Security

Last updated: 1 May 2025 · Questions? security@theboardcartel.com.au

Board governance involves some of the most sensitive information your organisation handles — financial data, conflict of interest declarations, strategic plans, and confidential minutes. We take that responsibility seriously. Here is how The Board Cartel protects your data.

🏢

Australian Hosting

All data stored in Azure Australia East (Sydney). Your data never leaves Australia.

🔒

AES-256 Encryption

Data at rest encrypted with AES-256. All traffic encrypted with TLS 1.2+.

🛡️

Role-Based Access

Strict permission controls ensure users only see what they're authorised to see.

📋

Audit Logs

Every login, data access, and document download is logged and retained for 12 months.

Infrastructure and Hosting

The Board Cartel is hosted exclusively on Microsoft Azure Australia East (Sydney data centre). We do not use offshore servers. Azure holds ISO 27001, SOC 2 Type II, and PCI DSS certifications. All data — including meeting documents, uploaded files, and governance records — resides in Australia.

Our infrastructure uses isolated virtual networks, private endpoints for database access, and automated vulnerability scanning on all dependencies.

Encryption

At rest: All stored data is encrypted using AES-256 bit encryption at the storage layer. Database backups are encrypted with the same standard.

In transit: All connections to The Board Cartel use TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HSTS headers to prevent protocol downgrade attacks. Older TLS versions and weak cipher suites are disabled.

Passwords: User passwords are never stored in plaintext. We use bcrypt with a work factor of 10, which makes brute-force attacks computationally infeasible.

Access Controls

The Board Cartel uses a role-based access control model:

Administrators manage the organisation's account, users, and all governance records.
Directors access meeting materials, submit conflict of interest declarations, and view documents they have been given permission to see.

Each API request is authenticated with a signed JWT token with a 24-hour expiry. Tokens are issued only after successful credential verification and are not stored server-side (stateless authentication).

Two-Factor Authentication (2FA)

The Board Cartel supports time-based one-time password (TOTP) two-factor authentication for all user accounts, compatible with apps such as Google Authenticator and Authy. Administrators can require 2FA for all users in their organisation. We strongly recommend enabling 2FA for all board members.

Audit Logging

Comprehensive audit logs record all significant events including user logins and failed login attempts, document access and downloads, changes to meeting records and governance data, user creation and role changes, and administrative actions. Logs are retained for 12 months and are available to administrators on request.

Penetration Testing

The Board Cartel engages an independent security firm to conduct annual penetration testing of the platform. Testing covers authentication mechanisms, authorisation boundaries, input validation, and infrastructure configuration. Findings are triaged and addressed within defined SLA windows based on severity (Critical: 24 hours, High: 7 days, Medium: 30 days).

Backups and Recovery

Database backups are performed daily with point-in-time recovery enabled for the preceding 7 days. Backups are stored in a geographically separate Azure region. Recovery Time Objective (RTO) is 4 hours; Recovery Point Objective (RPO) is 24 hours. We test restoration procedures quarterly.

Incident Response

We maintain an incident response plan aligned with the Australian Signals Directorate's Essential Eight framework. In the event of a data breach affecting personal information, we will:

Contain the incident within 4 hours of detection.
Notify affected organisations within 72 hours.
Comply with mandatory reporting obligations under the Notifiable Data Breaches (NDB) scheme administered by the Office of the Australian Information Commissioner.
Provide a full incident report within 14 days.

To report a security vulnerability, please email security@theboardcartel.com.au. We operate a responsible disclosure policy and will acknowledge reports within 2 business days.

SOC 2 Roadmap

We are actively working towards SOC 2 Type II certification. Our controls programme covers the Trust Services Criteria for Security, Availability, and Confidentiality. We anticipate completing our first audit period in the second half of 2025. Customers requiring evidence of our current controls can request our security questionnaire responses by contacting security@theboardcartel.com.au.

Employee Access

The Board Cartel staff access to production data is strictly limited, access-logged, and subject to a confidentiality agreement. We follow a principle of least privilege — no engineer has standing access to customer data. Access for support or incident resolution requires manager approval and is time-limited.