I used to think all board portals were basically the same. Then I saw a board pack with confidential M&A notes being shared over plain email, and I started checking every vendor like a paranoid security engineer on espresso, starting from simple things like SSL on their [homepage](https://techworldexpert.com/) and ending up down rabbit holes of certificates and cipher suites.
If you just want the quick answer: three board portal providers that take SSL encryption seriously and put it front and center are Diligent Boards, BoardEffect, and OnBoard. All three use HTTPS with valid TLS certificates, support modern encryption protocols, and design their products around secure access for directors and administrators. The real difference is how deep they go with encryption, authentication, and admin controls beyond the basic “lock in the browser bar.”
Why SSL (TLS) Matters So Much For Board Portals
People throw around “SSL” a lot, but what board portals actually rely on is TLS (Transport Layer Security). SSL is the older name. Everyone still says it. Security engineers wince a little inside.
For board portals, TLS is not a nice-to-have. Boards see:
– M&A plans
– Executive compensation
– Legal risk assessments
– Cybersecurity incidents
– Strategy leaks that can move a stock price
Without strong TLS:
– An attacker on a public Wi-Fi network could spy on a director reviewing board papers.
– Session cookies could be stolen and used to impersonate a director.
– Login credentials could leak, and attackers could get portal access.
If your board portal does not enforce HTTPS with modern TLS across every page, it is not suitable for serious board work. Full stop.
Here is where people often make a mistake: they look for a padlock icon in the browser, see “https://” and feel done. But modern SSL/TLS security needs more than that.
What “Good SSL” Looks Like For A Board Portal
Before getting into specific providers, it helps to define what strong SSL/TLS actually means in this context.
- HTTPS enforced everywhere: No HTTP fallbacks, no mixed-content warnings, and automatic redirects to HTTPS.
- Modern TLS versions only: TLS 1.2 and TLS 1.3 enabled, with older protocols (like SSLv3, TLS 1.0, TLS 1.1) disabled.
- Trusted certificates: Certificates issued by a well-known CA, with correct hostname matching and non-expired certificates.
- Strong cipher suites: No old ciphers like RC4 or 3DES, preference for forward secrecy ciphers (ECDHE).
- HSTS (HTTP Strict Transport Security): Tells browsers to never use HTTP at all for that domain.
- Secure cookies: Session cookies marked Secure and HttpOnly, with sane expiration and SameSite flags where possible.
You do not need to show your board a cipher list. But someone in IT or security should test the portal with tools like:
– Qualys SSL Labs server test
– SecurityHeaders.com
– Browser developer tools
You want the board portal vendor to be at least as careful as your own security policies require for internal apps.
If your organization has a strong security baseline, your board portal should not be an exception just because it is for executives.
Now, let us look at three providers that treat SSL and encryption as core, and not as marketing decoration.
1. Diligent Boards: Enterprise-Grade SSL With A Heavy Compliance Focus
Diligent is one of the biggest names in the board portal space. Large enterprises, financial services, and public companies use it. That scale brings scrutiny from security teams, which pushes Diligent to keep its encryption posture strong.
How Diligent Handles SSL / TLS
Here is what you typically see when you examine Diligent’s platform from a TLS perspective:
- Always-on HTTPS: The portal enforces HTTPS and redirects HTTP requests to secure versions of the page.
- TLS 1.2 and TLS 1.3: Older insecure protocols are disabled, which aligns with modern browser standards and compliance expectations.
- Modern cipher suites: Focus on forward secrecy (ECDHE-based suites) with AES-GCM, which is what you want for sensitive content.
- Valid CA-issued certificates: Trusted, regularly renewed, with correct certificate chains configured.
- HSTS support: Configuration that instructs browsers to always speak HTTPS with the portal domain.
This means the basic browser-to-portal connection is well protected. But if you stop at “browser lock looks good,” you miss the stronger story.
Encryption Beyond SSL: Data At Rest And In Transit
Board content is not only at risk while in transit. It sits on servers, backups, and sometimes on devices.
