Security & Trust
SectorBoard is built with security at every layer. Here's exactly how we protect your business data.
Last updated: June 2026 · Version 1.0
What we protect today
We only claim controls that are actually built and running. No aspirational checkboxes.
Data encrypted in transit
All connections to SectorBoard use TLS 1.2 or higher, enforced by Netlify's global CDN. Unencrypted HTTP is not accepted.
Credentials encrypted at rest
Every connector API key and OAuth token is encrypted with AES-256-GCM before being written to the database (lib/encryption.ts). The encryption key is stored separately from the ciphertext and is never logged.
Database security
SectorBoard uses Supabase (PostgreSQL) with Row Level Security (RLS) enforced at the database layer — every query is scoped to the requesting organisation even if the application layer has a bug. Service-role credentials are never exposed to the browser or client-side code.
OAuth security
All OAuth flows use signed-JWT state cookies and PKCE S256 challenge/verifier pairs to prevent CSRF and authorisation-code interception attacks. State is validated server-side before any token exchange.
Secrets scanning
Netlify secrets scanning is enabled on the repository. Any accidental commit of credentials or API keys is caught before it reaches production CI/CD.
Secure Slack alerts
Slack webhook URLs are stored encrypted in the database using the same AES-256-GCM scheme as connector credentials. They are never stored or transmitted in plain text.
Sub-processors
SectorBoard uses the following third-party services to deliver the platform. We share only the data each service needs to fulfil its function.
| Name | Role | Data region | Website |
|---|---|---|---|
| Supabase | Database & auth | EU (eu-west-1) | supabase.com |
| Netlify | Hosting & CI/CD | Global CDN | netlify.com |
| Google Workspace | Email delivery & mailboxes | Global | workspace.google.com |
| Stripe | Billing & payments | US | stripe.com |
| Anthropic | AI processing (AI tier only) | US | anthropic.com |
Data handling
We store the KPI values computed from your connected apps — not raw source records. We never store individual transactions, customer names, or unprocessed API payloads.
We do not sell, share, or use your business data for any purpose other than providing SectorBoard to you.
AI-tier customers:KPI values (not raw connector data) are sent to Anthropic's API for analysis. Anthropic's API does not train on API inputs per their usage policy. No personally identifiable information beyond what is already present in your KPI data is sent.
Vulnerability reporting
Found a security issue? Email [email protected] with a description of the vulnerability and steps to reproduce. We aim to respond within 48 hours and will keep you informed as we investigate and resolve the issue. We appreciate responsible disclosure.
GDPR & data residency
SectorBoard is operated from the UK. Our primary database is hosted in the EU (Supabase, eu-west-1 region). We are GDPR-aware and maintain records of processing activities. A Data Processing Agreement (DPA) is available on request — email [email protected].
Certification roadmap
We're building toward formal third-party attestation. We'd rather show you exactly where we are than imply certifications we don't yet hold. Here's the plan and our honest current status.
Independent audit of our security, availability, and confidentiality controls over an observation period.
Control framework being formalised. Observation window begins once we reach scale milestones.
Certified Information Security Management System (ISMS) covering policies, risk, and controls.
Targeted after SOC 2; many underlying controls are shared and already in place.
Data Processing Agreement, records of processing, and EU data residency.
DPA available on request; primary data store hosted in the EU.
The certification process itself is run by accredited external auditors and is outside the scope of this page — this section reflects our roadmap and current posture, not a completed audit.