Security & compliance

Your data is the point. We treat it like it.

"Owning your software" only matters if owning it actually means owning it. Here's exactly where your data lives, who can see it, and which frameworks we follow when we build for you — written in plain English, no logos-on-a-wall.

At a glance

Data residency
UK or EU regions. You pick at kickoff.
Database
Postgres on Neon (AWS Frankfurt, eu-central-1) or AWS RDS in eu-west-2 (London) for regulated clients.
Application hosting
Vercel — Fluid Compute in eu-west regions. Static assets via Vercel's edge.
Encryption in transit
TLS 1.3 everywhere. HSTS preloaded.
Encryption at rest
AES-256 on Postgres and all backups. Secrets managed via Vercel + 1Password.
Backups
Continuous point-in-time recovery (PITR) with 7–30 days of history depending on plan. Restorable to any minute within that window.
DPA
GDPR-compliant Data Processing Agreement signed before code lands.
Sub-processors
Listed by name in our DPA. Currently: Vercel, Neon, Resend, Sentry. Any change ≥30 days notice.

Why a custom build can be more secure than the SaaS

The big SaaS vendors will hand you a SOC 2 report and a logo wall. What they won't hand you is a clear answer to "exactly which of your employees can read our customer records?" or "when do you delete this data after we cancel?" With a bespoke rebuild:

Frameworks we build to

We're a studio, not a Fortune 500 vendor. We build the software to your compliance bar, not the other way round. That means we follow the controls behind these frameworks even when an annual audit isn't in scope for your build.

ISO 27001 / 27017 / 27018

We map every project to the Annex A controls. Access control, cryptography, supplier security, incident management — all documented per build. We can hand the matrix to your auditor.

SOC 2 (Type I and II)

The codebase ships with the artefacts SOC 2 expects: audit logs, backup runbooks, encryption documentation, RBAC, change-management via PR review. If you need a formal report, we coordinate with your CPA.

UK GDPR & EU GDPR

Lawful basis documented, data minimisation by default, retention policies in code, subject-access and erasure flows baked in. Standard Contractual Clauses plus the UK Addendum to the EU SCCs on file for cross-border transfers.

OWASP ASVS Level 2

Web application security verification at level 2 is our baseline — auth, session, input handling, dependency hygiene, logging. We run automated dependency scans (Dependabot) on every repo.

PCI DSS (when payments touch us)

We default to SAQ A: payments are handled by Stripe or your processor, so card numbers never pass through code or infrastructure we run. That only holds while the card-entry form is served entirely by the validated provider (hosted page or iframe); if a script on our page handles card fields, the scope moves to SAQ A-EP. If your scope requires more, we scope and isolate the card-data plane separately.

NHS DSPT / HIPAA-like (on request)

For healthcare clients we've worked through NHS Data Security and Protection Toolkit submissions. HIPAA equivalents handled by architecture, not by sticker.

We don't claim certifications we don't hold. If a tender requires a current ISO 27001 or SOC 2 Type II report from us, the honest answer is: we'll work with your existing audited cloud provider (Vercel, Neon, AWS) and a named CISO partner — happy to walk through the structure on a call.

Running it in production

Logging & audit

Application logs go to Vercel and Sentry. Database mutations are recorded in an append-only audit table by default. Console and any shell access on Neon and AWS uses short-lived credentials issued through SSO.
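One concrete shape for that audit table, added here as an example rather than code from the studio's builds: a Postgres trigger that records every INSERT, UPDATE and DELETE on a watched table into a log the application role can read but never change. The table name (orders), the application role (app_rw) and the per-transaction setting app.actor that the application is assumed to populate are all assumptions for the example.

```sql
-- Added example, not the studio's own code. Names assumed: table "orders",
-- application role "app_rw", and a per-transaction GUC "app.actor" that the
-- application sets (SET LOCAL app.actor = 'user:42') before it writes.

CREATE TABLE audit_log (
    id          bigserial    PRIMARY KEY,
    happened_at timestamptz  NOT NULL DEFAULT now(),
    db_role     text         NOT NULL,   -- connecting Postgres role
    actor       text,                    -- application-level user, if set
    table_name  text         NOT NULL,
    operation   text         NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    row_before  jsonb,                   -- NULL on INSERT
    row_after   jsonb                    -- NULL on DELETE
);

-- SECURITY DEFINER: the trigger inserts as the function owner, so the app
-- role needs no INSERT right on audit_log at all. search_path is pinned so
-- a writable schema can't shadow the objects this function touches.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
BEGIN
    INSERT INTO audit_log (db_role, actor, table_name, operation, row_before, row_after)
    VALUES (
        session_user,                                 -- the real connecting role
        current_setting('app.actor', true),           -- NULL if the app did not set it
        TG_TABLE_NAME,
        TG_OP,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END;
$$;

-- Attach once per table whose mutations must be recorded.
CREATE TRIGGER orders_audit
AFTER INSERT OR UPDATE OR DELETE ON orders
FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Append-only for the application: it may read the log but never change it.
REVOKE ALL ON audit_log FROM app_rw;
GRANT SELECT ON audit_log TO app_rw;

-- Belt and braces: reject UPDATE/DELETE/TRUNCATE even from roles that do hold
-- the privilege. The table owner can still drop the trigger, so shipping rows
-- to a separate store is what makes the log tamper-evident against them.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
BEFORE UPDATE OR DELETE ON audit_log
FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
BEFORE TRUNCATE ON audit_log
FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();
```

The application sets app.actor at the start of each transaction so the log carries the end user as well as the database role; session_user rather than current_user is recorded because inside a SECURITY DEFINER function current_user is the function's owner. Run the DDL as the schema owner, not as app_rw.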

Monitoring & uptime

Uptime monitoring via BetterStack or Vercel's built-in monitoring, with a public status page. Production incidents trigger PagerDuty (or your tool) and a post-mortem within 5 working days.

Disaster recovery

RPO ≤ 5 minutes, RTO ≤ 4 hours on the standard plan. Tested twice a year against a clean restore; the playbook is in your repo.

Vulnerability management

Dependabot on every repo. Dependency CVEs are triaged within 72 hours, critical ones within 24. Annual third-party pen test for production builds, with scope and findings shared with you.

Access & RBAC

Engineers on your build sign in via SSO (Google or Microsoft) with WebAuthn as the second factor. Production access requires a named approver. Break-glass accounts are logged separately.

Secrets

Environment variables live on Vercel; long-lived secrets in 1Password, one shared vault per project. gitleaks runs as a pre-commit hook so secrets are caught before they reach git (a local hook can be skipped with --no-verify, so treat it as the first line of defence rather than the last).

Documents we can share

Email us and we'll send any of these — usually same-day.

  • Standard DPA (UK GDPR + EU SCCs)
  • Sub-processor list with locations
  • Information Security Policy
  • Business Continuity & DR plan
  • Security questionnaire (SIG-Lite / CAIQ)
  • Pen-test summary (most recent)
  • Vercel SOC 2 attestation (hosting)
  • Neon SOC 2 attestation (database)

Security review or questionnaire?

Send your questionnaire or just tell us the framework you need to satisfy. We'll respond with the right artefacts and the gaps we can close before the build kicks off.

Send a security or compliance request

DPA, sub-processor list, SIG-Lite — say what you need.

Or just go back to the calculator and we'll bring this up on the kickoff call.