// Trust & Security Report
Edistorm Inc.
Stormboard — data-first digital whiteboard and collaborative workflow platform; sub-products include StormAI (Azure OpenAI-backed AI co-collaborator), Stormboard for Agile (Jira/Azure DevOps/Rally integrations), and Single Tenant Edition for enterprise data residency
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on stormboard.com“Stormboard has been certified by an independent auditor and complies with the requirements of Service Organization Control (SOC) 2 Type II certification. The SOC 2 Report is a standard auditing report governed by the American Institute of Certified Public Accountants (AICPA). If you would like more information on this report please contact sales@stormboard.com.”
Verify on stormboard.com“Your privacy is important to us, all data collected and stored follows GDPR compliance. We have appointed EU and UK Representatives under Article 27 of the EU GDPR and UK GDPR, respectively. We will ensure that any transfer of Personal Information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission.”
> Show 9 unconfirmed / not-held certifications
source: learn.microsoft.comStormboard self-attested to Microsoft 365 App Compliance Program: 'Is the app International Organization for Standardization (ISO 27001) certified? No' (attestation date November 9, 2023). Not mentioned on trust center.
source: learn.microsoft.comStormboard self-attested to Microsoft 365 App Compliance: 'Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A'. Not mentioned on trust center or privacy policy.
source: stormboard.comStormboard uses Stripe for all payment processing, which means that we never store any of your credit card data. PCI compliance belongs to Stripe, not Stormboard. Microsoft self-attestation: 'Do you carry out annual PCI DSS assessments against the app and its supporting environment? N/A'.
source: learn.microsoft.comStormboard self-attested to Microsoft: 'Does the app comply with International Organization for Standardization (ISO 27017)? No'.
source: learn.microsoft.comStormboard self-attested to Microsoft: 'Does the app comply with International Organization for Standardization (ISO 27018)? N/A'. No mention on trust center.
source: learn.microsoft.comStormboard self-attested to Microsoft: 'Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No'.
source: learn.microsoft.comStormboard self-attested to Microsoft: 'Has the app been Cloud Security Alliance (CSA Star) certified? No'.
source: stormboard.comNo public evidence on trust center, product pages, or privacy policy. Not mentioned in Microsoft 365 App Certification self-attestation.
source: learn.microsoft.comVendor claims Type II, not Type I. Microsoft self-attestation confirms Type II only. SOC 1 explicitly listed as N/A in Microsoft attestation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
Canada and USA by default. Enterprise Single Tenant Edition offers choice of: Canada, USA, Ireland, Germany, UK, France, Japan, Singapore, Australia, India.
StormAI explicitly does not train AI models on customer data: 'StormAI isn't used to train AI models.' Customer data sent to StormAI (powered by Microsoft Azure OpenAI Service) may be retained by the AI service partner for up to 30 days for debugging and misuse investigation only. A PII filter toggle is available for team administrators to redact personal information before transmission. Google Workspace API data is explicitly excluded from AI/ML model training. StormAI is an optional feature that can be disabled at the account level. NOTE: Microsoft Azure OpenAI Service does not appear in Stormboard's publicly listed sub-processors page as of the assessment date, which is a transparency gap.
// Security controls
Encryption in transit
TLS with strong ciphers and protocols by default for all data transfer to and from Cloud services
stormboard.comEncryption at rest
Data encrypted at rest; level depends on subscription tier. StormAI data encrypted at rest on Microsoft Azure dedicated single instance.
stormboard.comPenetration testing
Annual minimum; contracted to certified third-party security professionals for penetration test and web application vulnerability tests. Quarterly vulnerability scanning confirmed per Microsoft self-attestation.
stormboard.comHosting
Amazon Web Services (AWS) with Multi-AZ deployments and Auto Scaling Groups for high availability and redundancy
stormboard.comMulti-factor authentication
2FA available to all Stormboard users via authenticator app. MFA also enabled for code repositories, credentials, and DNS management per Microsoft self-attestation.
