A summary of the technical and organizational measures we use to protect customer data. For a copy of our SOC 2 report or a security questionnaire, contact our team.
Security is a primary design constraint, not a checkbox. Our engineering, infrastructure, and operations practices are aligned to widely-recognized standards including SOC 2 Type II, ISO 27001 controls, and the CIS Critical Security Controls.
This page summarizes our program. Customers under NDA can request our full security documentation package including the latest SOC 2 report, penetration test summaries, and DPA.
BoardHasA.name runs on enterprise cloud providers (AWS in the US, GCP in the EU) inside isolated virtual private networks. Production workloads are segmented from corporate and development environments at the account, network, and credential level.
In transit: all traffic is encrypted with TLS 1.2 or higher using strong cipher suites. Internal service-to-service traffic uses mutual TLS.
At rest: all customer data, file uploads, and backups are encrypted with AES-256. Encryption keys are managed by the cloud provider's KMS with automatic rotation. Enterprise customers can request customer-managed keys (BYOK).
Passwords are hashed with bcrypt at a cost factor reviewed annually. API tokens are stored only as one-way hashes.
Customer data access is restricted to a small group of authorized personnel and is granted on a strict least-privilege basis. Every access requires multi-factor authentication on hardware tokens, is logged, and is subject to quarterly review.
We continuously monitor production for security and availability anomalies. Logs are centralized, immutable, and retained for at least 12 months. Automated alerts route to an on-call security engineer 24/7.
We maintain a documented incident response plan reviewed twice a year and exercised through tabletop and live drills. In the event of a confirmed security incident affecting customer data, impacted customers are notified within 72 hours per applicable law and in many cases sooner.
Post-incident, we publish a written root cause analysis and corrective action plan to affected customers.
All code changes go through peer review, automated static analysis, dependency vulnerability scanning, and CI testing before merge. Production deploys require a second approver. We follow OWASP best practices for application security and maintain a public security.txt with disclosure guidance.
Customer data is backed up continuously with point-in-time recovery up to 30 days. Backups are encrypted, replicated across regions, and tested via periodic restore drills. Our published recovery objectives are:
The service is engineered for 99.95% monthly uptime. Real-time status is published at status.boardhasa.name.
All employees and contractors with access to production systems sign confidentiality agreements, complete background checks where permitted by law, undergo security training on hire and annually thereafter, and use company-managed devices with full-disk encryption and EDR.
Security researchers are welcome. We operate a coordinated disclosure program — please report suspected vulnerabilities to security@boardhasa.name with reproduction steps. We confirm receipt within one business day and aim to triage within five.
We don't pursue legal action against good-faith researchers who follow our disclosure guidelines.
For security questionnaires, audit reports, or DPA requests:
Security Team
BoardHasA, Inc.
security@boardhasa.name
Our team is happy to walk through any of these terms with you — particularly for procurement or security reviews.