Security overview
When you use FlatFrog Board to collaborate with remote participants, we provide access to your boards on our cloud-based servers. It is central to the service we provide, that your data is confidential and secure.
Cloud infrastructure
FlatFrog Board cloud servers and storage reside on Google Cloud Platform, located in Belgium (europe-west1) and Germany (europe-west3). We use the following GCP products:
- Google Kubernetes Engine (europe-west1)
- Google Cloud Storage (europe-west1)
- Google Cloud SQL (europe-west1)
- Firebase Authentication (europe-west3)
We utilise GCP's audit logs, monitoring and alerts to promptly detect incidents. FlatFrog has an onboarding and offboarding process of personnel to grant access relevant parts of GCP depending on their role. Personnel use multi-factor authentication.
Servers
Our servers run in a Kubernetes cluster that is auto updated and managed to make sure the most recent security improvements are used. All endpoints are protected with TLS v1.2 and recommended cipher suites. We continuously monitor our endpoint protection on Qualys' SSL Labs to make sure they keep A+ score.
Data
Your board content and related data is encrypted with AES-256 at rest and stored on Google Cloud Storage and Google Cloud SQL. This data is not accessible on public endpoints and can only be accessed by a small number of FlatFrog personnel for service purposes. We use automatic backup and updating to keep the data safe.
User Accounts
Access to FlatFrog Board is protected by user accounts managed by Firebase Authentication. We allow users to sign up with email and password or use existing Google accounts. It is recommended to use Google accounts with multi-factor authentication for highest security.
Guest Access
In the Free tier of FlatFrog Board, we allow guests to access boards using links or 6 character codes. The purpose of this is to allow users to conveniently evaluate the service. In Paid tiers of FlatFrog Board (see pricing) access to an organisation's boards requires a user account with previously granted access to the organisation.