BoardFolio Security Protocols

Overview
 
At BoardFolio, we prioritize the security, privacy, and trust of our users above all else. Our Trust Center serves as a comprehensive resource to demonstrate our unwavering commitment to safeguarding your data and ensuring the reliability of our platform. Built on industry-leading standards and practices, BoardFolio employs robust security measures, transparent data policies, and proactive compliance protocols to empower our users with confidence. Whether you're a board member, administrator, or stakeholder, the BoardFolio Trust Center provides clear insights into how we protect your information, maintain operational excellence, and foster a secure environment for collaboration and governance.

TABLE OF CONTENTS

• What are the Security Protocols?
• What are the Certifications of the Boardfolio? 
• What are the Encryption Methods?
• What are the Access Controls? 
• How are data being handled?
  • Data Handling Practices
• Understanding Your User Rights with BoardFolio
• Where to Find Information on Your Rights
• How to Exercise Your Rights
• What are BoardFolio's Incident Response Plans?
• What is the regulatory compliance standard that Boardfolio follows? 

What are the Security Protocols?

BoardFolio employs robust security protocols to protect sensitive board materials and ensure secure collaboration. Key security features include:

• Proprietary Multi-Layered Advanced Encryption: All data, both in transit and at rest, is secured using industry-standard encryption to maintain confidentiality and integrity.
• ISO 27001:2013 Certified Data Centers: Hosted in highly secure, EU-based data centers adhering to the gold standard for information security, ensuring robust physical and digital protections.
• Customized Access Permissions: Granular role-based permissions allow administrators to control who can access specific data and documents, enhancing security by restricting unauthorized access.
• Centralized Secure Storage: Sensitive board information is stored in a single, secure platform, reducing risks associated with email, random servers, or unsecured cloud storage.
• Mobile and Cross-Platform Compatibility: Optimized for secure access across desktops, tablets, and smartphones, supporting major browsers (Chrome, Firefox, Safari, Microsoft Edge) to ensure safe access on the go. 

What are the Certifications of the Boardfolio? 

• The application is certified under ISO/IEC 27001:2013, ensuring a robust Information Security Management System (ISMS) that meets international standards for data security, and is GDPR compliant, demonstrating adherence to the European Union's regulations for protecting personal data privacy and security.
  

What are the Encryption Methods? 

• BoardFolio employs robust encryption methods to ensure the security of your data. Data transiting to and from our servers is encrypted using secure SSL/TLS-protected channels, safeguarding information during transfer. Additionally, all client data at rest is secured using the Transparent Data Encryption (TDE) mechanism, providing strong protection for stored data. 

What are the Access Controls? 

• BoardFolio employs robust encryption methods to ensure the security of your data. Data transiting to and from our servers is encrypted using secure SSL/TLS-protected channels, safeguarding information during transfer. Additionally, all client data at rest is secured using the Transparent Data Encryption (TDE) mechanism, providing strong protection for stored data. 

How are data being handled? 

At Boardfolio, we prioritize the secure and compliant handling of your data in accordance with our certifications and encryption standards. Below is a detailed explanation of how we manage data, drawing from our practices and the information provided in the Boardfolio Data Processing Addendum (DPA). For further details, you can refer to the link: Boardfolio DPA  

