security overview

Security by design. Honest about posture.

Tenant isolation enforced in the database, not just the app. Role-based access control with an audit log on every decision. UK-hosted on equipment we own — your data stays in the UK, under a UK security perimeter.

Procurement downloads Speak to a security engineer

tenant isolation

Your data stays your data.

// 01

Two layers, not one.

Most platforms enforce tenant boundaries in the application. We enforce them in the application and in the database. If one fails, the other holds.

// 02

Audited, every query.

Every read and write writes to an audit log — who, when, and what they were allowed to see. Audit log retention scales with your tier, up to 7 years on Business and beyond on Enterprise.

// 03

Tested by people who break things for a living.

Penetration tests run against the live platform on every major release, with results published to customers under NDA. The implementation detail is open to your security engineers — ask, and we'll walk through it.

compliance posture

What's certified, and what's in scoping.

Framework	Status	Last reviewed	Next milestone
UK GDPR · DPA 2018	Operational	12 April 2026	Annual DPIA refresh
Cyber Essentials	Operational	2 March 2026	Annual recertification
ISO 27001:2022	In scoping	22 April 2026	Stage 1 audit · Q3 2026
SOC 2 Type II	Planned	—	Observation period · 2027
DORA (regulated finserv)	In scoping	6 May 2026	Compliance suite · live now

for procurement

The paperwork you'll be asked for.

Security overview · architecture brief Data Processing Agreement (DPA) Sub-processor list Incident response runbook Disaster recovery and backup plan Audit log and retention specification

Run a security review before the pilot.

Book the review Pricing