Security & Trust
Procurement-grade disclosure, written without marketing fluff
Designed for the security and procurement teams who read these pages closely. Transparent on what is in place versus what is in progress.

- SOC 2 Type II (In progress): Audit period commenced June 2026. Type II report targeted Q4 2026.
- ISO/IEC 27001 (Alignment commenced): Information security management system aligned to Annex A controls. Certification targeted Q2 2027.
- UK GDPR (Aligned from day one): ICO-registered DPO, UK data residency by default, sub-processor list published.
Encryption
- AES-256 encryption at rest (managed KMS)
- TLS 1.2+ in transit, modern cipher suites only
- Per-tenant data isolation with logical separation
- Customer-managed keys available on Enterprise tier
Access control
- Principle of least privilege across all systems
- MFA enforced for all internal access — phishing-resistant where possible
- Named-access audit log retained for 7 years
- Quarterly access reviews against role baselines
Data residency & sub-processors
- UK data residency by default (London region)
- EU residency available for cross-border deployments
- Sub-processor list maintained publicly
- 30-day notice on sub-processor changes
Incident response
- 24/7 on-call rotation
- Customer notification within 72 hours of confirmed incident
- Post-incident report with root-cause and remediation
- Annual tabletop exercise with named external counsel
Insurance
Cyber, Professional Indemnity and Employer's Liability cover in place. Certificates available to customers under NDA on request.
Sub-processors
Maintained and version-stamped. Customers receive 30 days' notice of changes.
| Sub-processor | Purpose | Region |
|---|---|---|
| AWS (London) | Primary hosting & storage | UK |
| AWS KMS | Key management | UK |
| Stripe | Billing & subscription | UK / EU |
| Postmark | Transactional email | EU |
| PostHog (EU) | Privacy-first product analytics | EU |
| Auth provider (Clerk / Auth0) | Authentication | EU |
Request a security questionnaire
SIG-Lite, CAIQ or custom. Returned within five working days under NDA.