
Security

Last updated: 2026-04-28

DRAFT — practices documented here reflect the current platform. We will tighten claims and add a SOC 2 / ISO 27001 roadmap section as we approach enterprise GA. Contact [email protected] with diligence questions.

1. Architecture

noboard runs on Cloudflare Workers (global edge compute) for the API, Cloudflare Pages for the landing site and web app, Neon Postgres (AWS US-West) for primary data, and Cloudflare R2 (West North America) for static assets. There are no servers we manage; all components are managed services.

2. Data in transit

All public traffic is served over HTTPS. We send Strict-Transport-Security with a one-year max-age and includeSubDomains, which makes the domain eligible for the HSTS preload list. The API permits credentialed CORS only for an allow-list of origins (noboard.app, www.noboard.app, app.noboard.app); any other origin receives a wildcard `Access-Control-Allow-Origin: *` with no `Access-Control-Allow-Credentials`, so browsers will not expose API responses to cross-site requests that carry session cookies.
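The following is an added illustration, not noboard's own Worker code, of how the two-tier CORS policy above can be implemented: exact-match origin allow-listing with credentials, and a wildcard without credentials for everyone else. The origin list comes from the text; header values and function names are assumptions.

```javascript
// Added example (not noboard's code): CORS and transport headers for a
// Cloudflare Worker API following the policy described in the text.
const ALLOWED_ORIGINS = new Set([
  "https://noboard.app",
  "https://www.noboard.app",
  "https://app.noboard.app",
]);

// One-year HSTS covering subdomains, in the preload-eligible form.
const HSTS_VALUE = "max-age=31536000; includeSubDomains; preload";

// Decide the CORS headers for a request whose Origin header is `origin`
// (a string, or null when the browser sent none). The lookup is an exact
// string match, so a lookalike such as https://noboard.app.evil.example or
// a plain-http variant of a real origin never reaches the credentialed branch.
function corsHeaders(origin) {
  // Vary on Origin so a shared cache never serves an allow-listed reply
  // (with its echoed origin) to a request from a different origin.
  const headers = { "Vary": "Origin" };
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    // First-party origin: echo it exactly and allow credentialed requests.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  } else {
    // Everyone else: wildcard, and deliberately no Allow-Credentials. Browsers
    // refuse to expose a "*" response to a request made with credentials,
    // so session cookies cannot be leveraged from an unknown origin.
    headers["Access-Control-Allow-Origin"] = "*";
  }
  return headers;
}

// Headers added to every API response: CORS decision plus transport hardening.
function securityHeaders(origin) {
  return {
    ...corsHeaders(origin),
    "Strict-Transport-Security": HSTS_VALUE,
    "X-Content-Type-Options": "nosniff",
  };
}

// Worker-style usage (handler shape assumed): derive the Origin from the
// incoming request and attach the computed headers to the outgoing response.
function decorate(originHeader, responseHeaders) {
  for (const [k, v] of Object.entries(securityHeaders(originHeader))) {
    responseHeaders.set(k, v);
  }
  return responseHeaders;
}
```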

3. Data at rest

Database storage in Neon is encrypted at rest. Cloudflare R2 and Cloudflare KV encrypt at rest by default. Backup snapshots inherit the same encryption.

4. Authentication

  • Email + password via better-auth, with required email verification before sign-in.
  • Password minimum length 10 characters; no composition rules, in line with NIST SP 800-63B.
  • Per-IP rate limiting on sign-up, sign-in, and password reset endpoints.
  • Sessions delivered via signed, HTTP-only, secure cookies.
  • API keys for the PMCP CLI, scoped per user and sent in an `Authorization: Bearer` header.

5. Authorization

Every workspace has a visibility setting (private or public_read) and a per-user membership table with roles (owner / editor / viewer). The API resolves the workspace from the request and checks membership on every read and write; non-members receive a 404 on private workspaces, so the existence of a private workspace is not leaked.

6. Browser hardening

Both Cloudflare Pages deployments ship Strict-Transport-Security, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, X-Frame-Options: DENY (the web app is not iframed), and a Permissions-Policy that disables accelerometer, camera, geolocation, microphone, and payment APIs we do not use.

7. Sub-processors

  • Cloudflare — compute, DNS, R2 object storage, Cloudflare Email Sending.
  • Neon — managed Postgres database.
  • Stripe (when paid plans launch) — card processing.
  • PostHog — product analytics, opt-in only via the cookie banner.

We do not sell or share customer data with any other party. We do not use private workspace content to train machine learning models.

8. Responsible disclosure

If you believe you have found a security vulnerability, please email [email protected] with reproduction steps and impact. We commit to an initial response within three business days. Do not publicly disclose until we have had a reasonable opportunity to remediate.

We currently do not run a paid bug-bounty program. We will publicly thank reporters of valid vulnerabilities (with consent) once a fix has shipped.

9. Account security recommendations

  • Use a unique, randomly generated password from a password manager.
  • Treat your PMCP API key like a password; never commit it to a repo. Rotate on suspicion of exposure.
  • Mark workspaces private unless you intend the canvas to be public.

10. Roadmap

  • SSO/SAML for Enterprise plans.
  • Audit logs available to workspace owners.
  • EU-region data hosting option.
  • SOC 2 Type II — sequenced once Enterprise demand is established.

11. Contact

Diligence questions, contractual security addenda, or DPA requests: [email protected].

© 2026 noboard · Built by meatbags, coordinated by clankers, managed on noboard itself.