Trust & Security

A board portal holds some of an organization’s most sensitive material. Here’s exactly how BoardDock protects it — no hand-waving, no fine print.

Encryption everywhere

All traffic is encrypted in transit with TLS, and your data is encrypted at rest. There is no unencrypted path to your board's materials.

Access enforced at the database

Every table is protected by row-level security — the database itself refuses to return another organization's rows. Isolation between boards isn't a UI feature; it's enforced at the lowest layer.

Confidentiality tiers

Meetings, documents, and motions carry visibility tiers — public, board, committee, in camera (executive session), and restricted — checked on every read, so sensitive material is only ever seen by the people entitled to see it.

Role-based access

Owners, admins, officers, directors, staff liaisons, and viewers each get exactly the capabilities their role needs. Administrative actions require administrative roles, verified server-side.

Append-only audit trail

Key governance actions are recorded in an audit log that can't be edited or deleted from the application — a permanent record of who did what, when.

Payments by Stripe

Billing runs entirely on Stripe, a certified PCI Level 1 service provider. Card numbers never touch BoardDock's servers or database.

Resilient infrastructure

BoardDock runs on Vercel and Supabase with automated backups. Our infrastructure providers — AWS, Vercel, Supabase, and Stripe — maintain industry certifications including SOC 2 and ISO 27001.

Privacy-first hosting in Canada

Your data is hosted in Canada (AWS Canada Central via Supabase, with compute in Montréal) under PIPEDA — one of the world's strongest privacy regimes, recognized as adequate by the European Union. The same protections apply to every board, wherever it's based.

Who we rely on

BoardDock uses a small, carefully chosen set of subprocessors. Each one sees only what it needs to do its job.

ProviderPurposeRegion
Supabase (AWS)Database, authentication, file storageCanada Central
VercelApplication hostingMontréal, Canada
StripePayments & billingGlobal (PCI Level 1)
MailerooTransactional emailGlobal

Security questions

Where is our data stored?
In the AWS Canada Central region, encrypted at rest, with access enforced at the database level. For most boards there's no requirement that nonprofit records be stored in your own country, and our hosting is covered by PIPEDA — a comprehensive privacy law recognized as adequate by the European Union. Wherever your board is based, your data is encrypted, access-controlled, and protected by robust privacy safeguards.
Can BoardDock staff read our board materials?
Operational access is limited to a small, explicitly allowlisted set of operators, used only for support and required maintenance — and administrative actions on our side are logged. We never sell or mine your data, and we never use your board's content for advertising or training.
Who can see our in-camera (executive session) materials?
Only the board members and administrators explicitly entitled to them. The in-camera and restricted tiers are enforced by the database on every query — not just hidden in the interface.
What happens to our data if we cancel?
Your workspace data remains yours. Export what you need (board packages and minutes export to PDF), and contact us to have your organization's data deleted — we'll confirm when it's done.
How do we report a security concern?
Contact us immediately through the contact page and mark it as a security issue. We take reports seriously, respond quickly, and appreciate responsible disclosure.

Have a security or privacy question we haven’t answered? Ask us directly — we’ll give you a straight answer.