Security Measures at Governance360

We take security extremely seriously at Governance360. Here is an outline of some of the key measures that we take to enforce this stance:

Encryption

  • Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
  • One of the most common encryption technologies used in website and application development is SSL. SSL, or more accurately Secure Sockets Layer (its modern successor is TLS, but the term SSL is still widely used), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remains private and unaltered.
  • From the moment you start using Governance360, all activity you have with us (and with your fellow Board members when using the platform) is encrypted with SSL. Our SSL certificates use SHA-256 signatures and 2048-bit keys to protect your data, amongst the most secure measures currently available.

Financial Security

  • Governance360 never stores your credit card details on our platform, nor do we want to.
  • If you pay for your services directly through Our Store using your credit card, all payments are made over SSL connections and are not logged or stored in our systems.
  • Depending on your choice of payment method, payments are processed by either:
    • Stripe, a PCI-DSS Level 1 compliant service provider. Click here for a copy of the Stripe privacy policy.
    • GoCardless, a UK-based payment systems provider. Click here for a copy of their privacy statement and procedures.
  • If you choose to pay in advance via invoice, payments are processed manually using Stripe's credit card functionality.

Password Security

  • For your own security, we recommend you choose a password of at least 8 characters with a mixture of letters, numbers and punctuation characters when you create an account on Governance360. We also help enforce this with a simple validation check when you first register with the application.
  • We recommend the use of a unique password (external password manager applications such as RoboForm or LastPass may help you here).
  • Our platform is only accessible through the SSL protocols noted above. However, we cannot be held responsible for how you access the internet, and we strongly suggest you ensure your environment is as secure as possible (for example, we do not recommend using public Wi-Fi to access the application).
  • The Board Portal web app will log you out when you leave the browser you are logged in with, and will ask you to log in again to continue using the platform.
  • Our ActionPlan and Academy apps will sign you out automatically if no activity is logged on the site for thirty minutes after you log in.
  • We have also set the application not to allow a ‘simple’ password to be used by an account holder; these checks are carried out automatically when you set up your account. We apologise if you find it frustrating not to be allowed a simple password, but we believe that your security should come first.
  • Your data should be saved regularly during your use of the App, so after signing in again you should find your progress ready at the place where you left it.

Data Retention & Storage

  • We store the minimum amount of data required to provide our services as outlined in our Privacy and GDPR notice.
  • Your data in the Academy and ActionPlan apps is stored and backed up offsite daily by our sub-processors; you can find out more about these on our sub-processors page.
  • Your data in the BoardSecure Portal is stored and backed up offsite daily, for recovery from disasters, in Google’s Firebase environment.
  • Your personal data is stored and backed up offsite daily, for recovery from disasters, in data centres in the UK and US so that we can enhance the delivery of our service.
  • All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process. More on this certification, including the statement that Google Firebase is GDPR ready, is available here.
  • Customer data is held by Governance360 for the purposes of our accounting records and fiscal duties, either within our CRM system or our financial system; for both of these we have received confirmation from the vendors that they are GDPR compliant.
  • Credit card details are only stored by the PCI compliant service partners noted above.

People Controls

  • Staff and, where appropriate, external contractors are cleared by our Human Resources department prior to working with us.
  • Our checks are comprehensive and include (in no particular order) proof of identity, proof of right to work and proof of residency.
  • We also maintain internal Human Resources policies, reviewed annually.
  • Only employees with the necessary rights and roles can access our data centre facilities and underlying data.
  • Customer data is accessed only on an as-needed basis, and only when approved by the customer (i.e. as part of a support incident) or by operational staff to provide necessary support and maintenance.
  • All employees are asked to sign confidentiality agreements and are trained on a regular basis as to the importance of these policies and procedures.