Security

Keeping your data safe is our top priority at BoardClic and essential to our DNA. Security is a moving target and our protocols are enforced by a dedicated team and continuous product development.

Security & Privacy-First Mindset

Security and privacy are key areas for BoardClic at all times. BoardClic has an Information Security Policy, a Statement of Applicability and a Risk Assessment & Treatment plan in place. They are revisited on a regular basis.

BoardClic works with security and privacy from three perspectives:

  1. Technical – keeping the platform safe from external attacks and data leaks
  2. Organisational – training employees to work in a secure and privacy preserving manner
  3. Environmental – having a secure office without unauthorised visitors

In addition to the above, BoardClic runs an external attack surface management solution on a weekly basis; so far no vulnerabilities have been found.

Two-Factor Authentication

We know that you’ve entrusted us with critical data and only authorised employees at BoardClic have access to the production infrastructure. All key information is protected by two-step authentication.

We adhere to GDPR and keep your data stored and protected in compliance with all applicable legislations. And yes, it’s all stored in Europe.

All data is anonymised and available only to users with documented access. Two-factor authentication is available to all users as an extra layer of protection and we highly recommend that you use it.

Our Approach

BoardClic applies a single approach to information security risk management across all information assets, covering the following properties:

  • Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes
  • Integrity: safeguarding the accuracy and completeness of information assets
  • Availability: being accessible and usable upon demand by an authorised entity

Risk Assessment
BoardClic has a regular process for systematically assessing information security risks in accordance with BoardClic’s Risk Methodology.

Risk Treatment Plan
In addition to the above, BoardClic has a risk treatment plan in place that covers, among other things, how identified risks feed into the wider information security management system (such as the Statement of Applicability), how treatment actions are taken, and how the effectiveness of those actions is evaluated along the way.

Technical Security Details

  • MFA is enabled for all BoardClic employees accessing the application. MFA is implemented using the third-party library ROTP (Ruby One Time Password), which generates and validates one-time passwords (HOTP and TOTP) according to RFC 4226 and RFC 6238.
  • Server platforms are certified with ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate, Sarbanes-Oxley (SOX)
  • Production DB has encryption at rest with AES-256, block-level storage encryption.
  • 1Password, which is always end-to-end encrypted and protected by AES-GCM-256 authenticated encryption, is used by all BoardClic employees.
  • BoardClic leverages the Devise library, which uses the OpenBSD bcrypt() password-hashing algorithm to generate and store secure password hashes.
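As an added illustration of the HOTP/TOTP mechanism referred to above, here is a minimal RFC 4226 / RFC 6238 implementation in plain Ruby using only OpenSSL from the standard library. It is not BoardClic's code and not the ROTP gem; the module and method names are assumptions, the secret and expected codes are the RFC test vectors, and the verify_totp helper shows the two checks any TOTP verifier has to add on top of code generation: a bounded clock-drift window and rejection of a code whose time step has already been accepted.

```ruby
require 'openssl'

# Added example (not BoardClic's code, not the ROTP gem): RFC 4226 HOTP and
# RFC 6238 TOTP implemented with only the Ruby standard library, plus a
# verifier that tolerates clock drift and refuses replayed codes.
module OneTimePassword
  module_function

  # RFC 4226 section 5.3: HMAC over the 8-byte big-endian counter, dynamic
  # truncation to a 31-bit value, reduce modulo 10^digits, left-pad with zeros.
  def hotp(secret, counter, digits: 6, algorithm: 'sha1')
    msg = [counter].pack('Q>')                       # 64-bit big-endian counter
    h = OpenSSL::HMAC.digest(algorithm, secret, msg).bytes
    offset = h.last & 0x0f                           # low nibble of last byte
    code = ((h[offset] & 0x7f) << 24) |              # clear the top bit (RFC 4226)
           (h[offset + 1] << 16) |
           (h[offset + 2] << 8) |
           h[offset + 3]
    (code % 10**digits).to_s.rjust(digits, '0')
  end

  # RFC 6238: the HOTP counter is the number of whole time steps since the epoch.
  def totp(secret, at:, step: 30, digits: 6, algorithm: 'sha1')
    hotp(secret, at.to_i / step, digits: digits, algorithm: algorithm)
  end

  # Constant-time comparison so the verifier does not leak, via timing, how
  # many leading digits of a submitted code were correct.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a submitted TOTP. Accepts +-drift time steps of clock skew and rejects
  # any code whose time step is not newer than last_used_step, so a code that
  # was already accepted cannot be replayed inside its validity window.
  # Returns the matched time step (store it as the new last_used_step) or nil.
  def verify_totp(secret, submitted, at:, last_used_step: nil, drift: 1,
                  step: 30, digits: 6, algorithm: 'sha1')
    return nil unless submitted.is_a?(String) && submitted.match?(/\A\d{#{digits}}\z/)

    now_step = at.to_i / step
    matched = nil
    # Evaluate every candidate step instead of returning early, so timing does
    # not reveal which step (if any) matched.
    (-drift..drift).each do |d|
      candidate = now_step + d
      next if candidate.negative?

      expected = hotp(secret, candidate, digits: digits, algorithm: algorithm)
      matched = candidate if matched.nil? && secure_equal?(expected, submitted)
    end
    return nil if matched.nil?
    return nil if last_used_step && matched <= last_used_step

    matched
  end
end

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = '12345678901234567890'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "HOTP counter 0:          #{OneTimePassword.hotp(RFC_TEST_SECRET, 0)}"                   # 755224
  puts "TOTP at t=59 (8 digits): #{OneTimePassword.totp(RFC_TEST_SECRET, at: 59, digits: 8)}"  # 94287082
  puts "verify at t=89:          #{OneTimePassword.verify_totp(RFC_TEST_SECRET, '94287082', at: 89, digits: 8).inspect}"
end
```

The drift window and the last-used-step check are deliberately separate: the window is what lets a user whose phone clock is a few seconds off still log in, and the replay check is what stops the same eight digits being accepted twice inside that window. A verifier that implements only the first is weaker than the RFC alone suggests.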