BoardSpot forces HTTPS, using TLS (SSL), for all services, including our public website and the application.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with BoardSpot only over HTTPS.
All credit card and related sensitive information is managed by Stripe. From Stripe (4/25/2019):
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in BoardSpot's security, please get in touch at firstname.lastname@example.org. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by BoardSpot.