Board portal security: what every nonprofit should demand

Why board security is not optional

Board materials are among the most sensitive documents any organisation produces. Financial statements, strategic plans, executive compensation details, legal advice, merger discussions, personnel matters, donor information, and confidential reports all flow through the board on a regular basis. A breach of board materials can trigger regulatory penalties, legal liability, reputational damage, and a loss of trust from stakeholders.

Despite this, many nonprofit boards handle their most sensitive materials with remarkably little security. Board packs are emailed as unencrypted PDF attachments. Sensitive documents sit in shared Google Drive folders with outdated permissions. Former directors retain access to current board materials months or years after their terms end. Financial reports are forwarded to personal email accounts and downloaded to unmanaged personal devices.

These practices are not malicious -- they are habitual. They persist because boards have not historically had access to affordable, purpose-built tools that provide proper security. But affordable board management software is now widely available, and there is no longer any excuse for treating board security as an afterthought.

This article outlines the security features, certifications, and practices that every nonprofit board should demand from its board portal vendor.

The threat landscape for boards

Understanding the threats helps clarify why specific security measures matter.

External threats

Board materials are attractive targets for malicious actors. Cybercriminals, hacktivists, and in some cases state-sponsored actors may target board materials for financial gain, competitive intelligence, or disruption. Phishing attacks targeting board members are increasingly common because directors often have weaker security practices than regular employees -- they use personal devices, personal email accounts, and they are not subject to the same IT policies as staff.

Internal threats

Not all threats come from outside. Disgruntled former directors, departing executives, or staff members with inappropriate access can expose sensitive board materials. The risk increases when access controls are weak and when there is no audit trail to detect or deter unauthorised access.

Accidental exposure

The most common security incidents are not attacks at all -- they are accidents. A director forwards a board pack to the wrong email address. A shared drive folder is accidentally made public. An attachment is sent to a personal email and ends up on an unsecured device. These accidents are mundane, but their consequences can be severe.

Essential security features

Encryption in transit and at rest

All data should be encrypted both when it moves between devices and servers (in transit) and when it is stored on the server (at rest).

In transit: Look for TLS 1.2 or later. This ensures that data travelling between a director's device and the board portal cannot be intercepted and read by third parties.

At rest: Look for AES-256 encryption or equivalent. This ensures that even if someone gains unauthorised access to the server's storage, they cannot read the data without the encryption keys.

Ask the vendor who controls the encryption keys. Some vendors manage the keys themselves; others offer customer-managed keys for organisations with stricter security requirements.

Two-factor authentication

Passwords alone are not sufficient protection for board materials. Two-factor authentication (2FA) adds a second layer of security by requiring something the user knows (their password) and something they have (a code from an authenticator app, a hardware token, or a biometric confirmation).

2FA should be mandatory for all users, not optional. If a platform offers 2FA but does not enforce it, directors will skip it, and your security is only as strong as the weakest link.

Look for support for authenticator apps (such as Google Authenticator or Microsoft Authenticator), hardware security keys (FIDO2/WebAuthn), and biometric authentication on mobile devices.

Role-based access controls

Not every user needs access to every document. Role-based access controls (RBAC) allow administrators to define permissions based on a user's role within the governance structure.

At a minimum, you should be able to:

Restrict committee materials to committee members only
Limit who can view, download, or print specific documents
Define roles such as chair, director, committee member, secretary, observer, and auditor
Create custom roles for your specific governance structure
Grant temporary access to advisors or guest presenters without giving them permanent access

The key test is granularity. Can you control access at the document level, not just the folder level? Can you distinguish between viewing and downloading? Can you restrict printing of sensitive materials?

Instant access revocation

When a director leaves the board, their access to all board materials should be revoked immediately. In a shared drive or email-based system, this is nearly impossible -- you cannot un-send emails, and you cannot easily remove access to forwarded or downloaded documents.

A board portal should allow an administrator to revoke a user's access across the entire platform with a single action. No more chasing down shared folder permissions or worrying about copies of board packs on former directors' personal devices.

