Public launch · September 2028 · Design partners onboarding now Founders Programme is invite-only Join the waitlist

Your firm's data,
handled properly.

Amaea processes personal data on behalf of FCA-authorised IFA firms. This page summarises how we protect it, where it lives, and who can access it: designed to be the answer to your IT due-diligence checklist.

What we built in before the product.

Encryption, isolation, and auditability. On by default, not as an upgrade.

Encryption Encrypted at rest and in transit

In transit: all traffic uses TLS 1.2+ with modern ciphers. HSTS with a one-year max-age and the preload directive is enforced on every Amaea domain, so browsers upgrade any plain-HTTP request to HTTPS before sending it and will not let a user click through a certificate error.

At rest: AES-256 disk encryption on both the Postgres database and document storage, managed by our infrastructure provider (Supabase, hosted on AWS eu-west). Encryption keys are rotated automatically per AWS KMS schedule.

Isolation Row-level isolation between firms
Every record in our database is tagged with the firm that owns it. Postgres row-level security (RLS) policies prevent a query authenticated as Firm A from returning or modifying rows belonging to Firm B, and the policies are enforced by the database itself, not by application code. 46 automated tests run against the production schema on every change to prove that no firm can read, insert, update or delete data that isn't theirs. The tests cover all 15 firm-scoped tables.
Authentication Strong passwords + two-factor available
Sign-in via email + password, validated server-side. Sessions managed via signed, short-lived JWTs (ES256 signing) with refresh tokens. Two-factor authentication (TOTP) is available via any standard authenticator app: Google Authenticator, Microsoft Authenticator, 1Password, Authy, etc. Self-service password reset by emailed magic link.
Audit Append-only audit trail
Every consequential action (AI query, document import, flag raised or resolved, report generated) writes to an append-only audit log that your firm can read but never modify. The append-only guarantee is enforced at the database level: the log tables have RLS enabled with no UPDATE or DELETE policy, so Postgres's default-deny behaviour blocks both. Records retain origin metadata (model, timestamp, user) without logging the underlying personal data content.
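As an added illustration, not Amaea's actual schema, policies or test suite, here is how the two guarantees above (firm isolation and an append-only audit trail) are normally expressed in Postgres: a firm-scoped table whose policy compares each row's firm_id with the firm claim in the caller's JWT, and an audit table that has SELECT and INSERT policies but deliberately no UPDATE or DELETE policy. It assumes Supabase's convention of exposing the verified JWT claims through the request.jwt.claims setting and its authenticated role; the table names, the firm_id claim and the UUIDs are constructed for the example. The DO block at the end has the shape of one automated isolation test: seed one row per firm, switch to Firm A's identity, then assert that Firm B's rows are neither readable nor writable and that audit rows cannot be changed.

```sql
-- Added example: illustrative schema and policies, not Amaea's own.
-- Assumptions: a Supabase-style Postgres where API requests run as the
-- `authenticated` role and the verified JWT claims are readable via
-- current_setting('request.jwt.claims'). The `firm_id` claim name, table
-- names and UUIDs are constructed for this example. On vanilla Postgres,
-- run `create role authenticated;` first and execute as a superuser.

create table client_records (
  id          uuid primary key default gen_random_uuid(),
  firm_id     uuid not null,
  client_name text not null
);

create table audit_log (
  id         uuid primary key default gen_random_uuid(),
  firm_id    uuid not null,
  actor      text not null,     -- who acted (a user id), never the personal data itself
  action     text not null,     -- e.g. 'ai_query', 'document_import', 'flag_raised'
  model      text,              -- origin metadata for AI-driven actions
  created_at timestamptz not null default now()
);

-- Privileges say what the role may attempt; RLS then decides which rows.
grant select, insert, update, delete on client_records to authenticated;
grant select, insert, update, delete on audit_log     to authenticated;

-- Firm of the calling session, taken from the verified JWT. NULL when the
-- claim is absent, which makes every policy below evaluate to false (deny).
create or replace function current_firm_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'firm_id')::uuid
$$;

alter table client_records enable row level security;
alter table client_records force row level security;   -- the table owner is not exempt
create policy firm_isolation on client_records
  for all to authenticated
  using      (firm_id = current_firm_id())   -- rows the session can see, update or delete
  with check (firm_id = current_firm_id());  -- rows the session may insert or produce

alter table audit_log enable row level security;
alter table audit_log force row level security;
create policy audit_read   on audit_log for select to authenticated
  using (firm_id = current_firm_id());
create policy audit_append on audit_log for insert to authenticated
  with check (firm_id = current_firm_id());
-- No policy FOR UPDATE or FOR DELETE: RLS is default-deny, so those statements
-- match no rows and change nothing, even for the firm that owns the rows.

-- Isolation test in the style of an automated RLS check (constructed data).
do $$
declare
  firm_a constant uuid := '11111111-1111-1111-1111-111111111111';
  firm_b constant uuid := '22222222-2222-2222-2222-222222222222';
  n int;
begin
  set local role authenticated;   -- run as the API role, not as a BYPASSRLS role
  -- Seed one record per firm, each under its own identity.
  perform set_config('request.jwt.claims', json_build_object('firm_id', firm_a)::text, true);
  insert into client_records (firm_id, client_name) values (firm_a, 'Client of A');
  insert into audit_log (firm_id, actor, action) values (firm_a, 'user-a1', 'document_import');
  perform set_config('request.jwt.claims', json_build_object('firm_id', firm_b)::text, true);
  insert into client_records (firm_id, client_name) values (firm_b, 'Client of B');

  -- Now act as Firm A.
  perform set_config('request.jwt.claims', json_build_object('firm_id', firm_a)::text, true);

  select count(*) into n from client_records where firm_id = firm_b;
  if n <> 0 then raise exception 'RLS leak: firm A read % firm B row(s)', n; end if;

  begin
    insert into client_records (firm_id, client_name) values (firm_b, 'smuggled');
    raise exception 'RLS leak: firm A inserted a row tagged as firm B';
  exception when insufficient_privilege then
    null;  -- expected: WITH CHECK rejected the cross-firm row (SQLSTATE 42501)
  end;

  -- A cross-firm UPDATE and an UPDATE of the audit log both match zero rows.
  update client_records set client_name = 'tampered' where firm_id = firm_b;
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'RLS leak: firm A updated % firm B row(s)', n; end if;

  update audit_log set action = 'rewritten' where firm_id = firm_a;
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'audit log is not append-only: % row(s) changed', n; end if;

  raise notice 'isolation and append-only checks passed';
end $$;
```

Two points in the block matter in practice. First, UPDATE and DELETE with no matching policy do not raise an error, they just affect zero rows, so a test has to check row_count rather than expect an exception. Second, roles with BYPASSRLS (superusers, and the service-role key in Supabase) are not subject to these policies at all, which is why the test switches to the same role the application uses before exercising the tables.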
Hosting Data hosted in EU regions
Database and storage: Supabase EU West (Ireland). Application hosting: Vercel, with EU-region preference for serverless function execution. Transactional email: Resend EU. Stored personal data does not leave the European Economic Area in normal operation; processing performed by sub-processors outside the EEA is set out in the sub-processor list below.
Backups Daily backups + documented restore
Postgres database backed up daily with 7-day retention; point-in-time recovery is available within that window. Storage objects backed up separately by our infrastructure provider. The restore procedure is documented and reviewed quarterly; runbook available to customers under DPA.
App security Defence in depth at the application layer
Headers
Content Security Policy with frame-ancestors 'none'; X-Frame-Options DENY; HSTS preload; Referrer-Policy strict-origin-when-cross-origin; Permissions-Policy disabling camera, microphone, geolocation, and payment APIs.
Abuse
CSRF protection on every state-mutating endpoint. Per-IP rate limiting on public surfaces; per-firm fair-use caps on AI features.
Email auth
SPF + DKIM live on all outbound mail. DMARC is currently published at p=none (monitor mode) while we verify that every legitimate sender is aligned; it will be tightened to p=quarantine and then p=reject on a documented rollout.

Who else handles your data.

A full, current list. Under UK GDPR Article 28, you're entitled to know.

Sub-processor            Purpose                                               Region
Supabase                 Database (Postgres), authentication, file storage     EU West (Ireland)
Vercel                   Application hosting + serverless function execution   EU (Frankfurt) preference
Anthropic (Claude API)   AI compliance assistant + report drafting             US (Zero Data Retention in progress)
Voyage AI                Text embeddings for FCA knowledge-base search         US (query text only, no personal data sent)
Resend                   Transactional email (login, alerts, reports)          EU
Cloudflare               DNS + TLS termination + edge protection               Global edge, EU egress preferred

Last reviewed 18 May 2026. Material sub-processor changes are notified to customers under DPA at least 30 days in advance.

Where we are on standards.

Honest current state. Not aspirational future state.

  • UK GDPR / Data Protection Act 2018. Amaea is a data processor for our customers' personal data. A Data Processing Agreement (Art. 28) is provided to every customer before any client data is uploaded.
  • FCA Consumer Duty (PRIN 2A). Amaea's product is built to help firms evidence Consumer Duty obligations. We hold no FCA permissions ourselves; we are a vendor to authorised firms.
  • SOC 2. Type I assessment planned for 2027, ahead of public launch. Practices already align with the framework (signed JWTs, audit trails, encryption, MFA, breach response). Type II follows once we have 12 months of operating evidence.
  • ISO 27001. Out of scope for first launch; we track to its principles where practical.
  • Cyber Essentials. Planned ahead of any partnership requiring it.
  • Penetration testing. Planned ahead of public launch in 2028. Until then, the internal RLS test suite (46 tests across 15 firm-scoped tables) runs on every change.

If something goes wrong.

We have a documented incident response plan covering detection, containment, regulator notification (ICO within 72 hours where required under UK GDPR Art. 33), customer notification, and post-incident review. The full plan is available to customers under DPA.

Report a security issue

Found a vulnerability, suspect unauthorised access, or want to report something that seems off? Email us directly. We'll acknowledge within one business day.

security@amaea.co.uk

We respond to all reports in good faith. We don't operate a paid bug-bounty programme at this stage, but we do publicly credit researchers on this page (with permission) once an issue is fixed.

Need the DPA, IR plan, or vendor questionnaire?

Book a 30-minute demo. We'll share the full pack during the IT due-diligence call. The sub-processor list above is current; everything else is gated under DPA.
