Security,
in plain English.

01 Compliance

• UK GDPR — compliant. ICO registered under CSN2326977.
• Cyber Essentials Plus — certified.
• SOC 2 Type II — audit underway. Readiness letter and contractual assurances available on request.
• ISO 27001 — controls mapped, certification underway.

02 Data residency

Production data is stored in the UK. Where you use AI features, the content you submit to those features may be processed outside the UK under Standard Contractual Clauses and, where applicable, the UK–US Data Bridge. Sub-processor categories, locations and purposes are published on our sub-processors page; the named list and a DPA are available on request via chat.

03 Encryption

• In transit — TLS 1.3, HSTS preloaded.
• At rest — AES-256 at the storage layer.
• Sensitive identifiers — AES-256-GCM applied at the application layer.
• Secrets — never stored in code; encrypted environment variables only; CI blocks accidental commits.

04 Application security

• Authentication — hosted by a specialist identity provider, MFA-capable, sessions rotated on sign-in.
• Browser security — strict Content Security Policy, CSRF protection on state-changing requests.
• Rate limiting — applied across the API surface.
• Logging — automated redaction of personal identifiers in logs before they are written.
• Database — parameterised queries throughout; no raw user input reaches SQL.
• Dependencies — automated weekly scanning; known CVEs gated at CI.

05 Infrastructure

Justify runs on UK-resident database and storage with global-edge application hosting (EU primary). Authentication, payments, error monitoring, transactional email and other supporting services are provided by specialist sub-processors. The named list of providers, locations and purposes is published on our sub-processors page.

06 Incident response

• Acknowledge: within 24 hours.
• Status update: within 72 hours.
• Breach notification: within 72 hours of awareness, per UK GDPR Art. 33, to the ICO and affected customers.
• Public status page: in development.

07 Testing & assurance

• Penetration testing: annual independent third-party test. Latest summary available under NDA.
• Continuous testing: automated test suite gates every release; secrets-scanning runs at CI.
• Responsible disclosure: report a vulnerability via our live chat. Confirmed findings credited on request.

08 Customer controls

• Data export: CSV export from the in-app settings at any time.
• Data deletion: soft-deleted within 30 days of request, permanently purged within 90 days.
• SSO / SAML & audit logs: available on Professional and Advanced tiers.
• DPA: available on request via chat; Advanced tier receives a pre-signed copy at contract.

09 Available on request

• Data Processing Agreement (DPA)
• Latest penetration-test summary (under NDA)
• SOC 2 Type II readiness letter
• Insurance certificate (professional indemnity + cyber)