the Sovereign Vault is operated, and what protections apply to User data at each phase of platform development.

Phase 1 Current
Encryption key in Secret Manager
Boby holds the key in Google Secret Manager. Policy commitment: no access without lawful order or explicit User instruction. Auditable. Transparent.
Phase 2 Planned
User-controlled key derivation
Encryption key derived from User-held secret. Boby cannot decrypt vault content even if compelled. Architecture in design.
Phase 3 Future
Distributed key custody
Key custody distributed across jurisdictions. No single party can compel decryption. Timeline subject to regulatory environment.
BSH
05
Open Standards
v1.0

SVF-1.0 Sovereign Vault Format

The open standard for Sovereign Vault export. Defines the schema, hash-chain format, and verification method used when a User exports their vault record.

Format: JSON-LD with SHA-256 hash chain. Each entry contains a content hash and back-reference to the previous entry hash.
Verification: Any party can re-compute the hash chain from the exported file and confirm integrity without accessing Boby's servers.
Portability: The format is published openly. Any compliant application can read and display a Sovereign Vault export.
Backwards compatibility: SVF-1.0 exports remain readable by any SVF-1.x-compliant application in perpetuity.
BSH
06
Operational Layer
v1.0

Demand Routing & Service Delivery

Governs how demand flows from Users and Property Owners to Firms, and the boundaries of the platform's role in the service transaction.

Routing is by category and postcode. Demand is matched to Firms subscribing to the relevant category in the User's postcode.
No ranking. Where multiple Firms serve the same postcode and category, demand is not ranked. The floor (verified standing) is the criterion, not a score.
Boby does not process service payments. Payment flows directly between User/Property Owner and Firm. The platform has no role in the financial transaction for services delivered.
Boby takes no commission on service revenue. Firm revenue from services is 100% retained by the Firm. Boby earns subscription revenue only.
BSH
07
Resolution Layer
v1.0

Dispute & Local Resolution

Defines the escalation pathway when a dispute arises, and the role of the local Firm sponsor as the first point of human resolution.

1
First tier: User raises matter with their Kaksos (AI Companion). Companion attempts resolution or routes to Firm sponsor.
2
Second tier: Firm sponsor in the User's postcode is notified. A licensed Officer attends or contacts the User within the Firm's stated response window.
3
Third tier: If the Firm sponsor cannot resolve the matter, Boby's platform team is escalated. Resolution is documented in both parties' records.
4
Lawful orders: Where a court of sufficient jurisdiction issues a lawful order, Boby complies. No vault content is accessed without this or explicit User instruction.
BSH
08
Infrastructure
v1.0

Platform Security & Data Protection

Defines the infrastructure security standards, data residency requirements, and breach notification commitments for the Boby platform.

Infrastructure: Google Cloud Platform, australia-southeast1. Compute on Cloud Run. Databases on Cloud SQL PostgreSQL 14. Frontend on Cloudflare Pages.
Data residency: All User data held in Australia. No cross-border transfer of vault content without User instruction and lawful basis.
Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256). Vault content additionally encrypted with per-User key.
Breach notification: Affected Users notified within 72 hours of any confirmed breach involving their data. Regulator notification as required by law.
Penetration testing: Annual third-party penetration test. Results reviewed by the platform team. Critical findings remediated before next release cycle.