Diligent usually combines SSL/TLS with:
– Encryption of documents at rest on servers
– Encrypted storage for notes and annotations
– Encrypted channels for push notifications and app traffic on mobile
You can usually get specifics (key management approach, key lengths, cloud region choices) under NDA in a security whitepaper or via a security questionnaire.
Good SSL is table stakes. What sets a serious board portal apart is how it protects content at rest and on every device where it lives.
Authentication And Access Controls
SSL protects the connection. It does not decide who is on each side. Diligent pairs TLS with:
| Security Feature | How It Helps Boards |
|---|---|
| Single Sign-On (SAML / OIDC) | Lets you tie board access to corporate identity systems like Azure AD or Okta. |
| Multi-factor authentication (MFA) | Reduces risk of portal access from stolen passwords. |
| Granular role controls | Directors see only the committees and documents they actually need. |
| Device management settings | Admins can force PINs, biometrics, and set wipe rules on the mobile app. |
This is where Diligent fits well for regulated sectors or large organizations with formal security policies.
Who Diligent Boards Fits Best
Diligent tends to make sense if you:
- Run a listed company or a large private group with heavy regulatory expectations.
- Have an internal security team that will run a thorough review of vendor practices.
- Need strong audit trails and reporting for compliance, not just convenience.
If you are a smaller nonprofit or a mid-size company, Diligent can feel heavy. It is powerful, but it is not always the simplest option for lean teams. Still, from a TLS and encryption perspective, it is one of the more mature options.
2. BoardEffect: Strong SSL For Mission-Driven Organizations
I have seen a lot of nonprofits and member-based organizations start with shared folders and email, then move to BoardEffect when something sensitive goes wrong. Often after a near-miss.
BoardEffect focuses a lot on governance and ease of use for boards that do not always have a full IT department behind them. Security, including SSL, still has to be solid, but the admin experience needs to be approachable.
SSL / TLS Implementation In BoardEffect
When you inspect BoardEffect’s platform from a TLS standpoint, you will usually find:
- Full-site HTTPS: Login, document views, e-votes, and admin areas all run over secure connections.
- Modern TLS: Support for TLS 1.2+ with deprecation of older versions, matching browser standards.
- Strong certificates: Standard CA-issued certificates with proper hostname coverage and chain configuration.
- No mixed content: Interface resources (scripts, styles, assets) are loaded over HTTPS to avoid downgrade or injection risks.
For non-technical teams, the nice part is you do not have to touch any of this. You just get a secure-by-default portal without managing certificates or dealing with SSL configuration.
Data Security Features That Matter Alongside SSL
BoardEffect tends to pair SSL/TLS with features that close common gaps seen in community and nonprofit boards, such as:
| Feature | Why It Matters |
|---|---|
| Encrypted document storage | Meeting packets, policies, and board books are protected at rest on the vendor’s side. |
| Granular sharing | Helps stop over-sharing sensitive items to observers or non-voting attendees. |
| Role-based permissions | Committees, executives, and external advisors can be limited to their area only. |
| Audit logs | Shows who accessed or modified important board materials and when. |
Many boards think “we are small, no one will target us.” That is not how attackers think. They look for weak links with valuable data.
Nonprofits often hold personal data, health data, or funding information. So an SSL-secure, encrypted board portal is not a luxury; it is quiet risk control.
Authentication, SSO, And Access Policies
BoardEffect sits in an interesting middle ground. It has:
– Support for single sign-on in higher tiers
– Good password policies and session controls
– Optional multi-factor authentication
Larger nonprofits or education boards can integrate identity systems, but smaller organizations can still operate safely with built-in controls.
If you adopt BoardEffect, I would still recommend:
- Enforcing multi-factor authentication for all directors.
- Creating named accounts for each user, never sharing logins.
- Reviewing access rights at least once a year, especially after member turnover.
Who BoardEffect Fits Best
BoardEffect is a strong candidate if:
- You are a nonprofit, association, educational board, or health-related board.
- You need strong SSL encryption and secure document handling without heavy internal IT support.
- You want governance features (meetings, voting, evaluations) integrated with secure board materials.