Session management

Look for features that give administrators control over active sessions:

Automatic session timeout after a period of inactivity
Ability to terminate a specific user's session remotely
Single active session enforcement (preventing simultaneous logins from multiple locations)
Device management showing which devices a user has accessed the platform from

Document security controls

Beyond access controls, look for features that protect the documents themselves:

Watermarking: Dynamic watermarks that display the viewer's name on every page, deterring screenshots and unauthorised sharing.
Download restrictions: The ability to prevent users from downloading specific documents, limiting them to online viewing only.
Print restrictions: The ability to disable printing for sensitive materials.
Expiring links: If the platform generates shareable links, those links should expire automatically after a defined period.
Remote wipe: The ability to remotely remove board materials from a device if it is lost, stolen, or if the user's access is revoked.

Audit trails

A comprehensive audit trail records every significant action within the platform: who accessed which document, when, from which device, and what they did with it. Audit trails serve three purposes:

Detection: They allow administrators to identify unusual or unauthorised activity.
Accountability: They provide evidence of proper process for regulators, auditors, and stakeholders.
Deterrence: Users who know their actions are logged are less likely to mishandle sensitive materials.

Look for audit trails that are immutable (cannot be altered or deleted), comprehensive (covering all user actions), and exportable (for external audit purposes).

Security certifications and standards

Certifications are not a guarantee of security, but they indicate that a vendor has submitted to independent scrutiny and meets recognised standards.

ISO 27001

ISO 27001 is the international standard for information security management systems. A vendor with ISO 27001 certification has implemented a systematic approach to managing sensitive information, including risk assessment, security controls, and continuous improvement processes.

Ask for the certificate and check the scope. Some vendors hold ISO 27001 for their corporate operations but not for the specific platform you are evaluating.

SOC 2 Type II

SOC 2 (Service Organisation Control 2) is an auditing framework developed by the American Institute of CPAs. A SOC 2 Type II report evaluates the effectiveness of a vendor's controls over an extended period (typically six to twelve months) across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

A SOC 2 Type II report is more rigorous than Type I because it tests controls over time, not just at a point in time. Ask for the report and check when it was issued -- a report from three years ago has limited value.

GDPR and privacy compliance

If your organisation handles personal data from European individuals, your board portal vendor must comply with the General Data Protection Regulation (GDPR). Even if your organisation is based outside Europe, GDPR can apply if any of your stakeholders, beneficiaries, or directors are in the EU.

Look for vendors that offer data processing agreements, provide clear documentation of their data handling practices, and support data subject access requests.

Local privacy legislation

For Australian organisations, ensure the vendor complies with the Privacy Act 1988 and the Australian Privacy Principles. For New Zealand organisations, the Privacy Act 2020 applies. Other jurisdictions have their own requirements. Ask the vendor which privacy frameworks they support and how they handle cross-border data transfers.

Data residency and sovereignty

Data residency -- where your data is physically stored -- is an increasingly important consideration for boards.

Why it matters

Different jurisdictions have different laws governing data access, privacy, and government surveillance. If your data is stored in a foreign country, it may be subject to that country's laws, which may conflict with your own jurisdiction's privacy requirements.

For Australian nonprofits, storing board materials on servers in Australia ensures that the data is governed by Australian law. Data stored overseas may be accessible to foreign governments under their domestic laws, which creates a compliance risk.

What to ask

Where are the primary and backup data centres located?
Can you guarantee that data will not leave a specific jurisdiction?
If data centres are in multiple countries, can you choose which jurisdiction your data is stored in?
What happens to data residency if the vendor is acquired by a foreign company?

Infrastructure security

Beyond the application itself, understand how the vendor secures its underlying infrastructure.

Cloud hosting

Most board portals run on cloud infrastructure provided by major platforms such as AWS, Azure, or Google Cloud. These platforms provide robust physical security, redundancy, and compliance certifications. But the vendor is still responsible for how they configure and manage their cloud environment.

Ask about:

Network security (firewalls, intrusion detection, DDoS protection)
Server hardening and patch management
Container security if the platform uses containerised architecture
Backup frequency and recovery procedures

Penetration testing

Regular penetration testing by independent security firms identifies vulnerabilities before malicious actors can exploit them. Ask the vendor:

How often do you conduct penetration tests?
Who performs them (in-house or independent third party)?
Can you share a summary of the most recent test results?
How are identified vulnerabilities remediated and verified?

Vulnerability management

A mature security programme includes continuous vulnerability scanning, a defined process for prioritising and patching vulnerabilities, and a track record of timely remediation.

Incident response

No security programme can prevent every incident. What matters as much as prevention is how the vendor responds when something goes wrong.

Incident response plan

Ask the vendor to describe their incident response plan:

How are incidents detected?
What is the escalation process?
What are the notification timelines? How quickly will you be informed?
Who is the point of contact for security incidents?
What is the post-incident review process?

