The certifications and regulatory frameworks BoardHasA.name aligns with. We aim to make procurement and security reviews short and answerable.
BoardHasA.name maintains an annual SOC 2 Type II report covering the Security, Availability, and Confidentiality Trust Services Criteria. The report is issued by an independent AICPA-accredited auditor and is available to customers and prospects under NDA.
To request the latest report or the bridge letter between audits, email trust@boardhasa.name.
Our information security management system is aligned with the ISO/IEC 27001:2022 control set. Formal certification is in progress and expected to complete within the calendar year. Our control mapping is available on request.
BoardHasA.name acts as a data processor on behalf of customers (controllers) for personal data they upload to the service. We offer a Data Processing Addendum incorporating the European Commission's Standard Contractual Clauses (2021) for international transfers. EU-region data is hosted in Frankfurt, Germany.
For California residents, we honor the rights to know, delete, correct, and opt out of "sale" or "sharing" — though we do not sell or share personal information in the senses defined by the CCPA. Verifiable consumer requests can be submitted to privacy@boardhasa.name.
Enterprise customers in healthcare can enter into a Business Associate Agreement (BAA) with us. A BAA-eligible environment is provisioned with appropriate technical and administrative safeguards aligned with the HIPAA Security Rule. Standard plans are not BAA-eligible.
We do not store full payment card data. Card processing is performed by a Level 1 PCI-DSS certified payment processor. BoardHasA itself maintains PCI SAQ-A scope.
Customers may choose to have their primary data stored in either the United States (us-east-1) or the European Union (eu-central-1) region. Once selected, primary data does not leave the chosen region. Operational metadata (account email, billing) is processed globally to deliver shared services like email delivery and support.
We use a limited set of vetted subprocessors to operate the service. The current list is maintained at boardhasa.name/subprocessors. We provide at least 30 days' notice before adding or replacing a subprocessor; customers under a DPA may object during this window.
Enterprise customers under an active DPA may request a once-per-year audit of our processing activities, subject to reasonable scoping, scheduling, and confidentiality protections. We will respond to standard security questionnaires (SIG, CAIQ, VSA) within 10 business days.
We update this page when our compliance posture changes. The effective date at the top reflects the most recent update. Active customers are notified of material changes by email.
For compliance, audit, or procurement requests:
Trust & Compliance Team
BoardHasA, Inc.
trust@boardhasa.name
Our team is happy to walk through any of these terms with you — particularly for procurement or security reviews.