Security
Security is one of the primary considerations in all aspects of BoardSpot. If you have any questions after reading this, or encounter any issues, please let us know.
BoardSpot forces HTTPS, using TLS (SSL), for all services, including our public website and the application.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with BoardSpot only over HTTPS.
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in BoardSpot's security, please get in touch at [email protected]. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by BoardSpot.