Breach notification

Understand the vendor's obligations and commitments around breach notification:

What is the notification timeline? Many privacy laws require notification within 72 hours.
What information will be provided in the notification?
What remediation steps will the vendor take?
What support will the vendor provide to affected users?

Historical incidents

Ask whether the vendor has experienced any security incidents. A vendor that has never experienced an incident is either very fortunate or very new. What matters is how incidents were handled: transparently, promptly, and with clear remediation.

Security questions to ask every vendor

Before you commit to a board portal vendor, ask these questions:

What encryption is used for data in transit and at rest?
Is two-factor authentication mandatory for all users?
What role-based access controls are available?
How is access revoked when a director leaves the board?
What audit trail capabilities does the platform provide?
What security certifications do you hold, and when were they last renewed?
Where is data stored, and can you guarantee data residency?
How often do you conduct penetration testing, and by whom?
What is your incident response plan and breach notification timeline?
Can we review your SOC 2 Type II report or equivalent audit documentation?
Do you carry cybersecurity insurance?
What is your data retention and deletion policy?

Comparing board portal security to the alternatives

When evaluating the security of a board portal, compare it not to a theoretical ideal but to the alternative you are currently using.

Board portal vs. email

Email provides no encryption at rest, limited access controls, no audit trail for document access, no ability to revoke access after sending, and no protection against forwarding or downloading. A board portal is orders of magnitude more secure.

Board portal vs. shared drives

Shared drives (Google Drive, Dropbox, OneDrive) offer basic access controls but lack governance-specific features like role-based access, document watermarking, download restrictions, and comprehensive audit trails. Permissions are often set at the folder level, creating an all-or-nothing access model that does not suit governance. See our detailed comparison of board management software vs. Google Drive.

Board portal vs. paper

Paper board packs cannot be hacked remotely, but they can be lost, photographed, left on trains, or retrieved from recycling bins. Paper provides no audit trail, no access controls, and no ability to revoke access once distributed.

Security as a governance responsibility

Board security is not just an IT issue -- it is a governance issue. Directors have a fiduciary duty to protect the organisation's sensitive information. Using tools that do not provide adequate security is a governance failure, just as surely as failing to maintain proper minutes or track compliance obligations.

When boards invest in secure board management software, they are not just buying a tool -- they are fulfilling their duty of care. The compliance module in platforms like NFPHub complements this by ensuring that security policies are documented, reviewed, and maintained as part of the board's ongoing governance obligations.

Building a security-first culture in your board

Technology alone does not solve security problems. The most secure board portal in the world is undermined if directors use weak passwords, share login credentials, or discuss sensitive board matters on personal messaging apps.

Password policies

Require strong, unique passwords for board portal access. Encourage directors to use a password manager rather than reusing passwords from other services. The board portal is one of the most sensitive systems a director accesses, and it deserves a correspondingly strong password.

Device security

Advise directors on basic device security: keeping operating systems and apps updated, enabling device encryption, using screen locks, and avoiding public Wi-Fi for accessing board materials. These are not onerous requirements, but they significantly reduce the risk of unauthorised access.

Communication protocols

Establish clear protocols for how board business is communicated outside the portal. Discourage directors from discussing board matters via personal email, text message, or messaging apps where the conversation is not secure or auditable. The board portal should be the primary channel for all board-related communication.

Offboarding procedures

When a director's term ends or they resign, have a documented offboarding process that includes immediate revocation of portal access, return of any organisation-owned devices, and a reminder of ongoing confidentiality obligations. The faster and more systematic this process is, the lower the risk of post-departure data exposure.

Regular security reviews

Include a brief security review in the board's annual governance review. Confirm that access permissions are current, that departed directors have been removed, that two-factor authentication is enforced for all users, and that the vendor's security certifications are up to date.

Conclusion

Board portal security is not a technical afterthought -- it is a governance imperative. The sensitive nature of board materials demands security controls that general-purpose tools like email and shared drives simply cannot provide.

By demanding the security features, certifications, and practices outlined in this article, your board can operate with confidence that its materials are protected, its compliance obligations are met, and its directors' fiduciary duties are supported by appropriate technology.

For a comprehensive guide to evaluating board management software, including security and beyond, see our buyer's guide. And to see how NFPHub implements these security principles in practice, start a free trial today.