Security at BoardFlow
Last updated: May 4, 2026
BoardFlow handles some of the most sensitive paperwork in residential real estate — Social Security numbers, tax returns, bank statements, and connected investment-account holdings. This page summarizes how we protect that information. Our full Information Security Policy is available on request — see Contact below.
1. Built on private-by-default infrastructure
- Every database table enforces row-level security at the database tier, not just in application code. Even a bug in a server action cannot return a row the requester isn't authorized to see.
- Uploaded documents live in a private storage bucket. They are served exclusively via short-lived signed URLs (5-minute expiry) minted server-side after an authorization check.
- Applicants and brokers see documents in a no-download in-browser viewer. The full board package PDF can only be downloaded by authorized reviewers — the building's manager, board members, and platform administrators — and every download is watermarked with the viewer's email and timestamp and recorded in our audit log.
- Data is encrypted in transit (TLS 1.2+ with HSTS) and at rest (AES-256, managed by Supabase).
2. Automated SSN and account-number redaction
Every uploaded PDF is rewritten on the way in by an automated Document AI pipeline. Social Security numbers and bank account numbers are detected and permanently obscured before the document becomes visible to anyone other than the original uploader. The pre-redaction copy is moved to a service-role-only storage path that user accounts cannot read, and is purged shortly after redaction completes.
SSNs and account numbers shown in the user interface are masked to the last four digits as a defense-in-depth secondary control.
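As an added illustration, not BoardFlow's own pipeline (which detects these fields with Document AI rather than regular expressions), the following TypeScript shows the two controls this section describes on extracted document text: permanent redaction on ingest and the last-four mask for the UI. The patterns, labels and sample text are constructed assumptions.

```typescript
// Added example, not BoardFlow code. Patterns below are assumptions.

// SSN: 3-2-4 digits with optional dash/space separators, not embedded in a
// longer digit run (lookarounds keep 12-digit account numbers and dates out).
const SSN_RE = /(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)/g;

// Account numbers are only redacted when introduced by a label, so dates,
// ZIP codes and dollar amounts (also digit runs) survive intact.
const ACCOUNT_RE =
  /\b((?:account|acct\.?|routing)\s*(?:number|no\.?|#)?\s*:?\s*)(\d[\d -]{5,}\d)/gi;

// Ingest-time redaction: the returned text no longer contains the digits at all,
// matching the "permanently obscured" guarantee rather than a display mask.
function redactText(text: string): string {
  const noSsn = text.replace(SSN_RE, "XXX-XX-XXXX");
  return noSsn.replace(ACCOUNT_RE, (_m, label: string, digits: string) =>
    label + "X".repeat(digits.replace(/\D/g, "").length));
}

// UI mask (defense-in-depth): reveal only the last four digits. Nine digits is
// formatted as an SSN; anything else is treated as an account number.
function maskLastFour(value: string): string {
  const digits = value.replace(/\D/g, "");
  const last4 = digits.slice(-4);
  if (digits.length === 9) return `***-**-${last4}`;
  return digits.length > 4 ? `${"*".repeat(digits.length - 4)}${last4}` : "****";
}

// Constructed sample lines, not real data.
const SAMPLE = "SSN: 123-45-6789 Account Number: 0012 3456 7890 Tax year 2024";
const PHONE_LINE = "Filed 2024-03-15, phone 212-555-0100";
```

Note that a phone number or a date is left alone by `redactText`, while an unlabelled nine-digit run is over-redacted as a possible SSN; for this kind of control, over-redaction is the safer failure mode.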
3. Authentication and multi-factor authentication
- Identity is managed by Supabase Auth. Passwords must be at least 10 characters with mixed case and a digit.
- Sessions use HTTP-only, secure cookies. Every new session is recorded in the audit log with IP and user-agent.
- Two-factor authentication (SMS one-time passcode via Twilio Verify) is available to all users from Profile → Two-Factor Authentication and is optional.
- Administrative access to upstream providers (Supabase, Vercel, GitHub, Stripe, Google Cloud, Plaid) requires multi-factor authentication on every account.
4. Audit logging
Sensitive actions — every session start, every document view, every package download, every Plaid event — are written to an immutable audit log with the actor, IP, user-agent, and structured metadata. Audit-log writes are designed to fail silently in the rare event the log is unreachable: a failed write never blocks the underlying user action, which then proceeds without a log entry.
5. Rate limiting
Authentication endpoints, mutation server actions, and signed-URL document access are rate-limited per user and per IP. Limits are enforced across our entire serverless fleet via a shared Upstash Redis backend, so a malicious caller cannot evade the limit by rotating Vercel instances.
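The following added example, not BoardFlow's code, models the limiter this section describes: fixed-window counters keyed per user and per IP in a store shared by every instance, with a request refused when either scope is over quota. The `Store` interface mirrors the two Redis commands used (INCR and EXPIRE); the in-memory store, route names and limits are constructed stand-ins for the Upstash backend.

```typescript
// Added example, not BoardFlow code. Store, limits and routes are assumptions.

interface Store {
  incr(key: string): number;            // atomic INCR, returns the new count
  expire(key: string, ttlSec: number): void;
}

// Constructed in-memory stand-in for the shared Upstash Redis store.
class MemoryStore implements Store {
  private counts = new Map<string, number>();
  incr(key: string): number {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n;
  }
  expire(_key: string, _ttlSec: number): void { /* TTL is a no-op in the fake */ }
}

interface Limit { max: number; windowSec: number }

class RateLimiter {
  constructor(private store: Store, private perUser: Limit, private perIp: Limit) {}

  // Returns false when the IP or (if signed in) the user is over its window
  // quota. Both counters are always incremented so a denied request still
  // counts against every scope it belongs to.
  allow(route: string, userId: string | null, ip: string, nowSec: number): boolean {
    const checks: Array<[string, string, Limit]> = [["ip", ip, this.perIp]];
    if (userId) checks.push(["user", userId, this.perUser]);
    let allowed = true;
    for (const [scope, id, lim] of checks) {
      const window = Math.floor(nowSec / lim.windowSec);
      const key = `rl:${route}:${scope}:${id}:${window}`;
      const n = this.store.incr(key);
      this.store.expire(key, lim.windowSec);   // counter disappears with its window
      if (n > lim.max) allowed = false;
    }
    return allowed;
  }
}
```

Because the key includes the user id, a signed-in caller spreading requests across several IPs still runs into the per-user quota.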
6. Payment data
BoardFlow does not store credit card numbers. The $99 application package preparation fee is handled entirely by Stripe, a PCI DSS Level 1-certified processor. Card data never touches our servers.
7. Investment-account connection (Plaid)
Applicants may optionally connect investment accounts via Plaid instead of uploading brokerage statements as PDFs. When they do:
- Two-factor authentication on the BoardFlow account is required before the connection screen will open.
- Plaid's short-lived access token is used in-memory only. We immediately retrieve current holdings, then call Plaid's /item/remove to discard the access token. We do not store long-lived credentials for any brokerage.
- The generated Plaid Asset Report PDF is added to the board package after the same redaction pipeline that runs on every uploaded PDF.
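The connection flow above, as an added example that is not BoardFlow's code: the access token lives only in one function scope, the MFA gate is checked first, and the Item is removed in a `finally` block so the token is discarded even when the holdings call fails. `PlaidLike` is an assumed minimal interface standing in for Plaid's public-token exchange, holdings and /item/remove endpoints, and `FakePlaid` is a constructed test double.

```typescript
// Added example, not BoardFlow code. PlaidLike and FakePlaid are assumptions.

interface Holding { security: string; quantity: number; value: number }

interface PlaidLike {
  exchangePublicToken(publicToken: string): Promise<string>; // -> access token
  getHoldings(accessToken: string): Promise<Holding[]>;
  removeItem(accessToken: string): Promise<void>;             // Plaid's /item/remove
}

async function connectAndSnapshot(
  plaid: PlaidLike, publicToken: string, userHasMfa: boolean,
): Promise<Holding[]> {
  // Page rule: 2FA on the BoardFlow account is required before connecting.
  if (!userHasMfa) throw new Error("two-factor authentication required");

  // The access token exists only in this local; it is never written anywhere.
  const accessToken = await plaid.exchangePublicToken(publicToken);
  try {
    return await plaid.getHoldings(accessToken);
  } finally {
    // Runs on success and on failure alike, so no Item outlives this call.
    await plaid.removeItem(accessToken);
  }
}

// Constructed in-memory double that records which tokens were removed.
class FakePlaid implements PlaidLike {
  removed = new Set<string>();
  failHoldings = false;
  async exchangePublicToken(pt: string): Promise<string> { return "access-" + pt; }
  async getHoldings(tok: string): Promise<Holding[]> {
    if (this.removed.has(tok)) throw new Error("item already removed");
    if (this.failHoldings) throw new Error("holdings not ready");
    return [{ security: "VTI", quantity: 10, value: 2500 }];
  }
  async removeItem(tok: string): Promise<void> { this.removed.add(tok); }
}
```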
8. AI processing
We use Google Gemini and Document AI on Google's paid tier to extract structured fields from uploaded documents and to generate executive summaries for board reviewers. Per Google's paid-tier terms, prompts and attachments are not used to train Google's models. Anthropic's Claude is used solely as an assistive engineering tool and is not in BoardFlow's production data path.
9. Document retention
- Application documents are automatically deleted 30 days after a final decision (approval, denial, or withdrawal) on the application.
- Stale draft applications are purged after 30 days of inactivity.
- Account data is retained until the user requests deletion via their profile page.
10. Incident response
BoardFlow maintains a written incident response procedure covering detection, containment, eradication, recovery, and notification. For any incident involving unauthorized access to private personal information, we notify affected users and applicable regulators within 72 hours of confirmed breach, consistent with the New York SHIELD Act and analogous state laws.
11. Sub-processors
BoardFlow uses the following sub-processors. Each is selected for a specific function and reviewed annually:
- Supabase — database, authentication, storage (SOC 2 Type II)
- Vercel — application hosting (SOC 2 Type II)
- Stripe — payment processing (PCI DSS Level 1)
- Plaid — optional investment-account aggregation (SOC 2 Type II)
- Twilio — SMS one-time passcode delivery for two-factor authentication (SOC 2 Type II, ISO 27001)
- Resend — transactional email (SOC 2 Type II)
- Google Cloud — Gemini API, Document AI, Places API (SOC 2 Type II / ISO 27001)
- Upstash — distributed rate-limit counters (SOC 2 Type II)
- GitHub — source code and CI (SOC 2 Type II)
- Sentry — error monitoring; PII is scrubbed before transmission (SOC 2 Type II)
12. Responsible disclosure
If you believe you've found a security vulnerability in BoardFlow, please report it privately to security@nycboardflow.com. We will acknowledge your report within two business days and keep you informed as we investigate. Please give us a reasonable window to remediate before any public disclosure. We do not currently run a paid bug-bounty program, but we publicly credit researchers who help us improve.
13. Contact and full policy
Our full Information Security Policy — including roles, data classification, change management, backup and recovery, vendor review cadence, and the complete incident-response procedure — is available on request. Please email security@nycboardflow.com with the name of your organization and the reason for the request (vendor review, audit, due diligence, etc.) and we'll send a copy promptly.
For privacy-specific inquiries, see our Privacy Policy. For data processing terms, see our DPA.