How we protect your data.

Infrastructure

Frameboard runs on Netlify (edge delivery + serverless functions), Airtable (structured data), Mux (video), and Stripe (payments). All sub-processors are chosen for their security track record.

• All traffic served over TLS 1.2+ (HTTPS everywhere, HSTS on public pages)
• Data at rest encrypted by the underlying cloud providers
• Hosted primarily in the EU and US; data residency can be discussed for Enterprise customers
• Netlify edge network, DDoS-protected at the infrastructure layer

Authentication & access

• Passwords hashed with bcrypt (cost factor 10+)
• JWT-based session tokens, 30-day expiry, forced logout on invalid token
• OAuth sign-in via Google Workspace and Microsoft Entra ID
• Enforced SSO per domain (Enterprise) - blocks password login for your domain once enabled
• Domain verification via DNS TXT record before SSO enforcement can be turned on
• SCIM 2.0 user provisioning and deprovisioning (Enterprise) - works with Okta, Entra ID, and any compliant IdP
• IP allowlisting per Organisation (Enterprise) - IPv4, IPv4 CIDR, and IPv6 supported
• Magic-link authentication for client hub access (15-minute expiry, single-use)
• Role-based access control (Admin vs Member) within organisations
• Rate limiting on sensitive endpoints

Data handling

We do not sell data, share with advertisers, or use your proposal content to train external models. AI generations run on your content via API calls to model providers (currently Anthropic) that do not retain or train on the input beyond standard inference.

Compliance

• GDPR: data subject access, deletion, and portability supported via the in-app data export and account deletion endpoints
• UK GDPR: aligned
• PCI DSS: handled by Stripe - card details never touch our infrastructure
• SOC 2 Type II: readiness bundle complete (controls, policies, risk register). Target attestation Q4 2026 - view the controls matrix
• ISO 27001: under evaluation
• HIPAA: not currently supported - do not use Frameboard for health-related data

Security policies

Our full policy set is versioned in git and reviewed annually. Each policy is written to be both operationally useful and audit-ready.

• Security programme overview - scope, roles, governance
• Access control - who can access what, MFA, onboarding and offboarding
• Incident response - detection, severity, notification, postmortem
• Business continuity and disaster recovery - RPO, RTO, backup testing
• Vendor management - sub-processor selection and list
• Data classification and handling - tiers and rules per data type
• Change management - how code and configuration changes reach production
• Acceptable use (staff) - what staff can and cannot do with customer data
• Risk assessment - living risk register
• SOC 2 controls matrix - every control mapped to Trust Services Criteria

Backups & recovery

• Daily automated backups of primary data store (Airtable)
• Blob storage versioned with 30-day retention
• Recovery Point Objective (RPO): 24 hours
• Recovery Time Objective (RTO): 4 hours for core services

Incident response

If we detect a security incident affecting customer data, we notify affected customers within 72 hours by email and via a banner on the app. Our internal incident response process is documented internally and exercised quarterly.

You can report suspected vulnerabilities to security@myframeboard.app. We review reports within one working day.

Your rights as a customer

• Export all your data at any time (Settings → Data → Export)
• Delete your account and all associated data at any time (Settings → Danger Zone → Delete account)
• Request a Data Processing Agreement (DPA) for your legal team
• Request a summary of sub-processors we use