Security
How BoardFluent protects your data
BoardFluent is operated by Gulf Holdings LLC. Founders use it to prepare and share board and investor materials, so data protection is built into the product, not bolted on. Below is a plain-language overview of the controls in place today.
Confidential board-book delivery
Board book viewer links are issued per recipient and can be revoked at any time. Every PDF page carries the recipient email plus a forensic hash embedded in the document metadata, so a leaked copy can be traced back to the source recipient. Each view is recorded in a per-recipient audit log, and recipient links are origin-restricted and revocable.
Imported financial data & benchmarks
Imported financial data (CSV uploads, plus authorized Stripe sync) is scoped to the operator who authorized it and is never shared across accounts. Cohort benchmarks are computed only on opted-in, anonymized inputs; see the Privacy Policy for details. Embed tokens are origin-restricted and revocable, so you control which sites may embed your calculators.
Infrastructure & subprocessors
BoardFluent is built on established cloud platforms, ultimately running on Amazon Web Services (AWS) data centers, and inherits their physical, network, and platform security controls. AWS facilities are independently audited against SOC 1/2/3, ISO 27001, and PCI DSS, and each provider below publishes its own security attestations on its trust pages. Our current subprocessors:
Amazon Web Services (AWS)
Underlying cloud data centers (US regions). Our database and application hosts run on AWS, whose facilities maintain SOC 1/2/3, ISO 27001, and PCI DSS certifications.
Supabase
Database, authentication, and storage (runs on AWS infrastructure)
Vercel
Application hosting and compute (runs on AWS infrastructure)
Stripe
Payment processing and read-only Connect data sync (PCI DSS Level 1)
Postmark
Transactional and board-book delivery email
PostHog
Product analytics
Sentry
Error monitoring and performance diagnostics
Service keys and other secrets run server-side only and are never exposed to the browser. Enterprise customers can request the current subprocessor list or a signed Data Processing Addendum; see the DPA.
Responsible disclosure
Found a vulnerability? Report it to security@boardfluent.com with enough detail to reproduce the issue. We review every report and will not pursue action against good-faith research that respects user privacy and avoids service disruption.
Related policies
See the Privacy Policy, Data Processing Addendum, and Acceptable Use Policy for how we collect, process, and retain data.