[ Security ]

Defaults that match your security review.

Security isn't a paid add-on. RBAC, 2FA, encryption, audit logs, and WAF protection ship enabled on every plan.

Encryption

All traffic is served over TLS 1.2 or later. Passwords are hashed with bcrypt at cost factor 12 (2^12 key-setup rounds). Integration API keys are encrypted at rest with AES-256.

Role-based access

Six customer-side roles (Owner, Admin, Editor, Reviewer, Developer, Viewer) and six staff roles. Role checks run server-side on every API route, never only in the client.

Two-factor authentication

TOTP-based 2FA is available on all customer accounts and required on all staff accounts. Backup codes are coming in the next release.

Audit logging

Every staff action, shadow-login session, 2FA event and login attempt is written to an immutable audit log and retained for 12 months.

Edge protection

Enterprise WAF, DDoS mitigation, a bot challenge on authentication forms, and rate limiting on all authentication endpoints.

Staff access controls

The staff dashboard is gated behind a Zero Trust access gateway. Shadow login requires a typed reason and triggers an immediate notification to all Super Admins.

Backups

Postgres point-in-time recovery on EXERAX Cloud Infrastructure. Daily off-site snapshots of media storage. Tested restore procedures.

Hosting region

All customer data hosted in the UK and EU. No US-region storage of personal data.

Last updated: 11 May 2026

Responsible disclosure

Found a security issue? We'd love to hear from you. Email [email protected] with the details. Our PGP key is available on request.

What we ask:

  • Give us a reasonable window to respond and fix before public disclosure.
  • Don't access data that isn't yours, and don't run automated scanners against production.
  • Don't test denial-of-service or social-engineering vectors against staff.

What you can expect:

  • An acknowledgement within 2 working days.
  • A triage decision within 5 working days.
  • Public credit, if you want it.
  • A bounty for material findings — we evaluate severity case by case.

Compliance

We're built to SOC 2 Type II controls and are currently working through formal certification. UK GDPR and EU GDPR compliant. We sign DPAs on request; write to [email protected].

Service status

Live uptime, incident history, and component health are available on our status page.

For procurement teams

We can supply a security questionnaire response, our latest penetration test summary (under NDA), insurance certificates, and a sub-processor list on request. Write to [email protected] and CC your account manager if you have one.