stormboard.comBackups
Fully redundant storage with nightly full system offsite backup (multi-tiered backup approach)
stormboard.comIntrusion detection
IDPS deployed at network perimeter; continuous monitoring for data breaches and anomalies with instant staff alerts
learn.microsoft.comAccess controls
Principle of least privilege; background checks and signed confidentiality agreements for all employees; formal provisioning, modification, and deletion processes for employee accounts
stormboard.comIncident response
Formal documented incident response process; data breach notification within 72 hours per GDPR (confirmed in Microsoft self-attestation). Incidents tracked by operations management until resolved.
stormboard.comPayment security
All payment processing via Stripe; Stormboard stores no credit card data. PCI compliance is Stripe's responsibility.
stormboard.comChange management
Formal change management process; all production changes risk-assessed, logged, approved, and peer-reviewed before deployment. Secure coding practices follow OWASP Top 10.
learn.microsoft.com// Products & data scope
data: Text, ideas, comments, votes, images, sketches, videos, documents, links posted to Storms. Personal information of users (name, email, company). Data stored on AWS in chosen region.
Storms are private by default, accessible only to explicitly invited users. Enterprise customers get additional privacy and access controls. Stormboard is the data processor; the customer is the data controller.
data: Storm content sent to Microsoft Azure OpenAI Service for AI processing. PII filter available to redact personal data before transmission. Data retained by Azure OpenAI for up to 30 days.
Optional feature; can be disabled at account level. Does not train AI models on customer data. Accessible to Storm Administrators and Contributors only (not guests). Azure OpenAI is not listed in the public sub-processors page - a transparency gap.
data: Bidirectional sync with Jira, Azure DevOps, and Rally. Sprint data, backlog items, estimations, and dependencies.
Live integrations; data mirrored between Stormboard and third-party tools. Users should review those tools' privacy policies separately.
data: All Stormboard data in a dedicated single-tenant environment in the customer's chosen geographic region.
Available regions: Canada, USA, Ireland, Germany, UK, France, Japan, Singapore, Australia, India. Designed for customers with regulatory or data residency requirements.
// What to watch
- SOC_2_STALENESS: SOC 2 Type II is claimed on the trust page but the most recent independently documented certification date is 2023-01-01 (per Stormboard's own self-attestation to Microsoft, submitted November 2023). No evidence of a 2024 or 2025 renewal was found. As of June 2026 the report may be over three years old. Procurement teams should request the current SOC 2 report directly from sales@stormboard.com to verify active certification.
- SUBPROCESSOR_GAP: StormAI is powered by Microsoft Azure OpenAI Service, but that provider does not appear in Stormboard's publicly listed sub-processors page (which lists AWS, HubSpot, Stripe, Zapier, Google, Bugsnag, SendGrid, Slack, Microsoft Corp. (generic), Maxio, Totango). The AI inference provider may be covered under the generic 'Microsoft Corp.' entry, but this is ambiguous. Customers should request a clarified sub-processor list before using StormAI with sensitive data.
- NO_ISO_27001: Stormboard explicitly confirmed no ISO 27001 certification in its Microsoft 365 App Certification self-attestation (November 2023). Vendors targeting regulated enterprise sectors typically hold this certification.
- HIPAA_NA: Vendor marked HIPAA as N/A in self-attestation. Not suitable for processing PHI or healthcare data without a Business Associate Agreement (BAA), which does not appear to be offered.
- NO_PUBLIC_DPA: No standalone publicly downloadable Data Processing Agreement was found. GDPR compliance is articulated through the privacy policy (EU/UK representatives, SCCs for EEA transfers) and a sub-processors list, but enterprise customers requiring a formal signed DPA should request one directly. The enterprise Customer Agreement may include DPA terms but this is not publicly confirmed.
- CREDENTIALS_IN_CODE: Stormboard self-attested to Microsoft 'Does your app store any credentials in code? Yes'. This is a security concern; procurement teams should ask for clarification on what credentials and what controls are in place.
// At a glance
Pricing model
Freemium (free personal plan) + paid team/enterprise subscriptions; enterprise includes custom terms, SLA, and quarterly business review
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Edistorm Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
stormboard.com