Security
BoardSpot is trusted by thousands of users from around the world, and we don't take that trust lightly. The security of our customers' data is of paramount importance to us. BoardSpot maintains the highest security practices throughout the entire technology stack and across all of our business practices.
Multi-Factor Authentication
Every user has the option to enable Multi-Factor Authentication on their account, so that even if their password were somehow compromised, a bad actor would not be able to log into BoardSpot without also having access to that user's phone.
Password Security
Every user logs into BoardSpot with their own unique email and password combination. Passwords are salted with 64 bits of data and hashed with SHA-512. Hashing is a one-way process: we can only verify that the password a user enters matches the one stored in the database, and can never retrieve or recover passwords.
HTTPS and HSTS for secure connections
Browser security is of critical importance to ensuring the overall security of BoardSpot, so we enforce a very strict set of requirements on which browsers are allowed to access both the public website and the portal itself. While all modern browsers are supported, this does mean that Internet Explorer, for example, is not allowed to access the website.
BoardSpot ensures that all traffic is encrypted over HTTPS with TLS version 1.2 at a minimum.
We regularly audit the details of our implementation, including:
the certificates we serve
the certificate authorities we use
and the ciphers we support
We use HSTS to ensure browsers interact with BoardSpot only over HTTPS. Browsers which are no longer supported by their publishers, including Internet Explorer, are denied access to BoardSpot. All modern browsers on all major platforms are fully supported.
Encryption of data
All documents are encrypted with AES-256 on AWS S3 servers, and are exclusively transmitted across secure connections.
Storage of Credit Card Information
All credit card and related sensitive information is managed by Stripe. From Stripe's security documentation (1/1/2023):
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including our API and website.
Vulnerability disclosure
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in BoardSpot's security, please get in touch at security@boardspot.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by BoardSpot.
Updated on: 23/01/2023