Security
We take the protection of your business and your clients\u2019 data seriously. Our practices are designed around recognised information-security principles (including those underpinning ISO 27001) and UK GDPR.
Encryption in transit
All traffic is served over HTTPS/TLS. Data moving between your browser, our application and our database is encrypted.
Password protection
Passwords are stored only as salted cryptographic hashes — never in plain text. A strength policy (8+ characters with letters, numbers and a special character) is enforced.
Access control
Multi-tenant isolation keeps each business’s data separate. Sessions are signed, role-scoped (owner, staff, platform admin) and time-limited.
Secure payments
Card payments and subscriptions are handled by Stripe, a PCI-DSS Level 1 provider. We never see or store full card numbers.
Data minimisation
We collect only what’s needed to run the service, and provide tools to export and permanently erase individual records on request.
Reputable infrastructure
Hosting and database run on established cloud providers with their own physical and network security and certifications.
Backups & resilience
Managed database backups support recovery. Automated jobs are designed to fail safe and retry.
Least privilege & logging
Administrative actions are restricted, and security-relevant events are logged for monitoring.
To report a security concern, please use the Contact page. We welcome responsible disclosure.