Boords

Security

Your storyboards, scripts, and client approvals live in Boords. This page sets out how we protect that work, how we handle your personal data, and where procurement and security teams can find the detail they typically need.

Confidentiality

Anything you upload to or create in Boords is hidden from everyone, including the Boords team, unless you explicitly share it. We do not browse customer accounts. In the rare cases where access is needed for support or debugging, we proceed only with your explicit consent and limit access to the minimum data necessary.

Encryption

All traffic to and from Boords runs over HTTPS with 256-bit SSL. Uploaded files and assets are encrypted at rest on AWS S3 using server-side encryption with AWS-managed keys (SSE-S3). Backups are encrypted to the same standard.

Hosting and infrastructure

Boords runs on managed infrastructure from AWS and Heroku, primarily in the EU (Ireland). Cloudflare sits in front of the application, providing web application firewall protection and DDoS mitigation. Database backups run hourly. File assets stored on AWS S3 carry built-in geographic redundancy within the EU region.

Authentication and account security

Multi-factor authentication is available to every account via an authenticator app. Passwords are hashed with bcrypt and a unique salt. We enforce minimum password length and complexity requirements, restrict the use of compromised passwords, and rate-limit login attempts to prevent brute-force attacks. Sessions expire after seven days of inactivity. Administrative access to our infrastructure (AWS, Heroku) is MFA-protected and restricted to authorised personnel with a specific business need.

Sub-processors and data location

Boords relies on a defined set of named sub-processors for hosting, payments, support, analytics, AI features, and email. The full list, including the country in which each one processes data, is published in our Privacy Policy. Where data is transferred outside the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA).

Your data, your rights

You own the storyboards, scripts, frames, and assets you create in Boords. We hold a limited licence only to host and display them on your behalf. You can export your work at any time as PDF, image, or animatic. To delete your account or request erasure of your personal data, email hello@boords.com. We respond to UK GDPR requests within one month. By law, we retain basic customer data (identity, contact, financial, and transaction) for six years after account closure to satisfy UK legal and tax obligations.

Payments

Boords does not hold any credit card information directly. All payments are handled by Stripe, which is fully PCI compliant for storing and processing card data.

AI features

Boords uses external AI services in two distinct ways. OpenAI powers script ingestion, converting scripts into structured storyboards. Fal.ai and Google (Gemini API) power AI image generation.

Boords does not train, retrain, or fine-tune any AI or machine learning models using customer data. Customer content submitted to the AI services we use is not used to train the underlying models, per the providers' API terms.

Customers can disable AI features for their entire account from account settings. When disabled, no AI processing runs for any user on the account.

Email

Boords sends transactional and notification email from the boords.com domain via Postmark, and marketing email via Mailerlite. SPF, DKIM, and DMARC are configured to prevent spoofing.

Breach notification

If we become aware of a personal data breach affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware. Notification will include the nature of the breach, the categories of data and approximate number of affected records, the likely consequences, and the measures taken or proposed to mitigate adverse effects. We will notify the Information Commissioner's Office (ICO) within 72 hours where we are legally required to do so.

Compliance and frameworks

Boords is a trading name of Presentable Software Limited, a UK company (company number 09985153) registered with the Information Commissioner's Office (ICO) under Registration Reference A8167535. For commercial and legal agreements (including Data Processing Agreements and Master Services Agreements), the contracting entity is Presentable Software Limited. We comply with the UK GDPR and align our practices with the EU GDPR and the California Consumer Privacy Act (CCPA/CPRA).

We are not currently certified to SOC 2 or ISO 27001. We rely on the equivalent controls provided by our underlying infrastructure (AWS, Heroku, Cloudflare, Stripe), all of which carry those certifications themselves. We have completed the Assured SaaS Security Risk and Trust Assessment. A full mapping of our controls is in the Security Overview document below.

Security Overview document

For procurement and security teams, a more detailed Security Overview is available as a PDF. It covers our hosting, encryption, authentication, monitoring, backup and recovery, development practices, sub-processors, and incident response in more depth.

We also publish a Data Processing Agreement (DPA) that customers can request from hello@boords.com prior to or in connection with their commercial agreement.

Download the Security Overview (PDF)

Reporting a security issue

If you believe you have found a security vulnerability in Boords, please email hello@boords.com. We will acknowledge your report and work in good faith with you to resolve it. Please give us a reasonable window to investigate and fix the issue before any public disclosure.

Questions

For anything else, email hello@boords.com and we will respond.