Your Data, Protected
We handle sensitive supplier and compliance data. Security is not a feature we add on — it is foundational to everything we build.
UK Data Hosting
All data is hosted in UK data centres. The platform runs on cloud infrastructure within the United Kingdom, and your supplier data does not leave UK jurisdiction.
This is not a configurable option or premium add-on. UK hosting is the default and only option for all customers, regardless of plan.
Our hosting infrastructure provides automated backups, geographic redundancy within the UK, and a 99.9% uptime SLA.
UK-Only Data Residency
Data stored and processed exclusively in the United Kingdom.
Automated Backups
Regular automated backups with point-in-time recovery capability.
99.9% Uptime SLA
Redundant infrastructure with automatic failover.
How We Protect Your Data
Encryption in Transit
All connections use TLS 1.2+ encryption. HSTS is enforced with a one-year max-age policy including subdomains.
Encryption at Rest
Database storage and uploaded documents are encrypted at rest using AES-256 encryption.
Role-Based Access
Granular permissions ensure users only see the suppliers and data relevant to their role. Full audit trail of all access.
CSRF & XSS Protection
All forms use CSRF token validation. Input sanitisation and output escaping protect against injection attacks.
Full Audit Trail
Every action is logged with user, timestamp, and change details. Immutable audit records for compliance reporting.
Multi-Tenant Isolation
Every database query is scoped to your organisation. It is architecturally impossible for one customer to access another's data.
GDPR & Data Protection
My Supplier List is designed to help you meet your UK GDPR obligations, both for your own data and the supplier data you collect.
Data Processing Agreement
We provide a Data Processing Agreement (DPA) as standard with all subscriptions, clearly defining data controller and processor responsibilities.
Right to Erasure
The platform supports data deletion requests. Supplier records can be fully anonymised or deleted in compliance with GDPR Article 17.
Data Portability
Export your data at any time in standard formats. Your data belongs to you, and you can take it with you if you choose to leave.
Consent & Lawful Basis
Cookie consent management with granular accept/decline controls. Clear privacy notices and lawful basis documentation.
Security Headers & Standards
Our web application implements comprehensive security headers following OWASP best practices.
Strict-Transport-Security
HSTS enforced for one year, including subdomains
Content-Security-Policy
Restricts script and resource origins
X-Content-Type-Options
Prevents MIME type sniffing
X-Frame-Options
Prevents clickjacking attacks
Referrer-Policy
Set to strict-origin-when-cross-origin
Permissions-Policy
Camera, microphone, geolocation denied
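A defender-side check for the header policy listed above, added here as an example and not the platform's own code: it audits a response's headers against each stated setting (one-year HSTS with subdomains, CSP present, nosniff, framing blocked, strict-origin-when-cross-origin, camera/microphone/geolocation denied). The header values are constructed samples and the function name is hypothetical.

```python
ONE_YEAR = 31536000  # seconds; the page states a one-year HSTS max-age

def _directives(value, sep):
    """Split 'a; b=c' or 'a=(x), b=()' header values into a lowercase dict."""
    pairs = (p.strip().partition("=") for p in value.split(sep) if p.strip())
    return {name.strip().lower(): val.strip() for name, _, val in pairs}

def audit_security_headers(headers):
    """Return findings against the page's stated header policy ([] = pass)."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP names are case-insensitive
    findings = []
    hsts = _directives(h.get("strict-transport-security", ""), ";")
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < ONE_YEAR:
        findings.append("HSTS max-age missing or shorter than one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS does not cover subdomains")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    # 'feature=()' in Permissions-Policy denies that feature to every origin.
    perms = _directives(h.get("permissions-policy", ""), ",")
    for feature in ("camera", "microphone", "geolocation"):
        if perms.get(feature) != "()":
            findings.append(f"Permissions-Policy does not deny {feature}")
    return findings

# Constructed samples: one response meeting the stated policy, one weaker.
COMPLIANT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # short HSTS, no CSP or framing protection, camera allowed to self
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(self), geolocation=()",
}
if __name__ == "__main__":
    for label, hdrs in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, audit_security_headers(hdrs) or ["all checks passed"])
```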
Questions About Security?
Our team is happy to discuss security practices, provide documentation, or answer specific questions about how we protect your data.