Data handling

Where it lives, how long we keep it.

Our stance: UK/EU hosting only, no transfers outside the bloc, encryption at rest and in transit, and retention windows you can verify against the audit log.

Hosting

  • Database: Neon Postgres in EU-west-2 (London).
  • Document storage: Cloudflare R2 in an EU bucket. Right-to-work documents, certifications, and uploaded evidence are stored here.
  • Compute: Vercel Edge / Node functions; the EU regions are preferred for tenant request routing where available.

No transfers outside UK/EU

Personal data does not leave the UK/EU in normal operation. If a sub-processor introduces a non-EU dependency in future we'll (a) update the sub-processors page, (b) ensure the transfer is covered by appropriate safeguards (IDTA / standard contractual clauses), and (c) email customers where consent is required.

Encryption

  • In transit: TLS 1.2 minimum on every public endpoint. HSTS on the production host.
  • At rest: managed encryption by the storage providers (Neon, R2). Document blobs are also pre-encrypted with platform-managed keys where they contain sensitive personal data.
  • Secrets: never committed to source control. CI checks block accidental commits of likely-secret patterns.

Retention windows

  • Audit log, security events: seven years. (Sign-in failures, MFA challenges, impersonation, two-person approval workflows, privileged administrative operations.)
  • Audit log, read events: ninety days.
  • Active account data: retained for the lifetime of your account.
  • Deleted-account data: purged within thirty days of deletion request, except where statutory record-keeping (tax, right-to-work) requires longer retention.
  • Billing data: retained for six years after the relevant tax year, in line with HMRC requirements.

Access controls

  • Postgres row-level security gates every read and write to the current tenant. The database is the enforcement boundary, not just the app.
  • Destructive or cross-tenant operations require two-person approval. Single-actor irreversible operations are not possible.
  • Admin impersonation of a customer account is logged and time-boxed; the impersonation banner is visible to the admin for the entire session.
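To make the row-level security claim above concrete, here is an added illustration of the pattern in PostgreSQL; it is not Addaeus's own schema or code. The table `documents`, the role `app_user`, the setting name `app.current_tenant` and the UUIDs are assumptions chosen for the example.

```sql
-- Added illustration (not the platform's own schema): tenant isolation with
-- Postgres row-level security, so the database, not the app, is the boundary.
-- Assumptions: a table documents with a tenant_id column, an application role
-- app_user that the API connects as, and a per-transaction setting
-- app.current_tenant that the API pins at the start of each request.

CREATE TABLE IF NOT EXISTS documents (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  title      text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Read the tenant for this transaction. current_setting(..., true) returns NULL
-- rather than erroring when the setting is absent, and NULL never equals any
-- tenant_id, so a request that forgot to set it sees no rows (fails closed).
CREATE OR REPLACE FUNCTION current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.current_tenant', true), '')::uuid
$$;

-- One policy covers every command: USING filters the rows a statement may see
-- or touch, WITH CHECK rejects INSERT/UPDATE rows that would land in another
-- tenant. Without it, an app bug that writes tenant B's id would succeed.
CREATE POLICY tenant_isolation ON documents
  FOR ALL
  USING (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- The application role must not own the table and must not have BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Per request the API pins the tenant with SET LOCAL, which is scoped to the
-- transaction, so the value cannot leak into the next transaction that a
-- pooled connection serves.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SET LOCAL ROLE app_user;
INSERT INTO documents (tenant_id, title)
  VALUES ('11111111-1111-1111-1111-111111111111', 'own-tenant row');     -- allowed
SELECT id, title FROM documents;   -- returns only rows of tenant 1111...
COMMIT;

-- A cross-tenant write is refused by the WITH CHECK clause with
-- "new row violates row-level security policy", regardless of app code.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
SET LOCAL ROLE app_user;
INSERT INTO documents (tenant_id, title)
  VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant row');   -- rejected
ROLLBACK;
```

Two checks worth running against a real deployment of this pattern: confirm the API's login role reports `rolbypassrls = false` and `rolsuper = false` in `pg_roles` (superusers and BYPASSRLS roles skip policies entirely), and confirm that a connection which never sets `app.current_tenant` returns zero rows rather than every row, which is what the `NULLIF`/`NULL` handling in `current_tenant()` is there to guarantee.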

Incidents

We notify affected customers and the ICO within 72 hours of becoming aware of any personal-data breach that meets the reporting threshold. Internal incident playbooks are documented under our security policy.

Related

See also the privacy policy, sub-processors, and trust & verification pages.
