Security

Last updated: 5 June 2026 · Security or privacy questions? hello@boardtable.com.au

Board governance involves some of the most sensitive information your organisation handles — financial data, conflict of interest declarations, strategic plans, and confidential minutes. We take that responsibility seriously. Here is how BoardTable protects your data.

🏢

Australian Hosting

All data stored in Azure Australia East (Sydney). Your data never leaves Australia.

🔒

AES-256 Encryption

Data at rest encrypted with AES-256. All traffic encrypted with TLS 1.2+.

🛡️

Role-Based Access

Strict permission controls ensure users only see what they're authorised to see.

📋

Audit Logs

Every login, data access, and document download is logged and retained for 12 months.

Your Data Belongs to You

You own your data. Everything your organisation puts into BoardTable — meeting papers, minutes, registers, declarations, uploaded documents and governance records — remains the property of your organisation at all times. BoardTable is the custodian of that data, not the owner. We do not claim any ownership rights over your content.

We will never sell your data, share it with third parties for marketing, or use it to train AI models. Your data is used only to provide the BoardTable service to you.

You can export your data at any time in standard formats, and you may request complete deletion of your organisation's data when you close your account. On termination, we permanently delete your data from active systems within 30 days, and from encrypted backups within 90 days as backup cycles roll over.

Infrastructure and Hosting

BoardTable is hosted exclusively on Microsoft Azure Australia East (Sydney data centre). We do not use offshore servers. Microsoft Azure is independently accredited against ISO/IEC 27001 (information security management), ISO/IEC 27017 (cloud security), ISO/IEC 27018 (protection of personal data in the cloud), SOC 1, SOC 2 Type II and SOC 3, and PCI DSS, and is assessed under the Australian Government's IRAP framework. All data — including meeting documents, uploaded files, and governance records — resides in Australia and never leaves the country.

Our infrastructure uses isolated virtual networks, private endpoints for database access, and automated vulnerability scanning on all dependencies.

Encryption

At rest: All stored data is encrypted using AES-256 bit encryption at the storage layer. Database backups are encrypted with the same standard.

In transit: All connections to BoardTable use TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HSTS headers to prevent protocol downgrade attacks. Older TLS versions and weak cipher suites are disabled.

Passwords: User passwords are never stored in plaintext. We use bcrypt with a work factor of 10, which makes brute-force attacks computationally infeasible.

Access Controls

BoardTable uses a role-based access control model:

Administrators manage the organisation's account, users, and all governance records.
Directors access meeting materials, submit conflict of interest declarations, and view documents they have been given permission to see.

Each API request is authenticated with a signed JWT token with a 24-hour expiry. Tokens are issued only after successful credential verification and are not stored server-side (stateless authentication).

Two-Factor Authentication (2FA)

BoardTable supports time-based one-time password (TOTP) two-factor authentication for all user accounts, compatible with apps such as Google Authenticator and Authy. Administrators can require 2FA for all users in their organisation. We strongly recommend enabling 2FA for all board members.

Audit Logging

Comprehensive audit logs record all significant events including user logins and failed login attempts, document access and downloads, changes to meeting records and governance data, user creation and role changes, and administrative actions. Logs are retained for 12 months and are available to administrators on request.

Penetration Testing

BoardTable engages an independent security firm to conduct annual penetration testing of the platform. Testing covers authentication mechanisms, authorisation boundaries, input validation, and infrastructure configuration. Findings are triaged and addressed within defined SLA windows based on severity (Critical: 24 hours, High: 7 days, Medium: 30 days).

Backups and Recovery

Database backups are performed daily with point-in-time recovery enabled for the preceding 7 days. Backups are stored in a geographically separate Azure region. Recovery Time Objective (RTO) is 4 hours; Recovery Point Objective (RPO) is 24 hours. We test restoration procedures quarterly.

Incident Response

We maintain a written incident response plan aligned with the Australian Signals Directorate's Essential Eight framework. In the event of a data breach affecting personal information, we will:

Contain the incident promptly, ordinarily within 4 hours of detection.
Assess whether the breach is likely to result in serious harm to any individual.
Notify affected organisations without undue delay once we understand the scope and impact.
Comply with our mandatory reporting obligations under the Notifiable Data Breaches (NDB) scheme administered by the Office of the Australian Information Commissioner (OAIC), including notifying the OAIC and affected individuals where the scheme requires it.
Provide affected organisations with a written incident report and remediation summary.

Reporting a Security or Privacy Concern

If you believe you have found a security vulnerability, or you are concerned that data may have been exposed or accessed improperly, please email hello@boardtable.com.au with as much detail as you can safely share. We operate a responsible disclosure policy, will acknowledge your report within 2 business days, and will keep you informed as we investigate. Please do not publicly disclose a suspected vulnerability before we have had a reasonable opportunity to address it.

SOC 2 Roadmap

We are actively working towards SOC 2 Type II certification. Our controls programme covers the Trust Services Criteria for Security, Availability, and Confidentiality. We anticipate completing our first audit period in the second half of 2025. Customers requiring evidence of our current controls can request our security questionnaire responses by contacting hello@boardtable.com.au.

Employee and Superadmin Access

BoardTable staff access to production data is strictly limited, access-logged, and subject to a binding confidentiality agreement. We follow a principle of least privilege — no engineer has standing access to customer data. Access for support or incident resolution requires manager approval and is time-limited.

The platform has a single superadmin role held only by BoardTable's operators. This role exists solely to provision new organisations, provide technical support, and maintain the platform. Superadmins are bound by confidentiality obligations and will never read, disclose, or act on the contents of your board's papers, minutes, or registers except where strictly necessary to resolve a support request you have raised, or where required by law. Superadmin actions on your organisation's data are recorded in the audit log.