If your organization is very large with strict internal security practices, you might eventually grow into something more enterprise-heavy, but many organizations stay with BoardEffect for years without outgrowing it.
3. OnBoard (by Passageways): Modern UX With Solid TLS Security
OnBoard started getting traction with companies that cared about both UX and security. Boards were tired of clunky tools, but IT teams were tired of ad-hoc solutions.
When you look at OnBoard, its public materials and technical behavior show a clear focus on TLS and encryption as part of the core design, not as an afterthought.
OnBoard SSL / TLS Security Posture
From a TLS perspective, OnBoard usually checks the main boxes:
- Universal HTTPS: Every part of the portal, from login to agenda views, runs over HTTPS.
- TLS 1.2 / 1.3 support: Older, weak protocol versions are disabled in favor of current standards.
- Modern cipher suites: ECDHE-based key exchange and AES-GCM encryption are typically prioritized.
- Correct certificate handling: Valid CA-signed certs with clean chains and no obvious misconfigurations.
From the browser perspective, this translates into a clean padlock, no mixed-content warnings, and good scores in standard SSL tests.
End-to-End Security Design
OnBoard markets itself around encryption fairly often, and not only at the TLS layer. Features you will often see highlighted:
| Security Element | What It Covers |
|---|---|
| Encryption in transit | SSL/TLS between user devices and the OnBoard servers. |
| Encryption at rest | Document storage, notes, attachments stored encrypted on disk. |
| Protected annotations | Director notes are encrypted so that personal comments stay private. |
| Data center security | Hosting in reputable cloud environments with physical and logical controls. |
Good board security is a stack: TLS, device controls, identity controls, and careful design of how documents move between them.
Authentication, SSO, MFA, And Conditional Access
OnBoard tends to appeal to IT teams because it plays well with identity management:
– Support for SSO through providers like Azure AD and Okta
– Multi-factor authentication options
– Admin-controlled password and session policies
– Content-specific access rules for committees and user types
For organizations already invested in identity management, this is a way to keep board access under the same umbrellas as other corporate systems.
Who OnBoard Fits Best
OnBoard usually works well for:
- Mid-size to large companies with some IT/security maturity.
- Organizations that want a cleaner UX than old-school portals but still need strong TLS, encryption, and SSO.
- Private equity portfolio companies, professional services firms, and modern nonprofits.
It may feel like overkill if you are a very small board with only a few members, but if you plan to grow or if you already have compliance expectations, that is not a bad thing.
How To Verify SSL Encryption For Any Board Portal
Even if a provider claims “we use strong SSL encryption,” do not just accept the line. Security-related marketing is often vague. You do not need to be a deep security expert to run basic checks.
Step 1: Check The Browser Connection
Open the portal login page and:
- Ensure the URL starts with “https://”.
- Click the padlock icon in your browser address bar.
- Check that the certificate is valid, issued to the correct domain, and not expired.
- Look for information about the encryption protocol (usually listed as TLS 1.2 or TLS 1.3).
If you see warnings like “connection not secure” or “certificate invalid,” that is a red flag for a production board portal.
Step 2: Run An SSL Test
Use a tool like Qualys SSL Labs (public and free) to scan the portal domain:
- Enter the portal URL (or the login subdomain) into the SSL test tool.
- Review the grade. A or A+ is good; B or below deserves questions.
- Check for:
- Supported protocols: You want TLS 1.2 and ideally TLS 1.3.
- Disabled weak protocols/services: SSLv3, TLS 1.0, TLS 1.1 should be off.
- Supported ciphers: Look for strong ciphers with forward secrecy.
If a board portal vendor scores poorly on an SSL test, it is fair to ask them why and when they will fix it.
Step 3: Ask Direct Security Questions
Here are questions your security or IT team can send to any board portal vendor:
- Which TLS versions are enabled on your production systems?
- Which cipher suites do you support, and how do you choose your preferred ones?
- Do you enforce HTTPS for all application pages?
- Do you support HSTS (HTTP Strict Transport Security)?
- How do you handle certificates and certificate renewal?
