Security Measures (Technical and Organizational Measures)
Update Date: September 18, 2025
This page describes the technical and organizational measures Board Box Inc maintains to protect Customer Personal Data and the Service. These measures are designed to be appropriate to the risks and are reviewed and updated over time.
1. Organization and governance
Dedicated security and privacy contacts: security@boardbox.ai and privacy@boardbox.ai.
Policies covering access control, acceptable use, incident response, vendor risk, and data retention.
Employee background checks where permitted by law and confidentiality commitments for personnel with data access.
Security and privacy training for personnel on hire and annually.
2. Access management
Role-based access control and least-privilege principles.
Multi-factor authentication for production systems where available.
Unique user accounts; access reviews at least quarterly.
3. Data protection
Encryption in transit using TLS 1.2+.
Encryption at rest using industry-standard encryption provided by our cloud providers.
Logical separation of tenant data; least-privilege access to Customer Personal Data.
Data retention and deletion practices aligned to business needs and legal requirements.
4. Application and change security
Secure software development lifecycle practices, including code review and dependency management.
Vulnerability management program with regular scanning and risk-based remediation.
Change management for production deployments.
5. Infrastructure and network security
Hardened cloud infrastructure with security groups, firewalls, and network segmentation where appropriate.
Logging and monitoring of security-relevant events.
Backup and recovery procedures with periodic tests.
6. Vendor and subprocessor management
Written agreements with subprocessors, including data-protection terms no less protective than those in our DPA.
Risk-based vendor reviews before onboarding and periodically thereafter.
List of current subprocessors published at /legal/subprocessors.
7. Incident response
Documented plan for detecting, responding to, and recovering from security incidents.
Customer notification without undue delay after becoming aware of a Security Incident, consistent with our DPA.
8. Business continuity and disaster recovery
Plans and procedures intended to maintain or restore availability and access to Personal Data in a timely manner following an incident.
9. Customer responsibilities
Configure and use the Service securely (for example, access controls, user provisioning, and MFA).
Maintain the security of your own systems that interact with the Service.
Promptly notify us if you believe credentials are compromised or if you detect suspicious activity.
