Security & Data Protection

Your data, kept safe

How AI-Assist protects your business data — explained for the procurement person, the IT lead, and the business owner alike. We're honest about what we have, and honest about what we're still building.

Section 1

At a glance

UK GDPR compliant

Built to UK GDPR + Data Protection Act 2018

ICO registered

Registration number ZC106782

Encrypted in transit & at rest

TLS 1.2+ for traffic, AES-256 for storage

Hosted in UK & EU

Vercel + Supabase EU regions

Audit logs on every privileged action

Role changes, billing changes, data exports — all logged

Strict fail-closed by default

No partial-success states for billing or access changes

The sections below explain each of these in more detail. We've also written about the things we don't yet have (Section 9) so you can make a fully-informed decision.

Section 2

How we encrypt your data

Everything that travels between your browser, our servers, and our database is encrypted using TLS 1.2 or higher. This is the same standard online banks use. Anyone listening on the network — even a coffee-shop wifi snooper — sees only meaningless ciphertext.

Once your data lands in our database, it's encrypted at rest using AES-256. This is the encryption standard the US government uses for top-secret information. Even if a physical disk were stolen from the data centre, the data on it would be unreadable.

Passwords are never stored in plain text. We use bcrypt with a strong work factor — passwords go in, irreversibly hashed values come out. Even AI-Assist staff can't see your password.

Section 3

Where your data lives

The application runs on Vercel (UK and EU edge regions for European traffic). The database lives on Supabase (EU region — Frankfurt, Germany). Your business data does not leave the UK / EU jurisdiction without explicit need.

For specific operations that require US-based services (e.g. AI conversation processing via Anthropic, payment processing via Stripe), we use Standard Contractual Clauses (SCCs) — the legal mechanism the EU and UK recognise for transfers outside the EEA. Full details in our Data Processing Policy.

Section 4

Who can access your data

Inside the platform, every database query is filtered by Row Level Security (RLS) — Supabase's built-in mechanism that ensures customers only see their own data, even if there were a bug elsewhere in the application. It's defence-in-depth: even if our application code had a flaw, the database itself would refuse to return data to the wrong customer.
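
As an added illustration (not AI-Assist's own schema), this is what a Supabase/Postgres Row Level Security policy of the kind described above looks like; the `appointments` table and its `owner_id` column are hypothetical, while `auth.uid()` is Supabase's real helper that returns the calling user's id from their session token:

```sql
-- Hypothetical table; AI-Assist's real schema is not shown on this page.
create table if not exists public.appointments (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id),
  starts_at timestamptz not null,
  notes     text
);

-- Without RLS, any role with SELECT on the table can read every row.
-- ENABLE turns the policies on; FORCE makes the table owner subject to them too.
alter table public.appointments enable row level security;
alter table public.appointments force row level security;

-- SELECT: a row is visible only if it belongs to the caller.
create policy "owner can read own appointments"
  on public.appointments for select
  to authenticated
  using (owner_id = auth.uid());

-- INSERT: the row being written must belong to the caller, so a client
-- cannot create a row under another customer's id.
create policy "owner can insert own appointments"
  on public.appointments for insert
  to authenticated
  with check (owner_id = auth.uid());

-- UPDATE: the caller may only touch their own rows (USING) and may not
-- reassign a row to someone else (WITH CHECK).
create policy "owner can update own appointments"
  on public.appointments for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- With these in place, an application bug that forgets its WHERE clause,
--   select * from public.appointments;
-- still returns only the caller's rows. The Supabase service_role key
-- bypasses RLS entirely, so it belongs on the server and never in the browser.
```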

Internally, we operate a strict role hierarchy. Only the founding CEO (Hassan) has database admin access. There are no shared credentials. We don't browse customer data without an explicit business need (e.g. a support ticket where you've asked us to look at a specific issue).

We do not sell, share, or rent your data to anyone. Ever. This is contractually guaranteed in our Data Processing Agreement.

Section 5

Authentication safeguards

When you create an account, we enforce:

  • 10-character minimum passwords (longer than most banks require)
  • HaveIBeenPwned check — your chosen password is checked against the world's largest database of breached passwords. If it's appeared in a known leak, we won't let you use it.
  • Rate limiting on all auth endpoints — automated brute-force attempts are blocked
  • Secure session cookies with HttpOnly + Secure + SameSite flags
  • Magic link login as an alternative to passwords (one-click email sign-in, no password to lose)

We are working on adding two-factor authentication (2FA) for admin accounts as the next step — see Section 9.

Section 6

Logging, monitoring, incident response

Every privileged action — role changes, billing modifications, data exports, manual database mutations — is recorded in an immutable audit log with the actor's identity, timestamp, and reason. This means we can answer "who did what, when" for any change to your account.
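
As an added example of what "immutable" can mean at the database layer (hypothetical table, not AI-Assist's own code), the following Postgres definition gives an audit table the actor, timestamp and reason columns described above, grants only INSERT to the server-side role, and refuses any rewrite of history even if a role somehow acquires UPDATE or DELETE rights; the `service_role`, `anon` and `authenticated` roles are Supabase's standard ones:

```sql
-- Hypothetical append-only audit table.
create table if not exists public.audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid not null,            -- who performed the action
  action      text not null,            -- e.g. 'role_change', 'data_export'
  target      text not null,            -- what was changed
  reason      text not null,            -- free-text justification
  details     jsonb not null default '{}'::jsonb
);

-- Least privilege: strip the default grants, then allow only the server-side
-- role to append rows and read them back. End-user roles get nothing.
revoke all on public.audit_log from public, anon, authenticated, service_role;
grant insert, select on public.audit_log to service_role;

-- Belt and braces: a statement-level trigger rejects UPDATE, DELETE and
-- TRUNCATE regardless of which role issues them.
create or replace function public.audit_log_is_append_only()
returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% attempted)', tg_op;
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete or truncate on public.audit_log
  for each statement execute function public.audit_log_is_append_only();
```

A row is then written for every privileged action and can be queried later to answer "who did what, when, and why"; correcting a mistaken entry means appending a new one that references it, not editing the old one.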

Application errors and unusual events are monitored via Sentry (with your consent — Sentry only fires when you accept analytics cookies). Customer-impacting incidents are surfaced on our live status page.

In the event of a personal data breach, we will notify the ICO within 72 hours (as required by UK GDPR Article 33) and notify affected customers without undue delay (Article 34). Our breach notification procedure is documented in our Data Processing Policy.

Section 7

Vendors we work with

We rely on a small number of carefully chosen sub-processors. Every one has its own DPA in place with us, and every one is enterprise-grade.

Vendor            What they do                            Where
Vercel            Application hosting + CDN               Global edge, EU primary
Supabase          Database + authentication               EU (Frankfurt)
Anthropic         Claude AI for chatbot conversations     US (under SCCs)
Stripe            Payment processing                      UK / EU / US (under SCCs)
Resend            Transactional email delivery            US (under SCCs)
Google Calendar   Optional appointment sync               US (only when you connect it)
Zoom              Optional video meeting links            US (only when you connect it)

For the legal-grade list with retention periods, lawful bases, and processing purposes, see our Data Processing Policy.

Section 8

Compliance & certifications

  • UK GDPR & Data Protection Act 2018 — fully compliant
  • ICO Registration — number ZC106782
  • PECR (Privacy and Electronic Communications Regulations) — cookie consent, marketing email consent, all enforced
  • Companies House — UK registered, CRN 17118425
  • Standard Contractual Clauses in place with all non-EEA sub-processors

Section 9

What we don't have yet (and our roadmap)

We'd rather be honest than impressive. Here's what we're not yet able to claim, and where each one sits on our roadmap:

SOC 2 Type 1 / Type 2

We do not currently hold SOC 2 attestation. SOC 2 is typically pursued once a SaaS reaches enterprise contract sizes (£50k+ annual). We will pursue it once our customer base requires it. In the meantime, our security controls are aligned with SOC 2 Trust Services Criteria.

ISO 27001

Same as SOC 2 — we're aligned with the controls but not yet certified. On the roadmap as we grow.

Annual third-party penetration test

No formal pen test programme yet. We rely on automated dependency scanning, code review, and our adoption of well-tested frameworks (Next.js, Supabase, Stripe) for security baselines. Pen testing is on our 12-month roadmap.

Bug bounty programme

Not yet — premature for our current scale. We do welcome responsible disclosure of any security issue you find, and we will credit you publicly if you wish.

Two-factor authentication for customer accounts

Available for the founding CEO account; rolling out to all customer accounts as a high-priority next step. ETA: within 30 days.

Section 10

How to report a security issue

If you've found a vulnerability or security concern, please email us:

info@aiassistsmes.co.uk

Subject line: "Security Disclosure"

We commit to acknowledging your report within 48 hours and providing an initial assessment within 5 working days. We won't take legal action against good-faith researchers who follow responsible disclosure (give us reasonable time to fix before publishing).

Section 11

Documents you can request

Available for any current or prospective customer:

For anything else (security questionnaires, internal compliance reviews, signed DPAs), email info@aiassistsmes.co.uk with subject line "Security Documentation Request" and we'll respond within 2 working days.

Questions about anything on this page? Email info@aiassistsmes.co.uk — Hassan personally answers security and compliance questions.

Last updated: 8 May 2026. We refresh this page whenever a security control changes.