Where it lives, how long we keep it.
Our stance: UK/EU hosting only, no transfers outside the bloc, encryption at rest and in transit, and retention windows you can verify against the audit log.
Hosting
- Database: Neon Postgres in eu-west-2 (London).
- Document storage: Cloudflare R2 in an EU bucket. Right-to-work documents, certifications, and uploaded evidence are stored here.
- Compute: Vercel Edge / Node functions; the EU regions are preferred for tenant request routing where available.
No transfers outside UK/EU
Personal data does not leave the UK/EU in normal operation. If a sub-processor introduces a non-EU dependency in future we'll (a) update the sub-processors page, (b) ensure the transfer is covered by appropriate safeguards (the UK IDTA or EU standard contractual clauses), and (c) email customers where consent is required.
Encryption
- In transit: TLS 1.2 minimum on every public endpoint. HSTS on the production host.
- At rest: managed encryption by the storage providers (Neon, R2). Document blobs that contain sensitive personal data are additionally encrypted with platform-managed keys before they are written to storage, so the storage provider's encryption is not the only layer.
- Secrets: never committed to source control. CI checks block accidental commits of likely-secret patterns.
Retention windows
- Audit log, security events (sign-in failures, MFA challenges, impersonation, two-person approval workflows, privileged administrative operations): seven years.
- Audit log, read events: ninety days.
- Active account data: retained for the lifetime of your account.
- Deleted-account data: purged within thirty days of deletion request, except where statutory record-keeping (tax, right-to-work) requires longer retention.
- Billing data: retained for six years after the relevant tax year, in line with HMRC requirements.
Access controls
- Postgres row-level security scopes every read and write to the current tenant, so the database, not only the application, is the enforcement boundary: a query that omits a tenant filter still cannot see or modify another tenant's rows.
- Destructive or cross-tenant operations require two-person approval. Single-actor irreversible operations are not possible.
- Admin impersonation of a customer account is logged and time-boxed; the impersonation banner is visible to the admin for the entire session.
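The following is an added, illustrative example of the row-level-security pattern described above; it is not the product's own schema. The table, role and setting names (documents, app_user, app.tenant_id) and the tenant UUIDs are assumptions. It shows the three things that make RLS the real boundary: a non-superuser application role that cannot bypass RLS, FORCE so the table owner is constrained too, and a policy whose tenant comes from a transaction-local setting rather than from the query.

```sql
-- Added example (not the product's schema): tenant isolation with Postgres RLS.
-- Names and UUIDs below are assumed for illustration.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    filename   text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that owns no tables, is not a superuser and
-- cannot bypass RLS. Superusers and BYPASSRLS roles are never constrained by policies,
-- so an app connecting as the owner would silently get cross-tenant access.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- ENABLE alone leaves the table owner unconstrained; FORCE applies the policy to the
-- owner as well, which matters for migrations and admin tooling run as the owner.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The tenant id is read from a per-transaction setting. current_setting(..., true)
-- returns NULL when the setting is missing, and NULL = anything is not true, so a
-- request that forgot to set the tenant sees zero rows and can insert none.
-- USING gates reads/updates/deletes; WITH CHECK gates the rows being written.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request: pin the tenant with SET LOCAL so it cannot leak to the next
-- transaction on a pooled connection, then run ordinary queries.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO documents (tenant_id, filename)
VALUES ('11111111-1111-1111-1111-111111111111', 'right-to-work.pdf');

-- Returns only this tenant's rows even though there is no WHERE clause.
SELECT id, tenant_id, filename FROM documents;

-- The following would be rejected by WITH CHECK, because the row belongs to a
-- different tenant than the one pinned for this transaction:
-- INSERT INTO documents (tenant_id, filename)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'other.pdf');
COMMIT;
```

Two checks worth running against any such setup: confirm the application's connection role has neither SUPERUSER nor BYPASSRLS (`SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user';`), and confirm every tenant-scoped table shows both `relrowsecurity` and `relforcerowsecurity` as true in `pg_class`. A table with RLS enabled but a policy missing for one command (for example INSERT only covered by USING, with no WITH CHECK) is the usual way the boundary is quietly lost.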
Incidents
We notify affected customers and the ICO within 72 hours of becoming aware of any personal-data breach that meets the reporting threshold. Internal incident playbooks are documented under our security policy.
Related
See also the privacy policy, sub-processors, and trust & verification pages.