streamboard · legal
Security & Compliance
This page summarises the security and compliance posture of streamboard. We are pre-launch and do not yet hold formal third-party certifications (ISO 27001, SOC 2, etc.); this page reflects the technical and operational controls actually in place. It is a snapshot, not a guarantee — see our Terms for the contractual warranty position.
Infrastructure
- Hosting: Cloudflare Workers, with primary D1 database in the Western Europe (WEUR) region and R2 object storage. All edge traffic terminates at Cloudflare's global TLS edge.
- Transport encryption: TLS 1.2+ for all user-to-Service traffic; TLS for all Service-to-sub-processor traffic; HTTP/2 + HSTS on the public origin.
- Encryption at rest: Cloudflare D1 and R2 encrypt all stored data at rest by default.
- Secrets management: All production secrets (auth, billing, email, push VAPID) live in Cloudflare's per-worker secret store. None are committed to the repository or surfaced in logs.
Authentication & Authorisation
- Authentication: email/password with industry-standard salted password hashing, plus OAuth sign-in via GitHub and Google. Email verification is required for password sign-up on the production origin.
- Sessions: Server-side session storage in D1 with revocation on logout, on account-deletion request, and on password reset.
- MCP / live-data tokens: Per-streamboard live-data tokens are minted server-side and stored as SHA-256 hashes; the raw secret is shown to the user once at mint time and is unrecoverable afterwards.
- RBAC: Organisation-scoped resources (streamboards, folders, comments, branding, tokens) are gated by member-role checks (member / admin / owner). All RBAC checks happen server-side.
Rate Limiting & Abuse Prevention
- Per-token / per-org / per-user rate limits on the API and MCP surfaces, enforced via Cloudflare Rate Limiting bindings.
- Spec size cap (256 KB) on every streamboard create / update / patch to bound storage and rendering cost.
- Allowlist enforcement on streamboard component types per organisation, re-validated at write time against the live database (defence in depth).
- Soft-delete + 30-day grace before physical purge so accidental deletions are recoverable through support.
Account Deletion & Data Erasure
Users can request account deletion at any time from Settings → Account. A 30-day grace period applies; on grace-period expiry, the account-lifecycle worker cascades through every D1 row and R2 object the user solely owns (streamboards, releases, state, tokens, comment threads / replies / mentions, sole-owned organisations with their branding assets, member rows, verification rows, and finally the user record itself). The cascade is gated by a fail-safe `DRY_RUN` environment variable and audited via Cloudflare Workers Analytics Engine. See the Privacy Policy sections 8 & 9 for full detail.
Observability & Incident Response
- Per-request observability: every error response carries a 12-char request id (also written into the response body and the `X-Request-Id` header), with the request id, route, error class / message, and latency written to Cloudflare Workers Analytics Engine for operator-side investigation.
- Breach notification: if a breach affecting personal data occurs, we will notify the ICO and affected users in accordance with UK GDPR Art. 33–34 — without undue delay and within 72 hours where feasible. See Privacy Policy section 10.
Sub-Processors
The full list of sub-processors, the data shared with each, and the international-transfer safeguards relied upon is published in the Privacy Policy section 5. We commit to giving 30 days' advance notice of material sub-processor changes where required by your contract.
Data Processing Agreement (DPA)
Organisations processing personal data via the Service can rely on our published Data Processing Agreement, which satisfies UK GDPR Art. 28. Enterprise customers can request an executed counterpart at support@usestreamboard.com.
Reporting a Security Issue
If you believe you have found a security vulnerability or have any other security concern, please email support@usestreamboard.com with the subject line "Security disclosure". Please include enough detail to reproduce the issue and refrain from publicly disclosing it until we have had reasonable time to investigate and remediate. We do not yet operate a formal bug-bounty programme; responsible disclosures are acknowledged on request.
What We Don't (Yet) Have
Honesty is part of the security story. Things we don't claim today:
- No formal third-party certifications (ISO 27001, SOC 2 Type II, HIPAA, etc.).
- No contractual uptime SLA — service is provided on a best-effort basis pre-launch.
- No regional pinning / data-residency options beyond the WEUR primary D1.
- No published bug-bounty programme (responsible-disclosure email only).
- No automated penetration-testing programme on a fixed cadence.
Roadmap items: SOC 2 Type I once we are post-launch and revenue allows; public status page; data-export self-service; opt-in regional pinning for enterprise.
Contact
For general security questions, vendor-review questionnaires, or compliance enquiries, email support@usestreamboard.com.