Security that holds up to a compliance review.
What we encrypt, who else sees the data, what happens if something goes wrong.
Hosting + encryption
- Application + database hosted in the UK / EU region (Vercel + Supabase). Database calls never leave UK / EU.
- All Postgres data encrypted at rest (AES-256 GCM, Supabase-managed keys).
- Client documents in object storage encrypted at rest with a firm-scoped envelope key; the calc engine never sees PII.
- Auth and session cookies are set with the HttpOnly and Secure flags; no password storage in our DB (magic-link + Google OAuth via Supabase Auth).
Access + isolation
- TLS 1.3 on every public endpoint; HSTS enabled, with the domain on the HSTS preload list.
- Row-level security (RLS) on every tenant-scoped table — your firm cannot read another firm's rows even if a code bug tried to. A nightly cross-firm probe asserts this in CI (BH-063).
- Per-route rate limits (calc, extraction, invites, sign-in) with Sentry-tagged 429s.
- Service-role keys live only in the Stripe-webhook + cron paths; never in user-facing routes.
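As an added illustration of the row-level-security model described above (this is example SQL, not the product's own schema or policies), the block below shows a tenant-scoped table, an RLS policy that binds every row to the caller's firm, and the kind of cross-firm probe a CI job can run against it. The table name `clients`, the helper `current_firm_id()` and the session setting `app.firm_id` are assumptions chosen for the example; the project's real helper would typically derive the firm from the authenticated user's JWT claims instead.

```sql
-- Constructed example: a tenant-scoped table. Every row carries the owning
-- firm's id, which is what the policy below keys on.
create table clients (
  id      bigint generated always as identity primary key,
  firm_id uuid not null,
  name    text not null
);

-- Turn RLS on and FORCE it so the table owner is not exempt either.
-- Note: superusers and roles with BYPASSRLS (e.g. a service-role key)
-- still bypass policies, which is why such keys must stay out of
-- user-facing request paths.
alter table clients enable row level security;
alter table clients force row level security;

-- Assumed helper: reads the caller's firm from a session setting.
-- Returns NULL when unset, so the policy fails closed (no rows visible).
create function current_firm_id() returns uuid
  language sql stable as $$
  select nullif(current_setting('app.firm_id', true), '')::uuid
$$;

-- One policy covers reads (USING) and writes (WITH CHECK): a session can
-- only see, update, delete or insert rows whose firm_id is its own firm.
create policy clients_firm_isolation on clients
  for all
  using      (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- Seed two firms' data as a privileged migration step (constructed ids).
insert into clients (firm_id, name) values
  ('00000000-0000-0000-0000-00000000000a', 'Client of firm A'),
  ('00000000-0000-0000-0000-00000000000b', 'Client of firm B');

-- Cross-firm probe, run as a non-bypassing application role:
-- act as firm A and try to observe or create firm B's rows.
begin;
  set local app.firm_id = '00000000-0000-0000-0000-00000000000a';

  -- Expect exactly 0: no row belonging to another firm is visible.
  select count(*) as leaked_rows
  from clients
  where firm_id <> current_firm_id();

  -- Expect a policy violation error: writing into another firm's tenancy
  -- is rejected by WITH CHECK even though the SQL itself is valid.
  insert into clients (firm_id, name)
  values ('00000000-0000-0000-0000-00000000000b', 'smuggled row');
rollback;
```

A CI job can wrap the probe in a transaction, assert that `leaked_rows` is 0 and that the cross-tenant insert raises an error, and fail the build otherwise. The important design point is that the check lives in the database, not in application code: a query that forgets its `where firm_id = ...` clause still cannot return another firm's rows, provided the connection does not hold a role that bypasses RLS.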
Sub-processors
The full list with DPA links is in /privacy §4. Headline: Supabase (DB + storage, UK/EU), Vercel (hosting, European edge), Anthropic (extraction only, US, 30-day abuse window — see /privacy §2.3), Stripe (billing), Resend (transactional email), Sentry (errors, EU region), Vercel Web Analytics (anonymous page-views).
A signed Data Processing Agreement is available on request: /legal/dpa →
Breach notification
Under UK GDPR Art. 33 we notify the ICO of any personal-data breach within 72 hours of detection. Affected firms are notified directly within the same window where the breach is likely to result in a high risk to data subjects.
Report a suspected security issue: security@paraplanai.co.uk. We acknowledge within one business day.