Trust Centre
Enterprise-grade security, regulatory compliance, and transparent data practices. Built for procurement teams who need evidence, not promises.
How We Protect Your Business
Data Protection
Full DPIA completed for AI matching. Lawful basis documented for every processing activity. Sub-processor list published and maintained.
- UK GDPR and PECR compliant
- Cookie consent with granular controls
- Data subject rights: export, erasure, portability
Security
Defence-in-depth architecture with HttpOnly cookie authentication, encrypted storage, and comprehensive monitoring.
- HttpOnly refresh tokens, short-lived access tokens
- pgcrypto encryption at rest, TLS 1.2+ in transit
- Row Level Security and RBAC
Infrastructure
UK and EU data residency. Encrypted backups. Cloudflare WAF and DDoS protection. No data leaves approved jurisdictions.
- Database hosted in EU-West-2 (London)
- Encrypted R2 backups with retention policy
- Cloudflare WAF, rate limiting, DDoS protection
IR35 Compliance
Introduction-only model. Consultiverse introduces parties and steps back. No worker control, no payment intermediation, no substitution restrictions.
- No intermediary relationship
- Engagement records for audit trail
- Direct contracting between parties
Verification
Know Your Business checks on all clients. NDA templates available. Conflict-of-interest screening before introductions.
- KYB checks on client organisations
- Mutual NDA facilitation
- Conflict-check workflow
AI Transparency
AI used solely for matching relevance via text embeddings. No automated decisions. OpenAI disclosed as sub-processor. AI Act assessment completed.
- Embedding-only AI (no generative decisions)
- OpenAI DPA under Article 28(3)
- EU AI Act risk assessment complete
Sub-processors
Third-party services that process data on our behalf. All operate under Data Processing Agreements.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database and authentication | All platform data | EU-West-2 (London) |
| OpenAI | Text embeddings for matching | Profile text, project descriptions | US (EU SCCs in place) |
| Stripe | Payment processing | Payment details, billing info | US/EU |
| Resend | Transactional email | Email addresses, notification content | US |
| Cloudflare | CDN, WAF, DNS | Traffic metadata | Global (EU-preferred) |
| Vercel | Application hosting | Static assets, serverless functions | EU (LHR1) |
| Sentry | Error monitoring (consent-gated) | Error traces, performance data | EU (Frankfurt) |
| Upstash | Rate limiting and caching | Request metadata | EU |
Security Architecture
Authentication
HttpOnly refresh tokens stored in secure cookies (inaccessible to JavaScript). Short-lived access tokens (15-minute expiry) held in memory only. Automatic token rotation on refresh. CSRF protection on all state-changing operations. Optional two-factor authentication via TOTP.
Encryption
All data encrypted at rest using pgcrypto (AES-256). All connections use TLS 1.2 or higher. Sensitive fields (TOTP secrets, API keys) use application-layer encryption with dedicated keys managed through Doppler secret management.
Access Control
Row Level Security (RLS) policies on every database table enforce data isolation at the database layer. Role-based access control separates consultant, client, and admin permissions. No shared credentials; all secrets managed through Doppler with audit trails.
Monitoring and Incident Response
Sentry error monitoring (consent-gated for session replays). Prometheus and Grafana for infrastructure alerting. Automated alerts for CPU, memory, disk, and container health. Security event logging with HMAC-verified webhook delivery.
Questions About Our Security Posture?
We're happy to provide additional documentation, complete security questionnaires, or arrange a call with our security team.
- Security questionnaire completion
- DPIA summary and sub-processor details
- Infrastructure architecture review