Data Handling Practices

1. Data Collection and Use:
   • We collect only the personal data necessary to provide our services, as outlined in our Privacy Notice. This includes data provided by clients during interactions with BoardFolio, such as through our platform or related services.
   • Personal data is used solely for the purposes specified in our agreements, including facilitating secure board and governance activities, and is processed in compliance with applicable data protection laws, including GDPR.
2. Data Security:
   • Encryption in Transit: Data transiting to and from BoardFolio servers is protected using secure SSL/TLS-protected channels, ensuring that information remains confidential and secure during transfer.
   • Encryption at Rest: All client data stored on our servers is secured using Transparent Data Encryption (TDE), which protects data against unauthorized access by encrypting it at the storage level.
3. Data Processing and Compliance:
   • As detailed in the BoardFolio DPA, we act as a data processor for personal data provided by our clients (data controllers). We process this data only in accordance with the client’s instructions and the terms of the DPA, ensuring compliance with GDPR and other relevant regulations.
   • Our ISO/IEC 27001:2013 certification underscores our commitment to maintaining a robust Information Security Management System (ISMS), which governs how we handle, store, and protect data to meet international security standards.
   • We ensure GDPR compliance by implementing appropriate technical and organizational measures to safeguard personal data, including regular audits and adherence to data protection principles.
4. Data Storage and Retention:
   • Data is stored securely on our servers, with access restricted to authorized personnel only. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law, as outlined in our Privacy Notice.
   • Upon termination of services or at a client’s request, we securely delete or anonymize personal data in accordance with our data retention policies, unless legally required to retain it.
5. Third-Party Data Sharing:
   • We do not share personal data with third parties unless explicitly authorized by the client or required by law. Any third-party service providers we engage (e.g., for hosting or support services) are bound by strict data processing agreements to ensure they meet the same security and compliance standards.
   • The DPA specifies that we notify clients of any sub-processors involved in data handling and ensure they comply with GDPR and other applicable regulations.
6. Data Subject Rights:
   • We support clients in fulfilling data subject requests, such as access, rectification, or deletion of personal data, as required under GDPR. Clients can raise such requests through our support channels, and we will assist in processing them promptly.
7. Incident Management:
   • In the unlikely event of a data breach, we have established procedures to promptly notify affected clients and relevant authorities, as required by GDPR. Our ISMS includes incident response plans to mitigate risks and ensure swift resolution.

Understanding Your User Rights with BoardFolio

As a user of BoardFolio, you have specific rights regarding your personal data, as outlined in the Vistra Group Privacy Notice, which applies to BoardFolio services. These rights, aligned with GDPR and other data protection regulations, include:

• Right to Access: You can request access to the personal data we hold about you.
• Right to Rectification: You can ask us to correct any inaccurate or incomplete data.
• Right to Erasure: You may request the deletion of your personal data under certain conditions.
• Right to Restrict Processing: You can request limitations on how we process your data.
• Right to Object: You can object to certain types of data processing, such as for marketing purposes.
• Right to Data Portability: You can request a copy of your data in a structured, commonly used, and machine-readable format.

These rights ensure you have control over your personal information and how it is used.

Where to Find Information on Your Rights

To learn more about your user rights, refer to the following key resources:

1. Vistra Group Privacy Notice
   The Privacy Notice provides a comprehensive overview of how Vistra, including BoardFolio, collects, uses, protects, and discloses personal data. It details your rights and how we comply with data protection laws. You can access it at:
   www.vistra.com/en/privacy-notice.
   The latest version, effective June 30, 2024, is available for download on the Vistra website.

2. Boardfolio Data Processing Addendum (DPA)
   The DPA outlines how Boardfolio, as a data processor, handles personal data on behalf of clients (data controllers). It confirms our commitment to supporting data subject rights, such as access, rectification, or deletion, in compliance with GDPR. You can view the DPA at:
   Boardfolio DPA.
   
   

How to Exercise Your Rights

To exercise your data protection rights or request further details:

• Contact Our Support Team: Submit a ticket through BoardFolio’s support portal at boardfolio.vistra.com. Our team will assist with requests related to accessing, correcting, or deleting your data.
• Review the Privacy Notice: Visit the Vistra Privacy Notice for a detailed explanation of your rights and the process for submitting requests.
• Refer to the DPA: For specifics on how we handle data subject requests, consult the BoardFolio DPA linked above.

What are BoardFolio's Incident Response Plans?

At BoardFolio, we prioritize the security and continuity of our services. Our comprehensive Incident Response and Data Breach Management Plans, including our Disaster Recovery (DR) Plan, are designed to minimize disruptions and protect your data in the event of an incident. Below, we outline our approach, including key metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO), as part of our Trust Center’s commitment to transparency and reliability.

