Security Measures
Last Updated: February 4, 2026
This page describes the technical and organizational measures Board Box Inc ("Board Box," "we," "us") maintains to protect Customer Personal Data and the Service. These measures are designed to be appropriate to the risks and are reviewed and updated over time.
1. Organization and Governance
- Dedicated security and privacy contacts: security@boardbox.ai and privacy@boardbox.ai.
- Policies covering access control, acceptable use, incident response, vendor risk, and data retention.
- Employee background checks where permitted by law and confidentiality commitments for personnel with data access.
- Security and privacy training for personnel on hire and annually.
2. Access Management
- Role-based access control and least-privilege principles.
- Multi-factor authentication for production systems where available.
- Unique user accounts; access reviews performed periodically and upon role changes or offboarding events.
3. Data Protection
- Encryption in transit using TLS 1.2+.
- Encryption at rest using industry-standard encryption provided by our cloud providers.
- Logical separation of tenant data; least-privilege access to Customer Personal Data.
- Data retention and deletion practices aligned to business needs and legal requirements.
- We may transmit limited portions of Customer Personal Data (for example, user prompts and relevant document excerpts) to approved subprocessors to provide AI-assisted features, consistent with our DPA.
4. Application and Change Security
- Secure software development lifecycle practices, including code review and dependency management.
- Vulnerability management program with regular scanning and risk-based remediation.
- Change management for production deployments.
5. Infrastructure and Network Security
- Hardened cloud infrastructure with security groups, firewalls, and network segmentation where appropriate.
- Logging and monitoring of security-relevant events.
- Backup and recovery procedures, including periodic verification of restore processes.
6. Vendor and Subprocessor Management
- Written agreements with subprocessors, including data-protection terms no less protective than those in our DPA.
- Risk-based vendor reviews before onboarding and periodically thereafter.
- A current list of subprocessors is available upon request as described at /subprocessors. Customers may subscribe to subprocessor updates by emailing privacy@boardbox.ai with the subject line: "Subscribe to subprocessor updates."
- Where we use AI service providers as subprocessors, we provide only the data necessary to deliver AI-assisted features (for example, user prompts and relevant document excerpts) and contractually restrict subprocessors' use of that data.
7. Incident Response
- Documented plan for detecting, responding to, and recovering from security incidents.
- Customer notification without undue delay after becoming aware of a Security Incident, consistent with our DPA.
8. Business Continuity and Disaster Recovery
- Plans and procedures intended to maintain or restore availability and access to Personal Data in a timely manner following an incident.
9. Customer Responsibilities
Customers are responsible for using the Service securely, including:
- Configuring and using access controls, user provisioning, and multi-factor authentication (where available).
- Maintaining the security of their own systems that interact with the Service.
- Promptly notifying us if they believe credentials are compromised or if they detect suspicious activity.
Contact
Security: security@boardbox.ai
Privacy: privacy@boardbox.ai