Security & Trust

Here's how we protect your board's information

AICPA SOC for Service Organisations
Third-party verification

SOC 2 Type II

boardcycle holds SOC 2 Type II certification. Our security controls have been independently audited and confirmed to operate effectively — you don't have to take our word for it.

How we protect you

Our three core commitments to every boardcycle customer.

Security

boardcycle is built to protect your meeting and governance information. Strict access controls, comprehensive encryption, and ongoing security testing keep your data safe from unauthorised access.

Availability

boardcycle is monitored and maintained so it's available when you need it — before a board meeting, late at night, or across time zones. Redundant infrastructure and regularly tested recovery procedures minimise any risk of disruption.

Confidentiality

Your governance discussions and meeting information are sensitive. boardcycle keeps them that way — accessible only to the right people, encrypted throughout, and never used for any purpose beyond delivering the platform.

Security controls

The specific measures behind those commitments, as independently verified by our auditor.

Governance & Risk

Policies, accountability, and risk management

  • Information security policies
  • Annual risk assessment
  • Security training for all staff
  • Employee background checks
  • Annual vendor security reviews

Access & Identity

Controlling who can access what, and how

  • Multi-factor authentication
  • Role-based access controls
  • Customer data access is logged
  • Access requires formal approval
  • Regular access reviews
  • Access revoked on departure

Data Encryption

Making your data unreadable without authorisation

  • Data in transit encrypted
  • Data at rest encrypted
  • Secure password management
  • Databases and backups encrypted
  • Secure encryption key management

Application Security

How we build and test the software securely

  • Annual external penetration test
  • Continuous vulnerability scanning
  • Code dependency scanning
  • Automated testing before every deployment
  • OWASP Top 10 mitigations
  • Separate production and dev environments

Monitoring & Incident Response

Detecting problems and responding to them

  • Continuous audit logging
  • Real-time infrastructure monitoring
  • Formal incident response plan
  • Root cause analysis on incidents
  • Backup restoration testing

Availability & Recovery

Keeping the platform online and recovering quickly

  • Multi-zone infrastructure
  • Continuous database backups
  • Distributed backups
  • Tested disaster recovery plan
  • Public status page

Sub-processors

The following third-party service providers process personal data on behalf of boardcycle in the course of delivering the platform.

| Provider | About | boardcycle's use |
|---|---|---|
| Render | Render is a cloud platform for deploying and hosting web applications. | Application hosting and data storage |
| Kinde | Kinde is an authentication and user management platform. | User authentication and session management |
| Intercom | Intercom is a customer communications platform. | Customer support communications |

Request the Report

Our SOC 2 Type II report is available to current and prospective customers. A Non-Disclosure Agreement will be required before the report is shared. We aim to respond within one business day.