Incident Response Plan

Boardfolio has established a robust Incident Response Plan to address potential security incidents, including data breaches, promptly and effectively. Key components include:

• Identification and Containment: We quickly identify and isolate any security incidents to prevent further impact. Our systems are monitored continuously to detect anomalies or unauthorized access.
• Notification: In the event of a data breach, we adhere to GDPR requirements by promptly notifying affected clients and relevant authorities, typically within 72 hours, as outlined in the Boardfolio Data Processing Addendum (DPA) (Boardfolio DPA).
• Mitigation and Resolution: Our team implements immediate measures to mitigate risks, such as patching vulnerabilities or restoring affected systems. We conduct thorough investigations to determine the cause and prevent recurrence.
• Communication: We keep clients informed throughout the process, providing clear updates on the incident and our response actions.

Our Incident Response Plan is aligned with our ISO/IEC 27001:2013 certification, ensuring that our processes meet international standards for information security management.

Disaster Recovery (DR) Plan

Boardfolio’s DR Plan is designed to ensure rapid recovery and continuity of services following a failure or disaster. Key metrics and components include:

• Recovery Time Objective (RTO): The maximum tolerable length of time that our systems, networks, or applications can be down after a failure or disaster. Boardfolio’s RTO is 24 hours, ensuring that critical services are restored within one day to minimize disruption.
• Recovery Point Objective (RPO): The maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as the amount of time between the last backup and the incident. While the specific RPO for Boardfolio is not detailed in the provided information, our DR Plan ensures frequent backups and secure data storage using Transparent Data Encryption (TDE) to minimize data loss. We align with industry best practices to keep data loss to a minimum.
• Backup and Restoration: Data is securely backed up in EU-based data centers certified under ISO/IEC 27001:2013. In the event of a disaster, we restore systems and data from these backups to ensure operational continuity.
• Redundancy: Our infrastructure incorporates redundancy measures to maintain service availability, even during significant disruptions.

Data Protection Measures

To support our Incident Response and DR Plans, Boardfolio employs robust security measures:

• Encryption: Data in transit is protected using SSL/TLS-protected channels, and data at rest is secured with Transparent Data Encryption (TDE).
• Access Controls: Strict access controls limit data access to authorized personnel only, reducing the risk of unauthorized exposure.
• Compliance: Our plans align with GDPR and ISO/IEC 27001:2013 standards, ensuring regulatory compliance and robust security practices.

Our Commitment to Resilience

Boardfolio’s Incident Response and DR Plans are designed to protect your data and ensure service continuity, even in challenging circumstances. By maintaining an RTO of 24 hours and aligning with industry standards, we strive to provide a reliable and secure platform for our users.

What is the regulatory compliance standard that Boardfolio follows? 

At Boardfolio, we are committed to maintaining the highest standards of data protection and privacy. Our platform adheres to key regulatory and industry standards to ensure your data is secure and handled responsibly. Below is an overview of the regulatory compliance frameworks and best practices we follow, as part of our Trust Center commitment to transparency and security.

Key Compliance Standards

1. ISO/IEC 27001:2013 Certification
   Boardfolio is hosted in EU-based data centers certified under ISO/IEC 27001:2013, the globally recognized standard for Information Security Management Systems (ISMS). This certification ensures that we implement robust controls to protect data confidentiality, integrity, and availability, providing a secure environment for your sensitive information.
   
   
2. GDPR Compliance
   Operating within the European Union, Boardfolio fully aligns with the General Data Protection Regulation (GDPR). This regulation governs the processing of personal data, ensuring that user privacy rights—such as access, rectification, erasure, and data portability—are upheld. Our practices, as outlined in the Vistra Group Privacy Notice (www.vistra.com/en/privacy-notice) and Boardfolio Data Processing Addendum (DPA) (Boardfolio DPA), reflect our commitment to GDPR compliance.
   
   

Industry Best Practices
Boardfolio incorporates proprietary multi-layered advanced encryption and secure access controls to protect sensitive corporate information. Data transiting to and from our servers is encrypted using secure SSL/TLS-protected channels, while data at rest is secured with Transparent Data Encryption (TDE). These measures align with industry standards for safeguarding critical data, ensuring robust protection against unauthorized access.

We’re committed to maintaining your trust through transparency and robust security practices. If you have any questions or need further assistance, please raise a ticket, and our support team will respond as soon as possible.