
Security

BoardSpot is trusted by thousands of users from around the world, and we don't take that trust lightly. The security of our customers' data is of paramount importance to us. BoardSpot maintains the highest of security practices throughout the entire technology stack and all of our business practices.

Multi-Factor Authentication


Every user has the option to enable Multi-Factor Authentication on their account, ensuring that even in the event that their password were somehow compromised, a bad actor would not be able to log into BoardSpot without also having access to that user's phone.

Password Security


Every user logs into BoardSpot with their own unique email and password combination. Passwords are salted with 64 bits of data and hashed with SHA-512. Because hashing is a one-way process, we can only verify that the password a user enters matches the one stored in the database, and can never retrieve or recover passwords.
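The verify-only property described above, as an added example that is not BoardSpot's code: a per-user 64-bit salt and SHA-512, with storage that can confirm a password but never return it. The PBKDF2 construction, the iteration count, the record layout and the function names are assumptions; the page states only the salt size and the hash function.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 8             # 64 bits, the salt size the page states
ITERATIONS = 210_000       # assumption: the page gives no work factor
MAX_ITERATIONS = 10_000_000
SCHEME = "pbkdf2-sha512"   # assumption: the page names only SHA-512


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA512 yields a 64-byte digest by default.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: scheme$iterations$salt$digest (hypothetical layout)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        # Malformed or truncated record: fail closed instead of raising.
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong guess", stored))                   # False
```
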

HTTPS and HSTS for secure connections


Browser security is of critical importance to ensuring the overall security of BoardSpot, so we enforce a very strict set of requirements on which browsers are allowed to access both the public website and the portal itself. While all modern browsers are supported, this does mean that Internet Explorer, for example, is not allowed to access the website.

BoardSpot ensures that all traffic is encrypted over HTTPS with TLS version 1.2 at a minimum.

We regularly audit the details of our implementation, including:
the certificates we serve
the certificate authorities we use
and the ciphers we support

We use HSTS to ensure browsers interact with BoardSpot only over HTTPS. Browsers which are no longer supported by their publishers, including Internet Explorer, are denied access to BoardSpot. All modern browsers on all major platforms are fully supported.

Encryption of data


All documents are encrypted with AES-256 on AWS S3 servers, and are exclusively transmitted across secure connections.

Storage of Credit Card Information


All credit card and related sensitive information is managed by Stripe. From Stripe's security documentation (1/1/2023):

All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including our API and website.

Vulnerability disclosure


Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in BoardSpot's security, please get in touch at security@boardspot.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by BoardSpot.

Updated on: 23/01/2023
