Security

Last updated: March 2026

1. Overview

AllocBoard is built for research teams managing sensitive staff and financial data. This page outlines the technical and organisational measures we use to protect your data. If you have questions, contact us at [email protected].

2. Infrastructure

All data is hosted in the United Kingdom.

  • Database hosted on Supabase PostgreSQL in the eu-west-2 (London) region
  • Application hosted on Vercel with edge network delivery
  • All connections encrypted with TLS 1.2 or higher
  • HTTPS enforced across all endpoints with HSTS headers

3. Encryption

We use field-level encryption to protect sensitive personal and financial data at rest.

  • AES-256-GCM encryption for sensitive fields including names, emails, and salaries
  • Per-tenant encryption keys — each organisation's data is encrypted with its own key
  • Blind indexes (HMAC-based) enable search over encrypted data without decryption
  • Encryption keys are managed separately from application data

4. Database Security

We enforce strict tenant isolation at the database level.

  • Row-Level Security (RLS) policies active on all tenant data tables
  • Every database query is scoped to the authenticated user's organisation
  • No cross-tenant data access is possible, even in the event of an application-level vulnerability

5. AI Data Handling

Our AI features (risk assessments) process project data through Anthropic's API. We take the following precautions:

  • All staff names and emails are replaced with pseudonyms before data is sent for AI processing
  • AI providers do not use your data to train their models
  • AI features are user-initiated only — no background processing or automated profiling
  • AI outputs are advisory and never used for automated decision-making
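The pseudonymisation step described in this section, as an added example written for this page in Node.js; it is not AllocBoard's own code. The shape of the project record, the Staff-N and staff-N@pseudonym.invalid token formats, and the notes field being scrubbed by plain substring replacement are assumptions. The example also goes one step beyond the text by checking the outbound payload for leftover identifiers and mapping the reply back for display.

```javascript
// Added example, not AllocBoard's code: replace staff names and emails with
// pseudonyms before a project record leaves the system for AI processing,
// verify nothing identifying remains, and map the reply back afterwards.

// Constructed sample project as the app might hold it before calling the AI API.
const sampleProject = {
  project: "Grant X cost model",
  staff: [
    { name: "Ada Lovelace", email: "ada@example.org", fte: 1.2 },
    { name: "Ada Byron", email: "byron@example.org", fte: 0.4 },
  ],
  notes: "Ada Lovelace is over-allocated; contact ada@example.org.",
};

// Build a pseudonymised copy plus a local mapping (pseudonym -> real value)
// that stays on our side and is never part of the outbound payload.
function pseudonymise(project) {
  const mapping = new Map();
  const staff = project.staff.map((s, i) => {
    const nameToken = `Staff-${i + 1}`;
    const emailToken = `staff-${i + 1}@pseudonym.invalid`; // .invalid is a reserved, unroutable TLD
    mapping.set(nameToken, s.name);
    mapping.set(emailToken, s.email);
    return { ...s, name: nameToken, email: emailToken };
  });
  // Free-text fields can also mention people; substitute longest values first
  // so "Ada Lovelace" is replaced before any shorter value it contains.
  const pairs = [...mapping.entries()].sort((a, b) => b[1].length - a[1].length);
  let notes = project.notes || "";
  for (const [token, real] of pairs) notes = notes.split(real).join(token);
  return { payload: { ...project, staff, notes }, mapping };
}

// Self-check before sending: the serialised payload must not contain any real
// name or email from the original record (compared case-insensitively).
function leaksIdentifiers(payload, project) {
  const text = JSON.stringify(payload).toLowerCase();
  return project.staff.some(
    (s) => text.includes(s.name.toLowerCase()) || text.includes(s.email.toLowerCase())
  );
}

// Map pseudonyms in the AI reply back to real identifiers for display to the user.
function reidentify(text, mapping) {
  const pairs = [...mapping.entries()].sort((a, b) => b[0].length - a[0].length);
  let out = text;
  for (const [token, real] of pairs) out = out.split(token).join(real);
  return out;
}

function demoPseudonymisation() {
  const { payload, mapping } = pseudonymise(sampleProject);
  const leaked = leaksIdentifiers(payload, sampleProject); // false
  // Constructed stand-in for the model's advisory reply; it only ever sees tokens.
  const reply = "Staff-1 is over-allocated at 1.2 FTE; Staff-2 has capacity.";
  return { payload, leaked, shown: reidentify(reply, mapping) };
}

console.log(demoPseudonymisation());
```

The structured fields are the reliable part of this: every name and email in the staff list is replaced by construction. The free-text scrub is exact substring replacement and will miss nicknames, misspellings or different casing, which is why the leaksIdentifiers check runs on the whole serialised payload as a final gate rather than trusting the substitution alone.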

6. Compliance

AllocBoard is designed to meet UK GDPR requirements.

  • Built-in Data Subject Access Request (DSAR) handling — users can export all personal data in one click
  • Comprehensive audit logging with automatic masking of sensitive fields
  • Immediate anonymisation of personal data upon account or staff removal
  • Configurable audit log retention periods (1, 3, or 5 years depending on plan)
  • Data Processing Agreement available at /dpa

7. Application Security

We implement comprehensive web application security controls.

  • Rate limiting on all API endpoints
  • HTTP Strict Transport Security (HSTS) headers
  • X-Frame-Options and Content-Security-Policy headers to prevent clickjacking
  • CORS policies restricting cross-origin requests
  • Authentication and session management via Clerk

8. Data Retention

We follow clear data retention and deletion policies.

  • Account data retained while account is active
  • Personal data immediately anonymised upon staff removal or account closure, with hard deletion after 30 days
  • Audit logs retained for 1, 3, or 5 years based on your plan tier
  • Hard deletion of all data 90 days after the retention period expires
  • Database backups retained for 7 days for disaster recovery

9. Sub-processors

We use the following third-party services to operate AllocBoard. Where sub-processors are based outside the UK, transfers are governed by the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) as applicable.

  Service     Purpose                                       Location
  Supabase    Database and authentication infrastructure    London, UK (eu-west-2)
  Clerk       User authentication and session management    United States
  Stripe      Payment processing                            United States
  Anthropic   AI-powered risk assessments                   United States
  Vercel      Application hosting and CDN                   Global (edge network)

10. Incident Response

We maintain an incident response process to handle security events promptly.

  • Affected customers will be notified within 72 hours of a confirmed data breach, in line with UK GDPR requirements
  • Incident reports include the nature of the breach, data affected, and remediation steps taken
  • Post-incident reviews are conducted to prevent recurrence

11. Security Reviews

We conduct regular security reviews of our infrastructure and application code. This includes dependency auditing, code review, and periodic assessment of our security controls.

12. Backup & Disaster Recovery

Database backups are taken daily and retained for 7 days. Our infrastructure is designed for high availability with automated failover. In the event of a major incident, we target recovery within 24 hours.

13. Internal Access Controls

Access to production systems and customer data is restricted to essential personnel only. All access is logged and reviewed. We follow the principle of least privilege across our infrastructure.

14. Contact

For security questions, concerns, or to report a vulnerability, please contact us by email: [email protected]