Security & Privacy

Your data security and privacy are our top priorities

How We Protect Your Data

Encryption at Rest

All documents and sensitive data are encrypted using AES-256 encryption, the same standard used by banks and government agencies.

Secure Transmission

All data transmitted between your browser and our servers is protected by TLS 1.3 encryption over HTTPS connections.

Role-Based Access Control

Four distinct user roles (Owner, Admin, HR Staff, Auditor) ensure team members only see information relevant to their responsibilities.

Audit Trails

Comprehensive logging of all actions, including who accessed what data and when. Audit logs are immutable and retained according to your plan.

UK Data Centers

Your data is stored in secure, UK-based data centers that comply with GDPR and UK data protection regulations.

Regular Security Audits

We conduct regular security assessments, penetration testing, and vulnerability scans to identify and address potential risks.

Our Privacy Principles

Data Minimization

We only collect and store data necessary for providing our service. You control what employee information you add to the system.

Purpose Limitation

Your data is used solely for providing HR and compliance record-keeping services. We never sell or share your data with third parties for marketing purposes.

Transparency

Our Privacy Policy clearly explains what data we collect, how we use it, and your rights. We notify you of any material changes.

User Control

You can export your data at any time and request deletion of your account. We provide tools to help you comply with data subject access requests.

Tamper-Proof Evidence

Immutable Audit Logs

Audit entries are immutable and cannot be altered or deleted, creating a trustworthy record of access and changes.

Hashed Document Evidence

Every uploaded document is hashed and versioned, so evidence integrity can be verified during audits.

Auditor Safe-Access

External auditors can be invited as read-only users with all access logged, ensuring safe, transparent reviews.

Compliance Standards

GDPR

Full compliance with EU General Data Protection Regulation and UK GDPR requirements.

ISO 27001

Information security management practices aligned with ISO 27001 standards.

Data Protection Act 2018

Compliance with UK Data Protection Act 2018 requirements for processing personal data.

Additional Security Measures

Signed URLs

All document access uses time-limited signed URLs that expire after a short period, preventing unauthorized access even if a URL is intercepted.
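As an added illustration of the mechanism described above (example code, not SponsorSafe HR's own implementation), a minimal HMAC-based signed URL scheme: the signature covers the document path and an expiry timestamp, and verification rejects expired, tampered or unsigned URLs. The key, document paths and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side secret for this example; a real deployment
# would load it from a secrets manager, never from source.
SECRET = b"constructed-example-key-do-not-reuse"


def _canonical(path: str, expires: int) -> bytes:
    # The signed string binds the document path to its expiry, so neither
    # can be changed without invalidating the signature.
    return f"{path}\n{expires}".encode()


def _sig(path: str, expires: int, key: bytes) -> str:
    mac = hmac.new(key, _canonical(path, expires), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_url(path: str, key: bytes, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Issue a URL that stops working ttl_seconds from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _sig(path, expires, key)})
    return f"{path}?{query}"


def verify_url(url: str, key: bytes, now: Optional[int] = None) -> bool:
    """True only for an unexpired URL whose signature matches path+expires."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        presented = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # expired: an intercepted URL is useless past this point
    expected = _sig(parts.path, expires, key)
    # Constant-time comparison so timing does not leak the valid signature.
    return hmac.compare_digest(presented.encode(), expected.encode())
```

An intercepted URL remains usable until `expires`, so the TTL is the real control; binding the signature to the path and expiry means changing the document id or extending the lifetime invalidates it.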

Regular Backups

Your data is backed up daily to geographically distributed locations. Backups are encrypted and tested regularly to ensure data can be restored if needed.

Incident Response

We maintain a comprehensive incident response plan and will notify affected users within 72 hours of discovering any data breach, as required by GDPR.

Staff Training

All SponsorSafe HR team members undergo regular security and privacy training. Access to production systems is strictly controlled and logged.