Security

How we handle the data we hold.

Contractor records, client details, and wallet balances. We take the same care with each. Plain-English overview below.

Six pillars

What we insist on.

01

Encryption everywhere.

TLS in transit, AES-256 at rest. No exceptions, including backups.

02

Least-privilege access.

Staff access to production data is role-gated and logged. Most of the team has none.

03

Payment isolation.

We don't handle card numbers. Payments run through [TBD provider]. Wallet ledger is append-only.

04

Short data lifespans.

ID verification data is deleted [TBD] days after approval. Pitch recordings are not stored beyond [TBD].

05

Tested backups.

Encrypted, stored off-region, and test-restored on a [TBD] cadence. We practice the recovery, not just the backup.

06

Incident response.

On-call rotation, runbooks, [TBD]-hour breach-notification commitment to affected users.

Attestations

What we hold (or will).

We're honest about where we are. Placeholders below will be replaced with real certificate details as they land.

Status · [TBD]

SOC 2 Type II

In progress. Audit window [TBD].

Status · [TBD]

ISO 27001

Roadmap: [TBD].

Status · compliant

UK GDPR

Registered controller. ICO reg [TBD].

Status · scope-limited

PCI DSS

Out of card-data scope via [TBD].

Sub-processors

Who we trust with your data.

Updated as our stack changes. If you're a client or contractor, you'll see this list reflected in our DPA.

Sub-processor · Purpose · Region

[Cloud provider TBD] · Application hosting, compute, databases. · EU / UK
[Payments TBD] · Client billing, contractor payouts. · UK
[Email TBD] · Transactional email, notifications. · EU
[Observability TBD] · Logs, metrics, error tracking. · EU
[ID verification TBD] · Contractor identity checks at onboarding. · UK

Bug bounty

Found something? Tell us.

We pay for credible reports. Responsible disclosure only: stay within the scope published at [TBD] and do not damage live systems. Email security@salesflow.[TBD] or submit via [TBD platform].