Trust · Security · Privacy

Boring on purpose.

Security shouldn't be a surprise. Here's how we host your data, who can see it, what we do if something goes wrong, and how to contact us when it does.

SOC
SOC 2 Type II
Audited Mar 2026
GDPR
GDPR-aligned
EU data hosting available
ISO
ISO 27001
In progress · Q4 2026
CCPA
CCPA compliant
DSAR portal open
Section 01

Hosting & data.

${[ ["Encrypted at rest","All data is AES-256 encrypted at rest. Customer-facing data is sharded by workspace and encrypted with rotating per-tenant keys."], ["Encrypted in transit","TLS 1.3 with HSTS, certificate pinning on mobile clients. We never accept HTTP. Cert renewal is automated through ACME."], ["Data residency","US (us-east-1) by default, EU (eu-west-1) on request. Studio plan supports per-workspace residency selection at signup."], ["Backups","Hourly incremental, daily full, retained 30 days. Restore tested monthly. Disaster recovery RPO 1 hour, RTO 4 hours."], ["Data export","You can export your full workspace at any time as JSON, Markdown, or CSV. No upsell wall, no waiting period."] ].map(([h,p]) => `

${h}

${p}

`).join("")}
Section 02

Access & identity.

${[ ["SSO","SAML 2.0 with Okta, Google Workspace, Microsoft Entra. Auto-provisioning via SCIM. Studio plan."], ["MFA","TOTP, WebAuthn, hardware keys. Can be required at the workspace level by an admin."], ["Permissions","Role-based per workspace, with custom roles on Studio. Guest seats are scoped to specific boards only."], ["Audit log","Every admin action, permission change, and access event is logged with the actor, IP, and timestamp. Exportable as CSV."] ].map(([h,p]) => `

${h}

${p}

`).join("")}
Section 03

Uptime & reliability.

Last 90 days · realtime at status.boardmio.com

Web app
99.98% · 90D
${Array.from({length: 90}, (_,i) => `
`).join("")}
Operational · 89 daysDegraded · 1 day (Apr 17)Down · 0 days
API
99.99% · 90D
${Array.from({length: 90}, () => `
`).join("")}
Operational · 90 days
Section 04

Responsible disclosure.

If you've found something, we'd like to hear about it before anyone else does. We pay bounties up to $5,000 for critical issues, and we'll always credit you publicly (or not, your call).

Email [email protected]. PGP key fingerprint 8B41 9E78 2C1A 4F2D.