Privacy Policy & Security
Introduction
At Painboard, we are committed to maintaining the trust and confidence of our clients and visitors to our web service. In this Privacy Policy, we provide detailed information on when and why we collect personal information, how we use it, the limited conditions under which we may disclose it to others, and how we keep it secure.
Data Privacy Commitment
Painboard considers data privacy an integral part of our operations. We understand the importance of your personal information and are committed to processing it responsibly and in compliance with applicable data protection laws.
Data Collection
When you start using our service, you can choose which data sources will be ingested into the platform. We respect our customers' autonomy in determining how their data is structured and managed within our platform. We provide several methods for data submission:
- Third-Party APIs: With the customer's permission, we can receive data through secure, authenticated connections with other software systems the customer uses.
- Automated Data Feeds: Customers may also set up automatic transfers of data into our platform, which requires appropriate configuration on their part to ensure the feeds work smoothly with our systems.
- Email: Customers can send their data to us via email by attaching files to messages sent to specific email addresses we designate.
Our policies for protecting and handling data are designed to be robust, and we are committed to maintaining the security and confidentiality of the data entrusted to us throughout the collection and use process.
Data Processing and Structure
All incoming data is standardized into a uniform structure. Our scanning procedures are designed to identify and expunge any Personally Identifiable Information (PII) to help protect your privacy. In addition, customers can customize their data ingestion processes through configuration options.
Data Retention Policy
We do not persistently store any customer data prior to the completion of PII removal protocols. Your data is only recorded in the Painboard system after this cleansing process, ensuring that only non-personal data is retained.
Protection of Customer Data
Painboard is committed to never selling or renting your data or sharing it with third parties for their own marketing purposes. We respect your information and only use it as necessary to deliver and improve our services, or as otherwise described in this Privacy Policy.
International Data Transfers
To align with international data protection regulations, Painboard enters into a Data Processing Addendum (DPA) with its customers that encompasses suitable legal transfer mechanisms, helping to ensure data protection across borders. Painboard utilizes AWS as its primary infrastructure subprocessor and has executed a DPA with AWS to support compliance with GDPR and CCPA requirements.
Data Security Infrastructure
Painboard employs a multi-layered security architecture designed to safeguard customer data throughout its lifecycle. Our platform is hosted on Amazon Web Services (AWS) within the United States, leveraging AWS’s industry-leading security, reliability, and compliance standards.
We implement security controls across the following areas:
Infrastructure Security
- All systems are hosted within AWS Virtual Private Clouds (VPCs) with restricted network access.
- Access to infrastructure components is governed by the principle of least privilege and enforced through role-based access controls (RBAC).
- Administrative access requires multi-factor authentication (MFA) and is continuously monitored.
Data Security
- Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256 or AWS-managed KMS keys.
- No raw customer data is stored until PII removal is completed; PII-containing data is held only ephemerally during processing.
- Strict data minimization rules ensure we store only what is necessary to provide our service.
Application Security
- We perform continuous monitoring for anomalous activity, intrusion attempts, and insecure behaviors.
- Our authentication and authorization layers are designed to prevent unauthorized access to customer data.
Operational Security
- Painboard maintains internal security policies covering access control, device management, incident response, and employee training.
- We conduct periodic reviews of our security posture and partner only with subprocessors that meet or exceed our security requirements.
Compliance
- AWS infrastructure used by Painboard meets a broad range of compliance standards, including SOC 2, ISO 27001, and others relevant to cloud hosting environments.
- Painboard aligns its internal security practices with modern industry standards and follows best practices for secure software development and data protection.
- Customer data are processed and hosted on trusted third-party providers (such as AWS) that maintain industry-recognized security and compliance certifications.
Data Deletion Request
After the termination of our agreement with any customer, Painboard will process a data deletion request upon receiving a written request from the customer. The deletion of customer data from production systems will commence within 30 days of our receipt of your written request and will typically be completed within 3 to 4 weeks thereafter.
Data Subject Rights
At Painboard, we recognize that the data processed on our platform remains the exclusive property of our clients, who act as data controllers. We do not determine the purposes and means of processing that data; instead, we act as a data processor and custodian on behalf of our customers.
In keeping with our privacy principles, our systems are designed so that identifiable information is not retained. Before any customer data is stored on the Painboard platform, it undergoes a process designed to scrub or mask any Personally Identifiable Information (PII).
Our customers, as data controllers, are equipped with the necessary means to oversee their users' data requests within their own systems. Individuals (data subjects) should direct their inquiries or exercise their data protection rights to the customer handling their data.
Should Painboard receive any data subject requests pertaining to customer data, our protocol is to guide the individual to approach the relevant customer directly. Our customers are responsible for addressing such requests in accordance with applicable data protection laws.
We are committed to providing our customers with reasonable support to facilitate their compliance with these laws, where feasible and within the scope of our obligations under our service agreement with them.
Changes to our Privacy Policy
We may update this Privacy Policy periodically and will provide notice of any significant changes to the way in which we treat personal information.
Contact Information
Should you have any questions about this Privacy Policy, our data handling practices, or your dealings with the Painboard platform, please contact us at:
Email: privacy@jimulabs.com
Your privacy and data protection are of the utmost importance to us. We’re dedicated to being transparent about what we do with the information you entrust to us and to protecting it to the best of our ability.
Last updated: November 13, 2025