Security, Privacy, and Compliance

We take data security very seriously

At Sounding Board, our top priority is keeping our customer, coach, and coachee data secure. We employ rigorous security measures at the organizational, architectural, and operational levels to ensure that your data remains safe.

Organizational security

"Security is a focus for everyone at Sounding Board. All employees receive security and privacy training in their first two weeks at Sounding Board to keep both Sounding Board and customer data safe and secure."

Architectural security

At Sounding Board, we understand the critical role that architectural security plays in securing our clients’ information systems. That’s why we prioritize multiple security measures such as data encryption, single sign-on, native login, physical security, network security, application security, security risk assessments, and vulnerability assessments. By implementing these measures, we aim to provide the highest level of protection against unauthorized access and potential security risks.
Data Encryption

Sounding Board encrypts all customer data while it is at rest. That means that whenever the data is not actively being used or accessed, it is stored in encrypted form. This is a fundamental design characteristic of the Sounding Board technology. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits, and the keys are managed by our database provider (MongoDB).

Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. We utilize 128-bit SSL encryption for this.

Application Security
We partner with a top third-party security company to conduct an annual security assessment of our web application as part of our SOC 2 Type II audit. The company tests for standard and advanced security vulnerabilities, including:
  • Weaknesses with Flash, Flex, AJAX, and ActionScript
  • Cross-site request forgery (CSRF)
  • Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
  • XML and SOAP attacks
  • Weak session management
  • Data validation flaws and constraint inconsistencies
  • Insufficient authentication or authorization
  • HTTP response splitting
  • Misuse of SSL/TLS
  • Use of unsafe HTTP methods
  • Misuse of cryptography
Single-Sign-On Support
SAML 2.0 allows for a seamless single sign-on experience between the customer’s internal web portal and Sounding Board. Customers log in to their company’s internal web portal using their enterprise username and password and are then presented with a link to Sounding Board, which automatically gives them access without having to log in again.
Sounding Board Native Login

Sounding Board offers username/password authentication as its Native Login. Your email address is your unique identifier in the system. Sounding Board requires users’ passwords to meet the following requirements:
  • More than 8 characters
  • One uppercase letter
  • One lowercase letter
  • One symbol (!@#$%^&*, etc.)
  • One number (1234567890)
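The password policy above, implemented as a validator that reports every unmet requirement rather than just pass/fail. This is an added example, not Sounding Board’s own code; it assumes that “more than 8 characters” means a strict minimum of 9, and that “!@#$%^&*, etc.” covers any ASCII punctuation character.

```python
import string

# Assumption: "more than 8 characters" is a strict minimum, so 9 or more.
MIN_LENGTH = 9
# Assumption: "!@#$%^&*, etc." means any ASCII punctuation character counts as a symbol.
SYMBOLS = set(string.punctuation)
DIGITS = set("1234567890")  # the digit set exactly as listed on the page

# One check per stated requirement, in the order the page lists them.
REQUIREMENTS = {
    "length": lambda pw: len(pw) >= MIN_LENGTH,
    "uppercase": lambda pw: any(c.isupper() for c in pw),
    "lowercase": lambda pw: any(c.islower() for c in pw),
    "symbol": lambda pw: any(c in SYMBOLS for c in pw),
    "number": lambda pw: any(c in DIGITS for c in pw),
}


def failed_requirements(password: str) -> list[str]:
    """Return the names of the requirements the password does NOT meet (empty if it passes)."""
    return [name for name, check in REQUIREMENTS.items() if not check(password)]


def is_valid(password: str) -> bool:
    """True only when every requirement is satisfied."""
    return not failed_requirements(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Passw0rd", "Passw0rd!", "password123!", "ALLCAPS123!"]:
        missing = failed_requirements(sample)
        print(f"{sample!r}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Note that an 8-character password fails the length check, since the policy says more than 8.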

Network Security
Sounding Board has established detailed operating policies, procedures, and processes designed to help manage the quality and integrity of the Sounding Board environment. Google Cloud Platform firewall rules are configured to block unauthorized inbound network traffic from the internet. In addition, monitoring software is used to identify vulnerabilities and security events on the network, servers, and database and is configured to alert personnel of possible or actual security breaches.
Security Risk Assessment
Sounding Board has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Sounding Board applications. This program includes an in-depth security risk assessment and review of Sounding Board features. In addition, static source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by developer application security training and penetration testing of the application.
Vulnerability Assessments
Sounding Board contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.
Physical Security
Sounding Board applications are hosted on the Google Cloud Platform (GCP). Google Cloud Platform’s physical security controls are reviewed annually as part of Sounding Board’s vendor management program.

Privacy

Sounding Board is deeply committed to protecting the privacy of our customers’ data and helping our customers meet their privacy obligations. With Sounding Board, you gain leading privacy functionality and practices that support those obligations. Additionally, we are transparent about our privacy practices. We also provide our customers with the necessary resources and information to help them understand and validate their organization’s privacy and compliance requirements.
Privacy Principles
As data protection issues and global laws evolve and become increasingly complex, Sounding Board understands the importance of maintaining a comprehensive privacy program embedded in our company’s culture and services. We’re committed to following three principles that reflect our core values:
  • We put privacy first.
  • We innovate responsibly.
  • We safeguard fairness and trust.
Our philosophy of “privacy by design” is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data. These privacy principles drive how we train our employees, design and build products, and, ultimately, how we process personal data. Privacy and data protection require year-round vigilance, and we’re strongly committed to protecting the personal data of our customers and employees.
Global Data Privacy

Privacy continues to be front and center on the global stage with the advent of the General Data Protection Regulation, the continued momentum for U.S. privacy legislation, and new laws throughout Asia and Latin America. At Sounding Board, we welcome this renewed attention, as privacy protections have been a fundamental component of our services. We also understand that privacy is a shared responsibility between our customers and us.

Sounding Board and our customers must be prepared to comply with complex global privacy laws and regulations. Sounding Board stays ahead of international privacy regulations by maintaining a global data protection program that contains comprehensive technical, administrative, and organizational safeguards. Our customers can rest assured that we are committed to global privacy standards, as shown by our implementation of Binding Corporate Rules for Processors (BCRs) and being the first company to certify the Asia-Pacific Economic Cooperation Privacy Rules for Processors.

EU Data Privacy
The General Data Protection Regulation (GDPR) is the global benchmark for privacy laws. It sets out individual privacy and access rights and establishes the mechanisms for holding businesses accountable for data use. We base our privacy compliance regime on the GDPR because we are a global-facing company and because the standards it sets protect individuals while simultaneously allowing us to deliver the best results for our customers. Complying with GDPR means that we:
  • Respect data subject rights to access, rectification, portability, and deletion
  • Secure information with an eye toward the state of the art in technology
  • Make transparency, accountability, and trust a central component of our operations
  • Practice privacy by design and data minimization
If you want to know more about how we treat data under GDPR, please see our privacy policy, available at https://www.soundingboardinc.com/privacy-policy/.
Cross-Border Data Transfers
Complying with GDPR means ensuring that data is transferred out of the EU in accordance with established principles and procedural/technical safeguards. We rely on the Standard Contractual Clauses to transfer data from the EU and, in rare instances, with direct consent from data subjects. All data that leaves the EU is subject to heightened scrutiny and protection, and our obligations are rigorously enforced as set out in the SCCs.

Compliance

Today’s technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies in an environment of increasingly complex security threats. Companies are also responsible for complying with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf.

Security Compliance Program
Sounding Board maintains a formal and comprehensive security program designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorized access to our customers’ data. The specifics of our security program are detailed in our third-party security audits and international certifications.
SOC 2

Sounding Board holds both SOC 2 Type I and Type II certifications. SOC 2 Compliance is a set of standards that organizations use to demonstrate the security, availability, processing integrity, confidentiality, and privacy of their systems and data. It is a widely recognized and adopted information security framework that helps organizations build trust and credibility with their customers, partners, and stakeholders. Reports are an independent assessment of our control environment performed by a third party and are available by request.
