BoardSpot Security
BoardSpot is trusted by thousands of users around the world, and we don't take that trust lightly. The security of our customers' data is of paramount importance to us. BoardSpot maintains strict security practices throughout the entire technology stack and across all of our business practices.
Security Measures:
Multi-Factor Authentication
Every user can enable Multi-Factor Authentication on their account. With it enabled, a compromised password alone is not enough to log in: an attacker would also need the second factor, which lives on that user's phone.
Password Security
Every user logs into BoardSpot with their own unique email and password combination. Passwords are stored salted with 64 bits of random data and hashed with SHA-512. Hashing is a one-way process: we can only check that the password a user enters matches the stored hash, and can never retrieve or recover the password itself. Because SHA-512 is a fast general-purpose hash, the salt defeats precomputed lookup tables but does not by itself slow down offline guessing, which is why a deliberately slow password hashing function (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) is the usual recommendation.
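The scheme described above, as an added example that is not BoardSpot's code: a 64-bit random salt prepended to the password and hashed with SHA-512, a verify step that recomputes from the stored salt rather than ever decrypting anything, and the same record layout using PBKDF2-HMAC-SHA512 as the slow-hash variant. The record format (`algorithm$salt$digest`), the iteration count and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 8                 # 64 bits of salt, as the page states
PBKDF2_ITERATIONS = 600_000    # assumed; tune so one hash costs ~100 ms on the login server


def hash_password_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha512$<salt hex>$<digest hex>'. The salt is random per user,
    so two users with the same password get different records."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """Same layout, but each guess costs `iterations` HMAC-SHA512 rounds,
    so an offline attacker pays that cost per candidate password."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time. Nothing in
    the record lets anyone recover the password; only a match can be confirmed."""
    try:
        parts = record.split("$")
        if parts[0] == "sha512":
            _, salt_hex, _digest = parts
            candidate = hash_password_sha512(password, bytes.fromhex(salt_hex))
        elif parts[0] == "pbkdf2_sha512":
            _, iters, salt_hex, _digest = parts
            candidate = hash_password_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
        else:
            return False          # unknown algorithm tag: treat as no match
    except ValueError:
        return False              # malformed record
    return hmac.compare_digest(candidate, record)


if __name__ == "__main__":
    # Constructed sample: same password, two users, two different records.
    a = hash_password_sha512("correct horse battery staple")
    b = hash_password_sha512("correct horse battery staple")
    print(a != b, verify_password("correct horse battery staple", a))
    p = hash_password_pbkdf2("correct horse battery staple")
    print(verify_password("correct horse battery staple", p), verify_password("wrong", p))
```

Storing the algorithm tag in the record is what lets a site migrate users from the fast scheme to the slow one on their next successful login without a forced reset.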
Encryption of data
All documents are encrypted at rest with AES-256 in AWS S3, and are only ever transmitted over encrypted (TLS) connections.
Storage of Credit Card Information
All credit card and related sensitive information is managed by Stripe. From Stripe's security documentation (1/1/2023):
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including our API and website.
Vulnerability disclosure
Our security team promptly investigates all reported security issues. If you believe you have found a security vulnerability in BoardSpot, please contact security@boardspot.com. We will respond to your report as quickly as possible, and we ask that you do not publicly disclose the issue until BoardSpot has addressed it.
Infrastructure Security:
Web Application Firewall (WAF)
Our Web Application Firewall (WAF) protects BoardSpot by filtering and monitoring HTTP traffic between the web application and the internet. It inspects requests and blocks several classes of attack, including cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection. The WAF is a Layer 7 defence (the application layer, the top layer of the seven-layer OSI model). It sits between our servers and the internet and is managed by CloudFlare. The firewall runs a suite of rules tuned to the type of services BoardSpot provides, and the rules are updated periodically. A WAF filters requests that match known attack patterns; it complements, rather than replaces, input validation and output encoding in the application itself.
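To make concrete what a Layer 7 rule set does, here is an added example (not BoardSpot's or CloudFlare's code) of a minimal signature-based WAF run over constructed HTTP requests. The rule ids, patterns and sample traffic are all assumptions for this illustration; managed rule sets are far larger and tuned against false positives. It also shows two practical points: the engine must inspect the fully decoded request (double URL-encoding is a standard bypass of naive filters), and a signature can still fire on innocent input, which is why rules need tuning.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# (rule id, description, pattern) -- illustrative signatures only.
RULES = [
    ("SQLI-001", "SQL injection: tautology, comment terminator or UNION SELECT",
     re.compile(r"(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|--\s*$|/\*.*\*/|\bunion\b\s+\bselect\b)",
                re.I | re.S)),
    ("XSS-001", "Cross-site scripting: script tag, event handler or javascript: URL",
     re.compile(r"(<\s*script\b|\bon\w+\s*=|javascript:)", re.I)),
    ("LFI-001", "File inclusion: directory traversal or stream wrapper",
     re.compile(r"(\.\./|\.\.\\|/etc/passwd|php://)", re.I)),
]


def _decode(value: str) -> str:
    """Percent-decode until stable: attackers double-encode ('%2520' -> '%20' -> ' ')
    to slip past filters that decode only once."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote_plus(value)
    return value


def inspect(req: Request) -> List[str]:
    """Return ids of every rule that matches any decoded part of the request."""
    fields = [req.path, req.query, req.body] + list(req.headers.values())
    matched = []
    for rule_id, _desc, pattern in RULES:
        if any(pattern.search(_decode(f)) for f in fields):
            matched.append(rule_id)
    return matched


def waf_decision(req: Request) -> str:
    """Block on any match, otherwise pass the request through to the origin."""
    return "block" if inspect(req) else "allow"


# Constructed sample traffic (not real BoardSpot requests).
SAMPLES = [
    Request("GET", "/boards/42", "q=minutes"),
    Request("GET", "/boards/42", "id=1 OR 1=1 --"),
    Request("GET", "/boards/42", "id=1%2520OR%25201%253D1"),        # double-encoded SQLi
    Request("POST", "/comments", body="text=<script>alert(1)</script>"),
    Request("GET", "/download", "file=..%2F..%2Fetc%2Fpasswd"),
    Request("GET", "/status", "online=1"),                         # benign, but trips XSS-001
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{waf_decision(req):5}  {req.method} {req.path}?{req.query} {req.body}  {inspect(req)}")
```

The last sample is the caveat in code: `online=1` matches the event-handler pattern `on\w+=`, so a real deployment would narrow that rule or exempt the parameter. Managed rules exist precisely to carry that tuning for you.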
DDoS Attack Protection
BoardSpot relies on the global network of our security partner CloudFlare to protect against Distributed Denial of Service (DDoS) attacks. DDoS protection is implemented in several layers. The first layer is HTTP DDoS attack protection, which operates at the application layer (Layer 7 of the OSI model) and blocks distributed attacks using a rule set that CloudFlare manages and updates as new attack vectors are discovered. BoardSpot benefits from the 112 billion threats that CloudFlare reports blocking each day.
Immutable Architecture
BoardSpot's code is deployed to a read-only file system, so code cannot be added or changed on a running server without going through the authorized deployment channels. All code changes are secured and auditable. This removes a common class of attacks that depend on writing to the server, such as planting a web shell or tampering with application files.
Instant Infrastructure Updates
BoardSpot's infrastructure is updated on an ongoing basis so that the underlying software and libraries stay on current, patched versions.
HTTPS and HSTS for secure connections
Browser security is critical to the overall security of BoardSpot, so we enforce a strict set of requirements on which browsers may access both the public website and the portal itself. All modern browsers are supported; browsers that their publishers no longer support, such as Internet Explorer, are not allowed to access the website.
BoardSpot ensures that all traffic is encrypted with HTTPS, using TLS 1.2 or later.
We regularly audit the details of our implementation, including:
the certificates we serve
the certificate authorities we use
and the ciphers we support
We use HSTS (HTTP Strict Transport Security) so that browsers interact with BoardSpot only over HTTPS, even when a user types a plain http:// address or follows an http:// link. As noted above, browsers that are no longer supported by their publishers, including Internet Explorer, are denied access; all modern browsers on all major platforms are fully supported.
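Two of the controls in this section can be checked in code. The following is an added example, not BoardSpot's own configuration: a server-side TLS context with TLS 1.2 as the floor (so TLS 1.0 and 1.1 handshakes are refused), and a parser that validates a Strict-Transport-Security header against the values browsers need to honour it and that preload lists require. The one-year threshold, the directive handling and the function names are assumptions for this illustration; the page does not publish BoardSpot's actual header value.

```python
import ssl
from typing import Dict, List, Optional

ONE_YEAR = 31536000   # seconds; the minimum max-age accepted by browser preload lists


def make_server_context(certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context whose minimum protocol version is TLS 1.2.
    create_default_context() already disables SSLv2/v3 and weak ciphers;
    minimum_version additionally rejects TLS 1.0 and 1.1 clients."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def server_min_tls() -> str:
    """Name of the negotiated floor, e.g. 'TLSv1_2', for audit scripts."""
    return make_server_context().minimum_version.name


def parse_hsts(header: str) -> Dict[str, object]:
    """Parse 'max-age=N; includeSubDomains; preload' (directive names are
    case-insensitive per RFC 6797) into a small dict."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                out["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass               # unparseable max-age: leave as None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def hsts_findings(header: str) -> List[str]:
    """Human-readable problems with an HSTS policy; an empty list means the
    header is enforced by browsers and eligible for preload lists."""
    p = parse_hsts(header)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing or unparseable: browsers ignore the header")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears the policy rather than enforcing it")
    elif p["max_age"] < ONE_YEAR:
        findings.append("max-age below one year (preload lists require >= 31536000)")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if not p["preload"]:
        findings.append("preload missing: not eligible for browser preload lists")
    return findings


if __name__ == "__main__":
    print("server TLS floor:", server_min_tls())
    # Constructed header values, not values observed from BoardSpot.
    for h in ["max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0"]:
        print(repr(h), "->", hsts_findings(h) or "ok")
```

Note that HSTS only takes effect after a browser has seen the header once over a valid HTTPS connection; submitting the domain to a preload list closes that first-visit gap, which is why the checker treats `preload` as a finding rather than an option.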
Note: The Essentials and Standard plans are hosted in the United States on AWS servers. Enterprise accounts can be hosted in any AWS region, including Australia.
Updated on: 22/09/2023