Security & trust

Built for the sensitive data you hold

Corporate secretarial firms hold identity documents, beneficial ownership and financial data. Board360 is designed around protecting it — isolation, masking and auditability at the core.

Core controls

Security designed in, not added on

Tenant isolation by row-level security

Every firm's data is isolated at the database with PostgreSQL row-level security keyed to your tenant. Isolation is tested automatically in CI, and the build fails if any table is left unprotected.

NRIC/FIN masking by default

Sensitive identifiers are masked everywhere they appear — in the UI, exports and generated documents. Revealing a full identifier is permission-gated and written to the audit trail.

Immutable audit trail

Privileged actions are recorded to an append-only log — who did what, when, and what changed — across staff, client, platform and AI actors, with tamper-evident design.

Multi-factor authentication

Staff accounts sign in with email and password or magic link, with TOTP multi-factor authentication required for firm users.

Controlled break-glass access

Platform support has no standing access to your client data. Any support access is read-only by default, dual-controlled for KYC/UBO and financial data, time-boxed, logged, and surfaced to your Tenant Admin.

Singapore data residency

Application and data are hosted in Singapore by default, aligned to how Singapore CSPs are expected to handle client information.

Governed AI

AI you can put in front of a regulator

Automation is only useful if it’s safe. Board360’s AI layer is built for a regulated practice from the ground up.

  • AI acts only through a typed, permissioned tool registry — never directly on the database
  • Every action is tenant-scoped, schema-validated and injection-resistant
  • Risk-tiered approval: draft, single sign-off, or dual control
  • No autonomous statutory actions — humans always decide and sign
  • Cost-budgeted, kill-switchable, and fully audited with decision traces
Data protection

PDPA-aware by design

Board360 is built to fit the Personal Data Protection Act and the way Singapore firms are expected to steward client data.

  • Your firm is the Data Controller; Board360 acts as a Data Intermediary (processor)
  • Configurable retention per record type — KYC records kept at least five years
  • Data export and deletion workflows that honour PDPA obligations
  • A maintained list of sub-processors, with notice of changes

Board360 is an enabling tool: each firm remains responsible for its own regulatory compliance. We’re happy to walk your compliance team through our architecture, sub-processors and controls in detail during evaluation.

Run a compliant, modern corporate secretarial practice

See how Board360 brings your entities, deadlines, KYC/AML and client service into one system of record.