Security at Useboards

• App layer: the ORM client auto-injects tenant_id into every query for tenant-owned tables. A query that forgets tenant_id fails closed (throws) rather than reading across tenants.
• DB column constraints: every tenant-owned row has a NOT NULL tenant_id; child rows have a tenant_id denormalized from the parent.
• DB triggers: 33 BEFORE INSERT/UPDATE triggers reject any child row whose tenant_iddoesn't match its parent — cross-tenant writes are blocked at the database, not just the application.

• In transit: TLS 1.2/1.3 only at the load balancer (managed cipher policy ELBSecurityPolicy-TLS13-1-2-2021-06). Application-to-database connections use TLS verify-full — server certificate validated against the Amazon Root CA chain in the container image.
• At rest: AES-256 via AWS KMS on RDS, EBS, S3, and Secrets Manager. Per-tenant data is logically isolated but shares the encrypted storage.
• Secrets: session signing keys, database credentials, OIDC client secrets stored in AWS Secrets Manager. Never logged or surfaced in admin UI.

• Magic-link sign-in via Amazon SES (the only password-equivalent flow — there are no passwords to leak).
• Multi-factor authentication: TOTP (Authenticator apps) and FIDO2 / WebAuthn passkeys. Admins can require MFA per role.
• SSO: Microsoft Entra (OIDC) and SAML 2.0 (Okta, JumpCloud, Google Workspace, Auth0, etc.). Group-sync uses a discover-then-import model — admins control which IdP groups create Useboards groups.
• Authorization: role-based, driven by a single source-of-truth permissions matrix. Server checks and UI visibility derive from the same matrix — they can't diverge.
• Session timeouts: 30-minute rolling cookie. Administrators idle out at 15 minutes; regular users at 30 minutes (NIST 800-63B AAL2 / PCI DSS 8.2.8 for privileged).

• Hot (live database): 15 months. Queryable in-product, immediately searchable for audits and incident response.
• Cold (S3 + Glacier Deep Archive): rotated monthly after the 15-month hot window; retained 7 years total. Restorable on request (24-48h turnaround).
• Notification log (email evidence): same 15 mo / 7 y schedule.
• Legal hold: on subpoena, litigation, or regulator request, retention can be frozen for an individual workspace — audit data stays in hot storage indefinitely until the hold is released.
• Tenant deletion: when a workspace is closed, the full event_log is exported to Glacier Deep Archive before the live rows are purged — the regulatory trail survives 7 years past deletion.
• Customer export: tenant ADMIN can request a full audit-log export at any time via Configuration → Workspace.

• Database: daily automated snapshots, 30-day retention. Manual pre-deploy snapshots before each production deploy as a catastrophe-insurance step.
• File storage: S3 with versioning and cross-region replication to us-west-2.
• Verified restore: we periodically restore the latest snapshot to an isolated instance and verify data integrity. Observed RTO ≈ 5 minutes for a 50 GB database.

• Hosting: AWS, region us-east-1 primary with cross-region S3 replication. Production and development environments live in separate AWS accounts.
• Network: application servers in private subnets, no direct internet exposure; outbound through NAT. Database in dedicated data subnets, accessible only via RDS Proxy.
• DDoS: AWS Shield Standard (L3/L4) auto-enabled. AWS WAF v2 with six AWS managed rule groups (AWSCommonRuleSet, KnownBadInputs, SQLi, LinuxRuleSet, IPReputation, BotControl) plus rate-based rules.
• Continuous monitoring: AWS GuardDuty (threat detection), AWS Config (resource change tracking), CloudTrail multi-region with 7-year retention.

• Dependency scanning: gitleaks pre-commit secret scan; npm audit on CI; CodeQL planned.
• Runtime error tracking: Sentry (managed). PII is not deliberately captured — request bodies are not auto-attached.
• Penetration testing: third-party annual pen test planned before general availability. We share the executive summary with paying customers on request.
• Secure SDLC: two-tier automated test suite (unit + browser-driven UX smoke), required code review, deploy-from-main only, automated dev-mirrors-prod verification on every prod deploy.

• SOC 2 Type II: in progress.
• GDPR: tenant deletion is a customer-initiated, two-step soft-delete with a 30-day grace period (cancel, export, or let cron purge). Data subject requests (DSR) handled by tenant admin tools. Sub-processor list below.
• Data residency: production data is stored in AWS us-east-1. EU residency available on request once we have an EU customer to justify the cost (single-region for now).

We notify customers via email of new sub-processors before they take effect. No customer data is sold or shared with marketing/analytics vendors.