Data Protection
A practical summary of the technical and organisational measures we apply to protect the personal data we process on behalf of reviewers and business customers.
Encryption
TLS 1.2+ in transit on every endpoint. AES-256 at rest for databases and backups. Secrets stored in a managed KMS with rotation enforced quarterly.
Access control
SSO + MFA mandatory for all staff. Role-based access scoped to least privilege. Production access requires reviewed PR + audit log entry; no shared credentials.
Hosting & residency
Primary hosting in UK / EU regions. No data leaves UK/EU without an approved transfer mechanism. Sub-processors listed publicly with 30-day change notice.
Backups & recovery
Encrypted daily backups with 30-day retention. Quarterly restore drills. Documented RPO 24h / RTO 4h for the production database.
Monitoring & audit
Centralised logging with anomaly alerting. Admin actions, moderation decisions and invitation activity are written to an immutable audit trail.
Breach response
Documented incident response plan. ICO notified within 72 hours of any qualifying breach. Affected users contacted directly without delay with the facts we know.
What you get
- UK / EU data residency
- Annual penetration test by an independent CREST-registered firm
- Vulnerability disclosure programme: security@scorereview.uk
- Sub-processor list available on request
- Vendor risk reviewed before onboarding and annually after
- Employee security training every 6 months