Security
Last updated on July 2, 2026.
Access controls
The production system should gate owner, editor, commenter, and viewer access through server-side board capabilities.
Public routes should avoid recording raw share tokens, passwords, or access tokens in receipts, logs, or analytics.
Storage boundaries
Metadata, board documents, binary assets, export artifacts, sessions, and billing records should have explicit ownership and retention rules.
Operational proof
Trust sections should be backed by real proofs: preview deploys, read-only share checks, export-download gates, and billing entitlement receipts.