How Certified Infrastructure and Client-Side Encryption Protect Your Data

· · Daniel A

How Certified Infrastructure and Client-Side Encryption Protect Your Data

Learn how SimplyBoard layers SOC 2 certified infrastructure with AES-256-GCM client-side encryption to protect every byte of your data.

Most productivity tools ask you to trust them with your data. They promise security in vague blog posts and bury the details in legal fine print. We think trust should be verifiable, not aspirational.

SimplyBoard takes a two-layer approach to security: certified infrastructure handles the physical and operational security of the platform, while client-side encryption ensures that even the infrastructure itself can't read your content.

Neither layer alone is sufficient. Together, they create a security model where your data is protected from external threats, internal access, and regulatory overreach simultaneously.

Layer 1: The Infrastructure

SimplyBoard is built on infrastructure that holds three major security certifications. These aren't decorative badges · they represent ongoing, audited compliance with some of the strictest standards in the industry.

SOC 2

Continuous third-party auditing of security controls, availability, and confidentiality practices.

ISO 27001:2022

International standard for information security management systems, covering risk assessment and treatment.

GDPR Compliant

Full compliance with the EU General Data Protection Regulation, including data subject rights and processing controls.

What SOC 2 Actually Means

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of CPAs. An independent auditor verifies that security practices are consistently followed, not just documented · covering areas like access control, encryption at rest, network monitoring, incident response, and change management.

It's the same standard used by major financial institutions and healthcare providers.

What ISO 27001:2022 Adds

ISO 27001 is the international gold standard for information security management. The 2022 revision introduced updated controls for cloud security, threat intelligence, and data leakage prevention. The infrastructure SimplyBoard runs on has been certified against this standard, meaning its security management system is independently verified.

Where SOC 2 focuses on operational controls, ISO 27001 takes a broader view · it requires a systematic approach to risk management across the entire organization, from hiring practices to disaster recovery.

Layer 2: Client-Side Encryption

Infrastructure certifications protect the platform. But what about the people who operate it? What about government requests? What about a rogue employee or a sophisticated breach that bypasses every control?

This is where client-side encryption comes in. Every entry you create in SimplyBoard is encrypted with AES-256-GCM in your browser before it ever reaches our servers. The encryption key is derived from your password using Argon2id, a memory-hard key derivation function (64 MB memory, 3 passes).

Zero-Knowledge Model

Your password never leaves your device. The encryption key is derived locally, used to encrypt your entries, and then used to wrap a master key stored on the server. Without your password, the master key · and your data · are indecipherable. We couldn't read your entries even if we wanted to.

This means that even in the worst-case scenario · a complete server compromise · an attacker would only obtain encrypted ciphertext. Without each user's individual password, the data is computationally useless.

Why Both Layers Matter

You might wonder: if everything is encrypted client-side, why bother with infrastructure certifications? Or conversely, if the infrastructure is SOC 2 compliant, why encrypt at the client level?

Each layer addresses different threat vectors:

ThreatInfrastructureEncryption
External hacker✅ Blocked✅ Unreadable
Insider access⚠️ Audited✅ Unreadable
Legal subpoena⚠️ Must comply✅ Only ciphertext
Physical theft✅ Encrypted at rest✅ Unreadable
DDoS / availability✅ Mitigated· (N/A)

Infrastructure certifications ensure the platform stays online, monitored, and operationally sound. Client-side encryption ensures that even when the infrastructure is compromised, your data remains private. Together, they close the gap that either approach leaves open alone.

What We're Transparent About

No security model is perfect. We believe transparency is the missing piece in most security marketing, so here's what we want you to know:

  • We use third-party infrastructure. SimplyBoard doesn't run its own data centres. We build on infrastructure that holds SOC 2, ISO 27001:2022, and GDPR certifications. The certifications belong to the infrastructure provider, not to SimplyBoard itself.
  • Metadata is visible. While your entry content is encrypted, we can see metadata: your email, timestamps, entry count, workspace names, and IP addresses in server logs.
  • Password loss means data loss. Because we use zero-knowledge encryption, there's no "forgot password" recovery for your encrypted content. If you lose your password, your entries are gone.
  • Search is client-side. Because the server can't read your data, all search and indexing happens locally in your browser. This is a deliberate trade-off for privacy.

The Technical Summary

  • Encryption: AES-256-GCM with per-entry random IVs
  • Key derivation: Argon2id · 64 MB memory, 3 passes, 4 lanes
  • Key wrapping: Master key wrapped with derived key, stored server-side
  • Infrastructure: SOC 2, ISO 27001:2022, GDPR certified
  • Data at rest: Encrypted by infrastructure + encrypted by client
  • Data in transit: TLS 1.3

Built for People Who Take Security Seriously

If you store API keys, server credentials, deployment scripts, or anything you wouldn't want on a billboard · SimplyBoard was built for you. We didn't bolt security onto a productivity tool. We built a security model and wrapped a productivity tool around it.

Industry-recognized infrastructure keeps the platform reliable and auditable. Client-side encryption keeps your content unreadable to everyone except you. Together, they create a system where trust isn't required · because the math handles it.

· The SimplyBoard Team