Security

Your data is safe

Keeping your data safe is our top priority at BoardClic and essential to our DNA. Security is a moving target, and while our protocols are enforced by a dedicated team and continuous product development, we always appreciate your input and feedback.

Two-step authentication

We know that you’ve entrusted us with critical data and only authorised employees at BoardClic have access to the production infrastructure. All key information is protected by two-step authentication.

We adhere to GDPR and keep your data stored and protected in compliance with all applicable legislations. And yes, it’s all stored in Europe.

Data that leaves production (staging, hotfix and analysis copies) is anonymised, as described in the whitepaper below, and data is available only to users with documented access. Two-factor authentication is available to all users as an extra layer of protection and we highly recommend that you use it.

Our Infrastructure

Our infrastructure is based on a secure cloud services platform that has been accredited under ISO 27001, 27017, 27018, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, PCI-DSS, FISMA Moderate, Sarbanes-Oxley (SOX).

On top of the infrastructure, we’ve built extra layers to ensure the applications and data are protected and always accessible. Access is tightly controlled and monitored. Apart from security controls, we have data redundancy with daily backups that we retain for 30 days.

We apply secure coding practices, and the code undergoes frequent third-party security assessment. Our service is continuously assessed against the Open Web Application Security Project (OWASP) Top 10 (Most Critical Web Application Security Risks).

Need more-detailed information?

Read our security whitepaper below.

BoardClic Security Whitepaper

Security defaults

We leverage Heroku’s application security settings.

General information about Heroku’s security and privacy policies is available here:

https://devcenter.heroku.com/articles/security-privacy-compliance

All dynos (containers) are located in the EU.

Heroku Platform Access Management

Role-based access for developers. The lead developer and CPO have administration access, others have member access. Two-factor authentication is obligatory for all users, at every access level, with access to BoardClic’s Heroku platform.

GitHub Access Management

Role-based access for developers. The lead developer and CPO have owner access, others have member access.

Two-factor authentication is required for everyone at BoardClic.

Dependabot alerts are enabled, so we are notified when a new vulnerability is published for one of the app’s dependencies.

BoardClic app Access Management

BoardClic’s administrative app privileges allow access to user personal data and evaluation result reports.

Administrative privileges are only given to employees who need them to do their work.

MFA is obligatory for all BoardClic employees with administrator privileges.

SSL

Transport security via TLS/SSL and Automated Certificate Management is enabled in Heroku.

Database

Production database has encryption at rest with AES-256, block-level storage encryption.

Staging and hotfix environment databases are obfuscated and do not include any personal data, real organisation names or open-ended comments (these are replaced with default text).

The obfuscated database is used for data analyses performed by BoardClic.

The obfuscated database for analyses is stored in isolation from the production database.

Database obfuscation

The obfuscation script is executed on the Heroku platform, so the data never leaves the Heroku environment.

The obfuscation script masks the following data:

  • Organisation name
  • Org. address
  • Org. website
  • Org. email
  • Org. contact number
  • User first and last name
  • User email
  • Open-ended comments
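As an added illustration of what a masking script of this kind has to do (this is example code, not BoardClic’s script; the table and column names, the placeholder texts and the sample rows are all constructed assumptions), the routine below replaces the listed fields, keeps the row ids and foreign keys intact so the copy still joins, derives the replacement names and emails from a keyed HMAC so that the same person maps to the same pseudonym without being recoverable, blanks free-text comments outright, and finishes with a post-condition scan that fails if any original value survived in the copy:

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample rows standing in for the production tables (not real data).
ORGANISATIONS = [
    {"id": 1, "name": "Acme Board AB", "address": "1 Example Street, Stockholm",
     "website": "https://acme.example", "email": "info@acme.example",
     "contact_number": "+46 8 123 456"},
]
USERS = [
    {"id": 10, "org_id": 1, "first_name": "Anna", "last_name": "Svensson",
     "email": "anna@acme.example"},
    {"id": 11, "org_id": 1, "first_name": "Erik", "last_name": "Berg",
     "email": "erik@acme.example"},
]
COMMENTS = [
    {"id": 100, "user_id": 10, "text": "The chair dominated most of the discussion."},
]

DEFAULT_COMMENT = "Comment removed"  # assumed placeholder text


def pseudonym(secret: bytes, value: str, length: int = 10) -> str:
    """Keyed, deterministic token. Same input -> same output within one run, so
    'same user' relations survive; without the secret the original cannot be
    recovered or confirmed by guessing (a plain hash of an email could be)."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_organisation(org: dict, secret: bytes) -> dict:
    token = pseudonym(secret, f"org:{org['id']}")
    return {**org, "name": f"Organisation {token}", "address": "Masked address",
            "website": f"https://org-{token}.example",
            "email": f"org-{token}@example.invalid", "contact_number": "+00 000 000 000"}


def mask_user(user: dict, secret: bytes) -> dict:
    token = pseudonym(secret, f"user:{user['id']}")
    return {**user, "first_name": "User", "last_name": token,
            "email": f"user-{token}@example.invalid"}


def mask_comment(comment: dict) -> dict:
    # Free text cannot be pseudonymised safely (people name colleagues in it), so replace it.
    return {**comment, "text": DEFAULT_COMMENT}


def obfuscate(orgs: list, users: list, comments: list, secret: bytes) -> dict:
    """Ids and foreign keys (org_id, user_id) are left untouched on purpose."""
    return {"organisations": [mask_organisation(o, secret) for o in orgs],
            "users": [mask_user(u, secret) for u in users],
            "comments": [mask_comment(c) for c in comments]}


def sensitive_values(orgs: list, users: list, comments: list) -> set:
    """Every original value that must not survive into the copy."""
    out = set()
    for o in orgs:
        out.update(o[k] for k in ("name", "address", "website", "email", "contact_number"))
    for u in users:
        out.update(u[k] for k in ("first_name", "last_name", "email"))
    for c in comments:
        out.add(c["text"])
    return out


def leaked(masked: dict, forbidden: set) -> list:
    """Post-condition check: scan every string in the masked copy for any original
    value, as a substring, so a surname buried in a longer field still counts.
    Conservative by design: a very short original value may cause a false positive."""
    hits = []
    for rows in masked.values():
        for row in rows:
            for value in row.values():
                if isinstance(value, str):
                    hits.extend(f for f in forbidden if f in value)
    return hits


if __name__ == "__main__":
    secret = b"per-run secret, generated fresh and never stored"
    copy = obfuscate(ORGANISATIONS, USERS, COMMENTS, secret)
    remaining = leaked(copy, sensitive_values(ORGANISATIONS, USERS, COMMENTS))
    print("leaks:", remaining)
    print(copy["users"][0])
```

Generate the secret per run and discard it: the pseudonyms only need to be consistent within one copy, and a stored key would turn the copy back into a reversible mapping of who is who.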

Backups

Automated daily backups are retained for 7 days, and weekly backups for 4 weeks.

Heroku Postgres Continuous Protection with rollback of up to 4 days.

A manual database backup is taken before each release and retained for 4 weeks.

Content Security Policy allows the following external services/libraries:

  • Google Analytics
  • Google Tag Manager
  • Hotjar
  • Mixpanel
  • Intercom
  • Google font
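An allowlist like the one above is only as strong as the policy string it lives in, so the added example below (example code, not BoardClic’s actual policy or tooling) parses a Content-Security-Policy header, answers the question a reviewer asks first, namely whether a given script, connection or font URL is actually permitted by the directive that governs it, and audits the policy for the settings that quietly undo an allowlist: 'unsafe-inline' or 'unsafe-eval' in script-src, a bare scheme or wildcard, plaintext http: sources, and a missing object-src or base-uri. The policy strings are constructed; the hostnames are the ones these vendors publish for their loaders, but which hosts BoardClic’s real policy contains, and in which directives, is an assumption, and real Hotjar and Intercom integrations need more sources than shown here.

```python
from __future__ import annotations

from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed policy in the shape of the allowlist above (assumed hosts and directives).
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com "
    "https://static.hotjar.com https://cdn.mxpnl.com https://widget.intercom.io; "
    "connect-src 'self' https://www.google-analytics.com https://*.hotjar.com "
    "https://api.mixpanel.com https://*.intercom.io; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
)
# A policy that looks restrictive but lets any https script and any inline script run.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}. Per the spec, a repeated
    directive is ignored after its first occurrence, so the first one wins here too."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Simplified CSP source-expression matching: 'self', 'none', scheme-only
    sources (https:), host sources with optional scheme, port and *.wildcard.
    Paths are ignored and no http->https upgrade is applied."""
    src, u = source.lower(), urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        s = urlparse(self_origin)
        return (u.scheme, u.hostname, u.port) == (s.scheme, s.hostname, s.port)
    if src.startswith("'"):          # nonces, hashes, 'unsafe-*' never match a URL
        return False
    if src.endswith(":") and "/" not in src:   # scheme-only source, e.g. https:
        return u.scheme == src[:-1]
    src_scheme, host_part = src.split("://", 1) if "://" in src else (None, src)
    host_part = host_part.split("/", 1)[0]
    host, port = host_part.rsplit(":", 1) if ":" in host_part else (host_part, None)
    if src_scheme and u.scheme != src_scheme:
        return False
    url_port = str(u.port or (443 if u.scheme == "https" else 80))
    if port and port != "*" and port != url_port:
        return False
    return fnmatchcase(u.hostname or "", host)   # "*.hotjar.com" matches subdomains only


def allows(policy: dict, directive: str, url: str, self_origin: str) -> bool:
    """Would the browser load `url` for `directive`? Fetch directives fall back to
    default-src; with neither present the browser applies no restriction."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, self_origin) for s in sources)


def audit(policy: dict) -> list:
    """Flag settings that make the allowlist much weaker than it looks."""
    findings = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script)
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"):
            if bad in script and not (bad == "'unsafe-inline'" and nonce_or_hash):
                findings.append(f"script-src contains {bad}, which lets injected scripts run")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: set object-src 'none' to block plugin content")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    for name, sources in policy.items():
        findings.extend(f"{name} allows plaintext source {s}" for s in sources
                        if s.lower().startswith("http://"))
    return findings


if __name__ == "__main__":
    for label, header in (("policy", POLICY), ("weak policy", WEAK_POLICY)):
        print(label, "->", audit(parse_csp(header)) or "no findings")
```

The 'unsafe-inline' exception is deliberate: when a nonce or hash source is present, browsers ignore 'unsafe-inline' in that directive, so it is then a harmless fallback for old browsers rather than a hole.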

The purpose of each service/library, and where it is used, is described in our Privacy Policy.

Email Service

We use Amazon Simple Email Service.

Transport Layer Security (TLS) is activated.

MFA is also active for all users with access to the Amazon account. We use Google Authenticator.


Other

CSRF/XSRF protection.

XSSI protection.

Vulnerability scans are done on a weekly basis by Detectify.


Need to report an incident?

Have you noticed misuse or experienced an incident with the application or your account? Please fill out the form below.