01 Compliance
- UK GDPR — compliant. ICO registered under CSN2326977.
- Cyber Essentials Plus — certified.
- SOC 2 Type II — in scope for 2026. Happy to discuss the timeline under NDA.
- ISO 27001 — controls mapped, certification planned.
02 Data residency
Production data is stored in the UK. Where you use AI features, the content you submit to those features may be processed outside the UK under Standard Contractual Clauses and, where applicable, the UK–US Data Bridge. Sub-processor categories, locations and purposes are published on our sub-processors page; the named list and a DPA are available through our contact form or chat.
03 Encryption
- In transit — TLS 1.3, HSTS preloaded.
- At rest — AES-256 at the storage layer.
- Sensitive identifiers — AES-256-GCM applied at the application layer.
- Secrets — never stored in code; encrypted environment variables only; CI blocks accidental commits.
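As an added example (not Justify's code), the pattern behind the "Sensitive identifiers" and "Secrets" bullets above, written in Go against the standard library only: the 32-byte key is read from an environment variable rather than living in source (the variable name JUSTIFY_FIELD_KEY is an assumption), each value gets a fresh random 96-bit nonce, and the storing column's name is bound as additional authenticated data so a ciphertext copied into another field fails to decrypt instead of yielding a plausible value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

const (
	keyLen   = 32 // AES-256
	nonceLen = 12 // standard GCM nonce size
)

// LoadKey reads a base64-encoded 32-byte key from an environment variable.
// The variable name is supplied by the caller; the key itself is never a literal.
func LoadKey(envName string) ([]byte, error) {
	raw := os.Getenv(envName)
	if raw == "" {
		return nil, fmt.Errorf("%s is not set", envName)
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid base64: %w", envName, err)
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("%s must decode to %d bytes, got %d", envName, keyLen, len(key))
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes for AES-256", keyLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptIdentifier seals plaintext with AES-256-GCM. context (e.g. "users.national_id")
// is authenticated but not encrypted, so the blob only opens for the field it was
// written for. Output layout: nonce (12 bytes) || ciphertext || 16-byte tag.
func EncryptIdentifier(key []byte, context, plaintext string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, []byte(plaintext), []byte(context))
	return append(nonce, sealed...), nil
}

// DecryptIdentifier reverses EncryptIdentifier. Any modified byte, or a context that
// differs from the one used at encryption, produces an error rather than garbage.
func DecryptIdentifier(key []byte, context string, blob []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(blob) < nonceLen+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	plain, err := aead.Open(nil, nonce, sealed, []byte(context))
	if err != nil {
		return "", errors.New("decryption failed: authentication tag mismatch")
	}
	return string(plain), nil
}

func main() {
	// Constructed demo key; a deployment would call LoadKey("JUSTIFY_FIELD_KEY") instead.
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := EncryptIdentifier(key, "users.national_id", "AB123456C")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", base64.StdEncoding.EncodeToString(blob))
	got, err := DecryptIdentifier(key, "users.national_id", blob)
	fmt.Println("same field:", got, err)
	_, err = DecryptIdentifier(key, "users.email", blob)
	fmt.Println("other field:", err)
}
```

The context string is what makes this more than "AES at the storage layer": disk encryption protects against a lost volume, while the per-field AEAD with bound context still fails closed when a database user or a backup-restore error moves a ciphertext between rows or columns.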
04 Application security
- Authentication — hosted by a specialist identity provider, MFA-capable, sessions rotated on sign-in.
- Browser security — Content Security Policy, HSTS, clickjacking protection and CSRF protection on state-changing requests. The CSP currently allows the legacy static pages and Cesium homepage to run while we migrate towards a nonce/hash-based policy.
- Rate limiting — abuse controls are applied to sensitive public routes; broader route-level limits are being hardened as part of the platform security programme.
- Logging — automated redaction of personal identifiers in logs before they are written.
- Database — parameterised queries throughout; no raw user input reaches SQL.
- Dependencies — automated weekly scanning; known CVEs gated at CI.
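As an added example (not the platform's code), a Go net/http middleware showing the browser-security controls listed above together: a nonce-based Content Security Policy of the kind the text says the platform is migrating towards, HSTS with the preload directive, clickjacking protection via both frame-ancestors and X-Frame-Options, and an Origin/Referer check on state-changing methods as the CSRF control. The site origin app.example.com and the inner handler are constructed for the example.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Origin the application is served from (constructed for this example).
const allowedOrigin = "https://app.example.com"

type ctxKey string

const nonceKey ctxKey = "csp-nonce"

// NewNonce returns a fresh 128-bit random nonce, base64-encoded, for one response.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// ContentSecurityPolicy builds a nonce-based policy: scripts run only if they carry
// this response's nonce, plugins are blocked, and the page cannot be framed.
func ContentSecurityPolicy(nonce string) string {
	return "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; " +
		"object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
}

// IsStateChanging reports whether a method must pass the CSRF check.
func IsStateChanging(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// OriginAllowed compares the request's Origin (or, failing that, Referer) with the
// site origin. Browsers attach Origin to cross-site state-changing requests, so a
// foreign or missing value on such a request is treated as cross-site.
func OriginAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		ref, err := url.Parse(r.Header.Get("Referer"))
		if err != nil || ref.Scheme == "" || ref.Host == "" {
			return false
		}
		origin = ref.Scheme + "://" + ref.Host
	}
	return origin == allowedOrigin
}

// Secure wraps a handler with the CSRF origin check and the browser security headers,
// and hands the per-response nonce to the handler through the request context.
func Secure(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsStateChanging(r.Method) && !OriginAllowed(r) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		nonce, err := NewNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		h := w.Header()
		h.Set("Content-Security-Policy", ContentSecurityPolicy(nonce))
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
		h.Set("X-Frame-Options", "DENY") // legacy clickjacking control for older browsers
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey, nonce)))
	})
}

// Exercise sends one synthetic request through Secure and returns the recorded
// response. The inner handler emits a script tag carrying the nonce, as a template would.
func Exercise(method, origin, referer string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, allowedOrigin+"/settings", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, _ := r.Context().Value(nonceKey).(string)
		fmt.Fprintf(w, `<script nonce="%s"></script>`, nonce)
	})
	Secure(inner).ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, c := range [][3]string{
		{"GET", "", ""}, {"POST", allowedOrigin, ""},
		{"POST", "https://evil.example", ""}, {"POST", "", ""},
	} {
		fmt.Printf("%-4s origin=%-24q -> %d\n", c[0], c[1], Exercise(c[0], c[1], c[2]).Code)
	}
}
```

The policy is strict enough that the legacy static pages mentioned above would need their inline scripts tagged with the nonce (or replaced by hashed sources) before it could be enabled site-wide, which is the migration work the text refers to; until then a deployment typically ships it as Content-Security-Policy-Report-Only alongside the permissive policy to find what breaks.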
05 Infrastructure
Justify runs on UK-resident database and storage with global-edge application hosting (EU primary). Authentication, payments, error monitoring, transactional email and other supporting services are provided by specialist sub-processors. Public categories are listed on our sub-processors page; the named provider list is supplied to customers under DPA.
06 Incident response
- Acknowledge: within 24 hours.
- Status update: within 72 hours.
- Breach notification: within 72 hours of awareness, per UK GDPR Art. 33, to the ICO and affected customers.
- Public status page: in development.
07 Testing & assurance
- Penetration testing: annual independent third-party test. Latest summary available under NDA.
- Continuous testing: automated test suite gates every release; secrets-scanning runs at CI.
- Responsible disclosure: report a vulnerability through our contact form or chat. Confirmed findings credited on request.
08 Customer controls
- Data export: CSV export from the in-app settings at any time.
- Data deletion: soft-deleted within 30 days of request, permanently purged within 90 days.
- SSO / SAML & audit logs: available on Professional and Advanced tiers.
- DPA: available through our contact form or chat; Advanced tier receives a pre-signed copy at contract.
09 Available on request
- Data Processing Agreement (DPA)
- Latest penetration-test summary (under NDA)
- Insurance certificate (professional indemnity + cyber)
Justify Ltd · Company no. 16000647 · ICO CSN2326977