Data location
UK VPS hosted at Hostinger (London and Manchester datacentres). No cross-region replication in M1. A full disaster-recovery plan arrives with the M8 launch hardening phase.
How we treat your data .
Who we trust with your data, how we handle it, and our honest compliance roadmap. Dated targets, not fuzzy promises.
01 / Subprocessors
A small set of named vendors.
Every vendor touching your data is listed below, with what they do and where the data sits. Future vendors are flagged with the milestone that brings them online.
| Vendor | Service | Data category | Location | Status |
|---|---|---|---|---|
| Resend | Outbound email delivery | Contact form submissions, auto-replies | UK / EU (via AWS SES upstream) | Active |
| Hostinger | VPS + storage | All platform data (database, uploads, logs) | UK (London / Manchester) | Active |
| Anthropic | AI engine | Ticket content, KB articles | US | Planned (M5) |
| Stripe | Billing | Payment metadata | US / EU | Planned (M7) |
| Twilio | Voice / SMS channel | Call recordings, SMS content | US / UK | Planned (M4) |
02 / Data handling
How we handle your data.
Transit encryption
TLS 1.3 from client to nginx at the edge. nginx talks to the app over loopback only — no internet-reachable port other than 443.
At-rest encryption
Full-disk encryption on the VPS. Database files and uploaded attachments both sit on the encrypted volume.
Deletion policy
Thirty-day soft-delete, then purge. The policy becomes enforceable from Phase 6 (when the database ships) and applies to accounts, tickets, and uploaded files alike.
03 / Compliance roadmap
Dated targets, not fuzzy promises.
UK-GDPR + EU-GDPR
Aligned today.
SOC 2 Type I
Targeted for M8 launch.
ISO 27001
Post-launch roadmap.
SAML SSO + SCIM
Post-launch — M8+ for the enterprise tier.
We publish dated targets instead of fuzzy roadmaps. If a target slips, the next revision of this page will explain why.
Questions? Talk to us .
Security questionnaires welcome. We answer them in the open.