🔒 Security
Security at I'mBoard
We protect board data with modern, practical controls: TLS encryption, encrypted storage, least-privilege access, signed file links, audit trails, and hardened app defaults.
At a glance
What we do today
TLS for all connections in transit; encrypted storage for DB and files at rest.
Private by default, role-based permissions, least-privilege IAM for infrastructure.
Time-limited, signed S3 URLs for file access; no public links in production.
Board-pack version history and key actions are logged for traceability.
CSP with script hashes, Helmet security headers, input validation/sanitization.
A separate, read-only seeded workspace—no customer data in the demo.
📊 Data Protection
Encryption & data handling
Specific controls that protect board documents, metrics, and discussions
TLS in transit
All app, API, and DB connections use HTTPS/TLS. HSTS and modern ciphers are preferred.
Encrypted storage
Database encryption via managed provider; file storage on AWS S3 with KMS server-side encryption.
Keys & secrets
Secrets managed via cloud services; never stored in code or repos.
Signed access
Time-boxed, signed URLs for file delivery; access is revoked when links expire.
Data ownership
It’s your data—export on demand; deletion on request per retention policy.
No public links
Production forbids open/public sharing endpoints to reduce exposure.
Account security
Authentication, authorization, and session controls
Passwordless sign-in
Email verification codes issue short-lived JWTs (single-factor today).
MFA & SSO (roadmap)
TOTP/WebAuthn MFA and Google/Microsoft/OIDC SSO are on the roadmap.
Roles & permissions
Private by default. Directors, observers, counsel, and executives receive only necessary access.
Session management
Token refresh with inactivity timeouts; sessions invalidated on credential reset.
🧩 Application Security
Secure by default
Hardening in the app and development workflow
Hardened headers & CSP
Helmet security headers and Content Security Policy with script hashes to reduce XSS risk.
Validation & sanitization
Strong input validation (Zod) and sanitization throughout the app.
Abuse controls
Rate-limiting and sensible defaults to deter automated abuse.
Audit trails
Key actions and board-pack versions are recorded for review and compliance needs.
Testing
Jest unit tests and Playwright end-to-end tests on CI/CD.
Solo build, smaller surface
Engineered by a solo founder; no external contractors, minimizing access vectors.
🌍 Infrastructure
Reliable cloud providers
Built on trusted platforms
Managed infrastructure reduces patch and ops risk while preserving speed. Logs are collected (Winston) and deployments run through CI/CD.
Heroku (Salesforce)
App hosting at app.imboard.ai on Heroku managed infrastructure.
MongoDB Atlas
Managed database with encryption and operational safeguards.
AWS S3
Encrypted file storage (KMS) with signed URL delivery.
SendGrid
Transactional email delivery for authentication and notifications.
🤖 AI/ML Data Handling
Structured first; AI-ready by design
Structured reporting
Forms create clean JSON schemas. Dashboards render from structured data—not arbitrary PDFs.
LLMs for assistive tasks
OpenAI GPT-4o for classification/summarization; prompts grounded in your structured data.
Search & OCR
Embeddings via OpenAI (text-embedding-3) and Atlas Vector Search; OCR via Mistral Document AI.
Isolation
Demo workspace is separate and seeded; no customer data is used for training.
Governance & roadmap
Clear responsibilities and what’s next
Our responsibilities
App & infrastructure security, encryption, access control, logging, and incident response.
Your responsibilities
Manage who you invite; follow strong identity practices; classify what you share.
Reporting issues
Report issues to security@imboard.ai. We acknowledge quickly and keep you informed.
Roadmap
MFA (TOTP/WebAuthn), SSO (Google/Microsoft/OIDC), and a formal SOC 2 program. Timeline will be published once dates are locked.
Vendors & sub-processors
We use reputable infrastructure and operational providers
Heroku (Salesforce)
Application hosting
MongoDB Atlas
Managed database & vector search
AWS S3
Encrypted object storage
SendGrid
Transactional email
OpenAI
LLM inference (assistive features)
Mistral (Document AI)
OCR for PDFs/slides
Version 2.0 · Last updated: October 2025
Questions or questionnaires? security@imboard.ai · Privacy requests: privacy@imboard.ai