Information Security Policy

Information Security Policy Statement

Last Updated: 28 October 2025
Effective Date: 28 October 2025

Our Commitment to Information Security

At Governance360, we take the security of your information seriously. This policy explains how we protect your business data, our platform, and the learning content in our Academy through robust technical, organisational, and physical security measures.

  1. What This Policy Covers

This Information Security Policy applies to:

  • Our Governance360 platform subscription service
  • Our Director Learning Academy and all course modules
  • All customer data, business information, and personal data we process
  • Our employees, contractors, and service providers who handle your information

Plain English Note: This policy covers everything we do with your data – whether you’re using our main platform or buying Academy courses.

  2. Our Security Principles

We are committed to maintaining the confidentiality, integrity, and availability of all information entrusted to us.

Confidentiality

We ensure that your information is only accessible to authorised personnel who need it to provide our services to you.

Integrity

We protect your information from unauthorised alteration, deletion, or corruption.

Availability

We maintain our systems so that you can access your data and our services when you need them.

Plain English Note: These three principles mean: we keep your data private, accurate, and available when you need it.

  3. How We Protect Your Information

3.1 Encryption and Secure Communications

From the moment you start using Governance360, all activity you have with us (and with your fellow board members when using the platform) is protected by encryption.

  • SSL/TLS Encryption: All data transmitted between your browser and our servers is protected by SSL/TLS, ensuring that everything passed between the web server and your browser remains private and secure
  • Encryption Standards: Our SSL/TLS certificates are signed with SHA-256 and use 2048-bit keys to protect your data – amongst the most secure measures currently available
  • Encryption at Rest: Data stored in our systems is encrypted using industry-standard encryption methods
  • Modern Protocols: We use TLS 1.2 or higher for all secure communications

Plain English Note: Encryption scrambles your data so unauthorised people can’t read it. We encrypt everything – both when it’s being sent over the internet and when it’s stored on our servers. Think of it like putting your data in a locked safe that only authorised people have the key to.

3.2 Access Controls and Authentication

  • Role-Based Access: Access controls ensure staff can only access information necessary for their specific role
  • Multi-Factor Authentication (MFA): We enable users to turn on two-factor authentication (2FA) when signing in to the app and strongly recommend that they do. We offer the choice of mobile, email, or authenticator app-based 2FA
  • Administrative Security: Multi-factor authentication is required for all administrative access to our systems
  • Automatic Sign-Out: Our app will sign you out automatically if there is no activity on the site for three hours after you log in
  • Browser Session Management: The Governance360 web app will also log you out if you leave the browser you signed in with and the session stays inactive for three hours

Plain English Note: We restrict who can access what, and we strongly encourage using 2FA (where you need both your password and a code from your phone or email to log in). We also automatically log you out after 30 minutes of inactivity to protect your account if you forget to log out.

3.3 Password Security Standards

For your own security, we enforce strong password requirements:

  • Minimum Requirements: Passwords must be at least 10 characters with a mixture of letters, numbers, and punctuation characters when you create an account on Governance360
  • Validation Checks: We enforce these requirements with automatic validation when you first register with the application
  • Unique Passwords: We recommend the use of a unique password (external password manager applications such as Roboform or LastPass may help you here)
  • No Simple Passwords: The application will not allow a ‘simple’ password to be used by an account holder. Our apologies if you find it frustrating, but we believe that your security should come first

Plain English Note: Strong passwords are your first line of defence. Yes, we make you use complex passwords – it might be annoying, but it keeps your account secure. Consider using a password manager to help you create and remember strong, unique passwords.
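The minimum password requirements stated above (at least 10 characters, with letters, numbers and punctuation) and the rejection of "simple" passwords can be expressed as a validation routine. The following Python is an added illustration, not Governance360's own code; the page does not define what counts as a "simple" password, so the small deny-list and the distinct-character check below are constructed assumptions.

```python
"""Password validation implementing the minimum requirements in section 3.3:
at least 10 characters with a mixture of letters, numbers and punctuation,
plus a rejection of 'simple' passwords.

The page does not define 'simple'; the deny-list and the distinct-character
check are assumptions made for this example.
"""
import string

MIN_LENGTH = 10  # minimum length stated in the policy

# Constructed sample deny-list (assumption). A real deployment would check
# against a much larger list of common or breached passwords.
COMMON_PASSWORDS = {
    "password123!",
    "qwerty12345!",
    "welcome2024!",
    "letmein123!",
}


def validate_password(password: str) -> list[str]:
    """Return the list of requirements the password fails.

    An empty list means the password is acceptable.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("must contain at least one letter")
    if not any(c.isdigit() for c in password):
        failures.append("must contain at least one number")
    if not any(c in string.punctuation for c in password):
        failures.append("must contain at least one punctuation character")
    # 'Simple' password checks (assumed definition, see module docstring)
    if password.lower() in COMMON_PASSWORDS:
        failures.append("is a commonly used password")
    if len(password) >= MIN_LENGTH and len(set(password)) <= 3:
        failures.append("uses too few distinct characters")
    return failures


def is_acceptable(password: str) -> bool:
    """True when the password meets every requirement."""
    return not validate_password(password)


if __name__ == "__main__":
    # Constructed sample inputs covering each failure mode and one pass
    samples = ["short1!", "NoDigitsHere!", "nopunct12345",
               "Password123!", "aaaaaaaaa1!", "Tr0ub4dor&3-rev"]
    for pw in samples:
        print(f"{pw!r}: {validate_password(pw) or 'OK'}")
```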

3.4 Network Security and Monitoring

  • Firewalls: Multi-layered firewall protection on all network boundaries
  • Intrusion Detection: Real-time monitoring systems detect and alert us to suspicious activity
  • Security Monitoring: Continuous monitoring of our systems for potential threats
  • VPN Requirements: We require our internal staff to operate a VPN when working outside of known secure networks, for example in public access WiFi spaces

Plain English Note: We have multiple layers of protection watching our systems 24/7, looking for anything suspicious. Our staff must use VPNs (secure connections) when working from public WiFi to prevent eavesdropping.

3.5 Virus and Malware Protection

  • Desktop Security: We work with a third-party security specialist to ensure our desktop estate is as secure as it can be, including industry-leading virus detection and malware detection software which is enforced at all times
  • Database Protection: We operate virus scanning software on the database infrastructure to reduce risks when storing key documents and information
  • Regular Updates: Security software is kept up to date with the latest threat definitions

Plain English Note: We use professional-grade antivirus and anti-malware software on all our systems, and it’s always running and always up to date.

3.6 Secure Development Practices

  • Security Testing: Security testing is integrated into our software development process
  • Code Reviews: Regular security-focused code reviews
  • Vulnerability Management: Proactive identification and remediation of security vulnerabilities

Plain English Note: We build security into our software from the start, not as an afterthought. Every update is tested for security issues before release.

3.7 Data Backup and Recovery

  • Regular Backups: Your data in the app is stored and backed up off-site daily by our sub-processors
  • Geographic Redundancy: Your personal data is stored and backed up off-site daily in data centres in the UK and US, so that it can be recovered in the event of a disaster and our service can continue to be delivered
  • Automatic Saving: Your data is saved on a regular basis during your use of the app, so if you’re logged out due to inactivity, you should find that your progress is ready at the place at which you left it
  • Disaster Recovery: Comprehensive disaster recovery procedures to restore services in the event of a major incident

For more information about the companies that help us provide these services, please see our Sub-Processors Policy.

Plain English Note: We back up your data every day and store copies in multiple locations (UK and US data centres). If something goes wrong, we can restore your data. The app also saves your work regularly as you go.

3.8 Organisational Security Measures

Staff Vetting and Training

  • Pre-Employment Screening: Staff and, where appropriate, external contractors are cleared prior to working with us by our Human Resources department
  • Comprehensive Checks: Our checks include (in no particular order) proof of identity, proof of right to work, and proof of residency
  • Confidentiality Agreements: All employees and contractors sign confidentiality agreements
  • Security Training: All employees receive information security training upon joining and are trained on a regular basis as to the importance of these policies and procedures
  • Annual Reviews: Internal Human Resources policies are reviewed annually

Data Access Controls

  • Need-to-Know Basis: Only employees with the necessary rights and roles can access our data centre facilities and underlying data
  • Limited Customer Data Access: Customer data is accessed on an as-needed-only basis, and only when approved by the customer (i.e. as part of a support incident), or by operational staff to provide necessary support and maintenance
  • Audit Trails: We maintain logs of who accesses what data and when

Plain English Note: We carefully check everyone who works for us before they start, make them sign confidentiality agreements, and train them regularly. We also strictly limit who can access your data – staff can only see it if they need to for their job or if you’ve asked us to help with a support issue.

3.9 Third-Party Security Management

  • Due Diligence: Thorough security assessment of all service providers before engagement
  • Contractual Requirements: All sub-processors must meet rigorous security standards equivalent to our own obligations
  • Ongoing Monitoring: Regular reviews of sub-processor security and compliance

For a complete list of our sub-processors and their security credentials, please see our Sub-Processors Policy.

Plain English Note: We don’t just trust any company with your data. We carefully check them out, make them sign strict contracts, and keep monitoring them to ensure they maintain high security standards.

3.10 Physical Security Measures

  • Tier-Certified Data Centres: Our infrastructure is hosted in professionally managed, tier-certified data centres with 24/7 physical security
  • Environmental Controls: Fire suppression, climate control, and power redundancy systems
  • Access Controls: Controlled access with biometric authentication and video surveillance
  • Geographic Separation: Backup data stored in geographically separate locations

Plain English Note: Your data lives in professional data centres with round-the-clock security guards, backup power supplies, fire protection, and strict access controls – not in someone’s office cupboard.

  4. Financial Security

We take the security of your payment information extremely seriously.

Payment Processing

  • No Card Storage: Governance360 never stores your credit card details on our platform, nor do we want to
  • SSL-Protected Payments: If you pay for your services directly through our store using your credit card, all payments are made over SSL connections, not logged or stored in our systems
  • PCI-Compliant Partners: Dependent on your choice of payment method, payments are processed by:
  • Invoice Payments: If you choose to pay in advance via invoice, payments are processed manually using Stripe credit card functionality

Plain English Note: We never see or store your credit card details. Payments go directly to Stripe or GoCardless, both of which are certified secure payment processors. This means even if our systems were compromised, your payment information would be safe because we simply don’t have it.

  5. Compliance and Standards

We comply with:

  • UK GDPR and Data Protection Act 2018: All processing complies with UK data protection law
  • Electronic Commerce (EC Directive) Regulations 2002: For our online services
  • Computer Misuse Act 1990: We implement controls to prevent unauthorised access
  • PCI-DSS Requirements: Through our payment service providers
  • Industry Best Practices: Including guidance from the National Cyber Security Centre (NCSC)

We work towards alignment with recognised security frameworks including ISO 27001 information security management standards.

Plain English Note: We follow UK law and recognised international standards for data security. This isn’t just best practice – it’s a legal requirement, and we take it seriously.

  6. Your Responsibilities

Security is a partnership. To help us keep your information secure, we ask that you:

Account Security

  • Keep your login credentials confidential and do not share them
  • Use strong, unique passwords (minimum 10 characters with letters, numbers, and punctuation)
  • Enable multi-factor authentication – we strongly recommend this
  • Notify us immediately if you suspect unauthorised access to your account

Access Security

  • Ensure your own devices and networks are secure when accessing our services
  • We strongly recommend you do not use public WiFi to access the application
  • Our platform is only accessible through SSL protocols, but we cannot be held responsible for how you access the internet
  • Follow any security guidance we provide

Academy Content

  • Do not share your login credentials with others
  • Respect the intellectual property protections on course materials

Plain English Note: Security is a team effort. Please keep your passwords private and strong, turn on 2FA, and avoid using our platform on public WiFi. We do our part to keep things secure, but you need to protect your end too.

  7. Academy Products and Content Security

For our Learning Academy:

  • Course content is protected by access controls and digital rights management
  • Once a module is opened or started, it cannot be refunded as it’s a digital product that has been consumed
  • We monitor for unauthorised sharing or distribution of course materials
  • Purchased modules remain accessible to you according to your licence terms

Plain English Note: Academy courses are digital products. Once you’ve started one, we can’t offer refunds because you’ve already accessed the content – like downloading a film. We protect course content from unauthorised sharing.

  8. Data Retention and Disposal

What We Keep and Why

  • Minimum Data Principle: We store the minimum amount of data required to provide our services as outlined in our Privacy Policy
  • Customer Data: Customer data is held by Governance360 for the purposes of our accounting records and fiscal duties, either within our CRM system or our financial system, both of which are GDPR compliant
  • Payment Information: Credit card details are only stored by PCI-compliant service partners (Stripe and GoCardless) as noted above

Secure Disposal

  • When data is no longer needed, it is securely deleted using industry-standard methods
  • Backup data is subject to secure disposal once retention periods expire
  • We maintain records of data disposal for audit purposes

Plain English Note: We don’t hoard data. We only keep what we need for as long as we need it, and when we’re done with it, we delete it properly using secure methods – not just pressing delete but ensuring it can’t be recovered.

  9. Security Incidents

In the event of a security incident:

Our Response

  • Incident Response Plan: We have an Incident Response Plan that is tested regularly
  • Immediate Action: We will investigate promptly and take steps to contain and remediate the incident
  • Regulatory Notification: Where required by law, we will notify affected customers and the Information Commissioner’s Office (ICO) within 72 hours
  • Customer Communication: We will provide clear information about what happened, what data was affected, and what steps you should take

Reporting Security Concerns

If you suspect a security incident or have security concerns, please contact us immediately at:

Email: dataprotection@governance360.com

Plain English Note: If something goes wrong, we have a plan. We’ll investigate, fix it, and tell you (and the regulator if required by law) what happened and what we’re doing about it. If you spot something suspicious, please tell us straight away.

  10. Regular Reviews and Testing

We continuously improve our security through:

  • Annual Policy Reviews: This policy and all security controls are reviewed at least annually
  • Vulnerability Assessments: Regular vulnerability scanning and assessment
  • Penetration Testing: Independent security testing by qualified third parties
  • Security Audits: Periodic audits by independent security specialists
  • Threat Monitoring: Continuous monitoring of emerging threats and updating defences accordingly
  • Lessons Learned: Reviews of incidents and near-misses to improve our defences

Plain English Note: We don’t sit still. We regularly test our security, bring in external experts to try to break in (ethically!), and update our defences as new threats emerge. We learn from every incident to get better.

  11. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. Significant changes will be communicated to customers via email or platform notifications.

Plain English Note: If we change this policy, we’ll let you know – especially if it’s something important.

  12. Contact Us

Concerns

Email: dataprotection@governance360.com

General Enquiries

Address: Board Secure Ltd t/a Governance360, C/o Alacrity Foundation, Moderator Wharf, Newport, NP20 1HG

Regulatory Authority

You have the right to raise concerns with the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113

Plain English Note: Got questions or concerns? Get in touch. You can also complain directly to the ICO (the UK’s data protection regulator) at any time – you don’t have to contact us first, though we’d like the chance to help resolve any issues.

Definitions

Platform Subscription Service: Your organisation’s subscription to access the Governance360 platform (typically for one-year periods).

Director Learning Academy: Our product-based learning business offering individual course modules that, once started or opened, cannot be refunded.

Personal Data: Information relating to an identified or identifiable living individual.

Data Controller: The entity that determines the purposes and means of processing personal data (usually your organisation for data you upload to our platform).

Data Processor: The entity that processes personal data on behalf of the controller (Governance360 when processing your data).

Sub-Processor: A third-party data processor engaged by Governance360 to process service data on our behalf.

SSL/TLS: Secure Sockets Layer/Transport Layer Security – encryption protocols that protect data transmitted over the internet.

Multi-Factor Authentication (MFA/2FA): A security process requiring two or more verification methods to access an account.

Related Policies

This Information Security Policy Statement should be read alongside:

Note: By using our Services, you acknowledge that you have read, understood, and agree to this Information Security Policy Statement. If you do not agree, please discontinue use of our Services immediately and contact us to discuss your concerns.

This Information Security Policy Statement forms part of our contractual commitment to customers and demonstrates our adherence to UK data protection law and information security best practices for B2B SaaS providers operating in the United Kingdom.