Boring, deliberate, documented.

Exactly how security should be. Here's how we look after your data.

Tenant isolation

Every customer's data is isolated at the database layer through row-level security policies tied to their organisation. Your records aren't reachable by another customer.

Recorded compliance actions

Key compliance actions — renewals, sign-offs, document acknowledgements, and ID and right-to-work checks — are recorded with the user, timestamp and outcome.

Role-based access

Access is enforced both in the app and in the database. Workers only see their own records, managers see their direct reports, and admins see only what their role permits.
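The tenant isolation and role-based access described above, as an added example that is not the product's own schema or policies: how org-scoped row-level security plus worker / manager / admin visibility is typically written in Postgres (which Supabase runs on). The profiles and records tables, their columns and the role names are assumptions; auth.uid() is Supabase's helper returning the signed-in user's id.

```sql
-- Assumed tables (not the product's real schema).
create table profiles (
  id         uuid primary key,
  org_id     uuid not null,
  manager_id uuid references profiles(id),
  role       text not null check (role in ('worker', 'manager', 'admin'))
);

create table records (
  id        uuid primary key,
  org_id    uuid not null,
  worker_id uuid not null references profiles(id),
  payload   jsonb
);

-- Deny by default: once RLS is enabled, a row is visible only if some policy allows it.
-- FORCE makes the policies apply to the table owner as well.
alter table records enable row level security;
alter table records force row level security;

-- Tenant boundary. RESTRICTIVE means this must hold for every row regardless
-- of which role-based policy below would otherwise allow it.
create policy records_same_org on records
  as restrictive for select
  using (org_id = (select org_id from profiles where id = auth.uid()));

-- Workers: only their own records.
create policy records_worker_own on records
  for select using (worker_id = auth.uid());

-- Managers: records of their direct reports.
create policy records_manager_reports on records
  for select using (
    exists (select 1 from profiles p
            where p.id = records.worker_id and p.manager_id = auth.uid())
  );

-- Admins: every record in their org (the restrictive policy still bounds them
-- to that org, so an admin can never read another customer's rows).
create policy records_admin_in_org on records
  for select using (
    exists (select 1 from profiles p
            where p.id = auth.uid() and p.role = 'admin')
  );
```

Two checks a practitioner would add: the profiles table needs its own policies (or a security-definer helper) so the subqueries above can see the rows they test, and insert/update/delete need separate policies, since these only cover reads.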

AI with a human in charge

AI drafts, summarises and classifies; it never takes an irreversible action without human sign-off. AI features are powered by Google Gemini models accessed via Lovable AI Gateway. We don't use your data to improve our own models.

Hosting & encryption

Hosted on Supabase (AWS) in the Europe (Ireland) region. All traffic is encrypted in transit with TLS, and data is encrypted at rest by our hosting provider.

UK GDPR

We act as a processor for your people data. Our DPA, privacy policy and sub-processor list are public, in plain English.

Certifications

We don't yet hold formal certifications such as Cyber Essentials or ISO 27001. We'd rather tell you that plainly than imply otherwise. What we will do is answer any security questionnaire you send us, fully and quickly.

Questions, or a security questionnaire to send?

We welcome due-diligence requests — send them over and we'll reply fully and quickly.