If the vendor avoids concrete answers or sends back only marketing language without detail, be cautious.
Comparing The 3 SSL-Focused Board Portals Side By Side
No vendor is perfect for every board. Here is a simple comparison focused on TLS and related security posture, not on every feature.
| Provider | TLS / SSL Strength | Data Encryption Beyond TLS | Identity & Access Controls | Best Fit |
|---|---|---|---|---|
| Diligent Boards | Strong TLS 1.2/1.3, HSTS, tight config | Yes, strong focus on encrypted storage and secure workflows | Enterprise SSO, MFA, detailed admin policies | Public companies, large private groups, regulated sectors |
| BoardEffect | Secure TLS deployment, HTTPS everywhere | Encrypted document storage and logs | Good role and password controls; SSO on some plans | Nonprofits, associations, education and community boards |
| OnBoard | Strong TLS 1.2/1.3, secure cipher choices | Encryption at rest, protected annotations | Modern SSO, MFA, and policy control | Mid-size and large organizations wanting modern UX with security |
Where Boards Still Go Wrong, Even With SSL
Here is the uncomfortable part. You can pick a portal with strong TLS and still end up exposed because of user behavior and policy gaps.
Common Mistakes That Undermine SSL
- Sharing logins between directors: SSL does not help if four people use the same account.
- Downloading sensitive PDFs to personal devices: Once a file is on an unprotected laptop, TLS is no longer protecting it.
- Weak personal email accounts: If password resets route through a compromised email account, attackers can walk in.
- No mandatory MFA: Single-factor accounts are an easy target, even with TLS in place.
- Printed board packs left lying around: Encryption does not help physical documents left on desks or in hotel rooms.
SSL encryption protects the road. If you leave the car unlocked at the destination, the trip security does not matter much.
Policies That Make Your Portal Safer
No vendor can fix policy on your behalf. Some simple measures make a big difference:
- Require multi-factor authentication for every board portal user.
- Prohibit account sharing in your board charter or governance guidelines.
- Set clear rules on downloading and printing sensitive content.
- Schedule periodic access reviews with the company secretary or IT.
- Offer short security awareness refreshers for directors once a year.
Even experienced directors sometimes need reminders. Many of them learned board work before digital portals were a thing.
How To Choose Between Diligent, BoardEffect, And OnBoard
If you have narrowed your search to these providers because you care about SSL and encryption, the choice usually comes down to your context, not just technical features.
Questions To Ask Yourself And Your Team
- What is our regulatory exposure? Financial services, healthcare, and listed companies usually lean toward Diligent or OnBoard.
- How strong is our internal IT support? Smaller teams often find BoardEffect easier to run with.
- Do we already use SSO everywhere? If yes, test SSO integration as part of your pilot with each vendor.
- How tech-comfortable is our board? That should influence UX decisions, not just security architecture.
Try to involve:
– The company secretary or equivalent role
– Someone from IT or security
– A couple of directors who will be daily users
Do not let the decision be made on a single demo attended only by one function.
Run A Short Pilot, Not Just A Demo
A demo is a sales story. A pilot is closer to reality.
For each vendor that looks promising:
- Ask for a test environment.
- Have directors log in from laptops and mobile devices.
- Ask IT to run TLS and security tests against the test portal.
- Test account creation, removal, and permission changes.
Again, keep encryption and SSL in focus, but do not ignore everyday friction. A portal that is secure but unused does not improve your risk profile.
Why SSL Alone Is Not Enough (But Still Non‑Negotiable)
There is a small trap here. Once people learn about TLS, cipher suites, and SSL Labs scores, they sometimes think that is the whole story. It is not.
SSL/TLS is:
– A necessary foundation
– Visible and testable
– One of the simpler parts to audit from the outside
But board security also rests on:
- Vendor hosting practices and incident response.
- Access reviews and offboarding when directors leave.
- Data retention rules and deletion policies.
- Use (or neglect) of MFA and SSO.
So yes, you want a provider like Diligent, BoardEffect, or OnBoard that gets SSL right. Just do not treat the padlock as the end of your homework.
