Security & compliance
People hand us parking tickets, legal letters, contracts and business documents — things that are private and often stressful. Here is exactly how that data is protected, what standards we hold ourselves to, and where we are on formal accreditation.
Data protection (UK GDPR)
We comply with UK GDPR and applicable data-protection law. In practice:
- Data minimisation — we ask only for what the document needs, and our AI prompts are engineered to use only the facts you supply.
- Automatic deletion — generated documents are retained for 30 days and then deleted on an automated schedule. Business-suite documents are exportable while you subscribe and deleted after a short grace period when you leave.
- Clear roles — for the Business suite we act as a processor of your fleet’s data (you stay the controller); for our own accounts and billing we are the controller.
- Breach response — we maintain a written data-breach response plan with notification procedures.
- Your rights — access, correction, deletion and export requests are honoured via our contact page. See the full privacy policy.
Security practices
- Encryption — all traffic is encrypted in transit (TLS); data is encrypted at rest by our infrastructure providers.
- Access control — multi-factor authentication on all operator accounts, least-privilege API keys, and admin surfaces gated separately from customer authentication.
- Secure development — static security analysis on the codebase (maintained at a clean baseline), dependency review, and automated smoke tests on payment and document flows before releases.
- No card data touches us — payments are processed entirely by Stripe (PCI DSS Level 1); we never see or store card numbers.
- Vetted infrastructure — our core providers (Vercel, Stripe, Clerk, Upstash, Resend, Anthropic) hold their own SOC 2 and/or ISO 27001 attestations; we maintain a vendor register and data-processing agreements.
- AI guardrails — the AI drafts and assesses; it never decides money or deadlines. Deterministic code computes anything consequential, and you review everything before it is sent.
Accreditation status
We operate to the standards below today, and we are progressing through the formal accreditation processes. We will never describe ourselves as certified or attested until the certificate or report is actually in hand — the current status is always stated here.
- UK GDPR — in force. This is law, not a badge: we comply, as set out above.
- Cyber Essentials — working to the scheme’s five control areas; certification in progress.
- SOC 2 Type II — our controls are built and operated to the Trust Services Criteria; we are in the readiness and evidence-gathering phase of the attestation process, with a documented control map, policy pack and evidence register.
Questions or reports
Security questionnaires, data-processing agreements, vulnerability reports: contact us via the contact page and we’ll respond promptly. We appreciate responsible disclosure.