Board management you can trust
Keep board work moving without compromising security.
Surfboard safeguards your board data with controls built for scrutiny and ready to scale with your team.
Secured on AWS
Hosted on AWS with controls across data centers, networking, and compute. Enterprise-grade infrastructure with encryption everywhere.
Access you control
A role-based, multi-tier permission system gives you precise control over organization access and data permissions. Every action is fully logged.
Certified and assured
SOC 2 Type II certified with GDPR-aligned practices. Our security controls and data retention are audited by third-party firms regularly.
Surfboard AI
Private by design, controlled by you.
You decide what AI can access and can turn features on or off at any time. Your prompts, context, and outputs are protected within your workspace—never used to train models or shared with third parties without your consent.
We handle security so you don't have to
Data protection
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption keys are managed in AWS with strict access controls and separation of duties. Retention and deletion policies are fully configurable.
Identity and access
Role-based permissions control what each user can view or change. Production access to customer data in S3 or DynamoDB is just-in-time, least-privilege, time-boxed, approved, and logged for audit.
Cloud infrastructure
Surfboard's API and database run on AWS in the United States. We operate a fully serverless stack—API Gateway, Lambda, DynamoDB, S3—reducing patch surface and eliminating unmanaged servers.
Secure development
We follow a secure software development lifecycle. Every change moves through lower environments before production, with mandatory peer review, automated security checks, and test coverage.
Event monitoring
Application, authentication, and infrastructure events are collected centrally and monitored continuously. We follow a documented incident process and notify customers under agreed timelines.
Data privacy
We do not share customer content with third parties. Only limited analytics metadata is used to provide the service. Employees with production access sign NDA and complete security training.
