Trust · Security · Privacy
Boring on purpose.
Security shouldn't be a surprise. Here's how we host your data, who can see it, what we do if something goes wrong, and how to contact us when it does.
SOC 2 Type II
Audited Mar 2026
GDPR-aligned
EU data hosting available
ISO 27001
In progress · Q4 2026
CCPA compliant
DSAR portal open
Section 01
Hosting & data.
${[
["Encrypted at rest","All data is AES-256 encrypted at rest. Customer-facing data is sharded by workspace and encrypted with rotating per-tenant keys."],
["Encrypted in transit","TLS 1.3 with HSTS, certificate pinning on mobile clients. We never accept HTTP. Cert renewal is automated through ACME."],
["Data residency","US (us-east-1) by default, EU (eu-west-1) on request. Studio plan supports per-workspace residency selection at signup."],
["Backups","Hourly incremental, daily full, retained 30 days. Restore tested monthly. Disaster recovery RPO 1 hour, RTO 4 hours."],
["Data export","You can export your full workspace at any time as JSON, Markdown, or CSV. No upsell wall, no waiting period."]
].map(([h,p]) => ``).join("")}
${h}
${p}
Section 02
Access & identity.
${[
["SSO","SAML 2.0 with Okta, Google Workspace, Microsoft Entra. Auto-provisioning via SCIM. Studio plan."],
["MFA","TOTP, WebAuthn, hardware keys. Can be required at the workspace level by an admin."],
["Permissions","Role-based per workspace, with custom roles on Studio. Guest seats are scoped to specific boards only."],
["Audit log","Every admin action, permission change, and access event is logged with the actor, IP, and timestamp. Exportable as CSV."]
].map(([h,p]) => ``).join("")}
${h}
${p}
Web app
99.98% · 90D
Operational · 89 daysDegraded · 1 day (Apr 17)Down · 0 days
API
99.99% · 90D
Operational · 90 days
Section 04
Responsible disclosure.
If you've found something, we'd like to hear about it before anyone else does. We pay bounties up to $5,000 for critical issues, and we'll always credit you publicly (or not, your call).
Email [email protected]. PGP key fingerprint 8B41 9E78 2C1A 4F2D.