Encryption at Rest
All documents and sensitive data are encrypted using AES-256 encryption, the same standard used by banks and government agencies.
Your data security and privacy are our top priorities
All data transmitted between your browser and our servers is protected by TLS 1.3 encryption over HTTPS connections.
Owner, Admin, Manager, Moderator, Auditor, Staff, and Member roles ensure team members only see information relevant to their responsibilities.
Comprehensive logging of all actions, including who accessed what data and when. Audit logs are immutable and retained according to your plan.
Customer data is stored in managed cloud infrastructure with encryption, access logging, backup controls, and GDPR-aligned processing safeguards.
We maintain security review controls, audit evidence, and vulnerability-management workflows. Independent test evidence is tracked before any certification or test-completion claim is made.
We only collect and store data necessary for providing our service. You control what employee information you add to the system.
Your data is used solely for providing HR and compliance record-keeping services. We never sell or share your data with third parties for marketing purposes.
Our Privacy Policy clearly explains what data we collect, how we use it, and your rights. We notify you of any material changes.
You can export your data at any time and request deletion of your account. We provide tools to help you comply with data subject access requests.
Audit entries are protected from update/delete operations and cryptographically chained so changes can be detected.
Every uploaded document, export, and evidence pack is hashed and versioned, with signed manifests for integrity checks.
External auditors can be invited as read-only users with all access logged, ensuring safe, transparent reviews.
Full compliance with EU General Data Protection Regulation and UK GDPR requirements.
Information security management practices aligned with ISO 27001 standards.
Compliance with UK Data Protection Act 2018 requirements for processing personal data.
All document access uses time-limited signed URLs that expire after a short period, preventing unauthorized access even if a URL is intercepted.
Your data is backed up daily to geographically distributed locations. Backups are encrypted and tested regularly to ensure data can be restored if needed.
We maintain a comprehensive incident response plan and will notify affected users within 72 hours of discovering any data breach, as required by GDPR.
All SponsorSafe HR team members undergo regular security and privacy training. Access to production systems is strictly controlled and logged.