Built for UK public sector trust
Redactly is designed from the ground up for UK public bodies. UK data residency, full audit trails, GDPR-compliant processing, and documentation ready for your DPO and IT team.
Data Location
Personal data does not leave the UK or European Economic Area in the ordinary course of service delivery.
| Document content & storage | Supabase — AWS eu-west-2 (London, UK) |
| Database & audit logs | Supabase — AWS eu-west-2 (London, UK) |
| Document processing | Google Cloud Platform — europe-west2 (Belgium, EU) |
| Application hosting | Vercel — EU region (Frankfurt / London) |
| Payment data | Stripe EU/UK (no document content is shared with Stripe) |
Encryption
| Data in transit | TLS 1.2 minimum — enforced across all endpoints |
| Data at rest (database) | AES-256 (AWS infrastructure encryption) |
| Data at rest (file storage) | AES-256 (Supabase Storage / S3-compatible) |
| Backups | Encrypted at rest, same standard |
Access Controls
Multi-tenant isolation: Every organisation's data is isolated at the database layer using Row-Level Security (RLS). No user can access another organisation's documents, audit logs, or metadata.
Role-based access: Three roles are enforced — Admin (full access including billing and user management), Reviewer (upload and review), Viewer (read-only access to completed documents).
Invite-only access: New users join via a time-limited (7-day) invitation sent to a verified email address. Shared credentials are not supported.
Application Security
| Penetration testing | OWASP ZAP automated scan — March 2026. No high-severity findings. |
| Security headers | Mozilla Observatory: 80/100. SSL Labs: A+. |
| Content Security Policy | Implemented on all HTML responses and API routes |
| File validation | Magic byte verification on all uploads — spoofed types rejected |
| Upload rate limiting | 20 uploads per user per hour |
| Known CVEs | pdf.js CVE-2024-4367 — patched March 2026 (react-pdf v9.2.1) |
Audit Logging
Redactly maintains an immutable audit log for every organisation, retained for 6 years. Logs record:
- Document uploaded — filename, uploader, timestamp
- Document analysed — page count, suggestion count
- Redaction accepted / rejected — per suggestion, with user ID
- Document finalised — redaction count, finaliser, timestamp
- User invited / joined — role granted
- Subscription created / changed
Audit logs do not contain document content — only metadata about actions performed. Viewable by organisation Admins within the platform.
Incident Response
Security incidents are reported to affected organisations within 72 hours of discovery, meeting UK GDPR Article 33 requirements.
Notifications include: nature of breach, data categories affected, likely consequences, and remediation steps.
Security contact: security@redactly.co.uk
Sub-processors
All sub-processors are bound by data processing agreements consistent with UK GDPR requirements.
| Sub-processor | Role | Data location |
|---|---|---|
| Supabase Inc | Database, file storage, authentication | UK (AWS eu-west-2) |
| Google Cloud Platform | Document processing services | EU (europe-west2, Belgium) |
| Stripe Inc | Payment processing (billing data only — no document content) | EU / UK |
| Resend Inc | Transactional email (email addresses only) | EU |
| Vercel Inc | Application hosting | EU |
Certifications & Compliance
| UK GDPR / DPA 2018 | Implemented — DPA available on request |
| Data Processing Agreement | Available to countersign — email legal@redactly.co.uk |
| Penetration testing | Completed March 2026 |
| SSL Labs A+ | Active |
| Cyber Essentials | In progress — target Q3 2026 |
| ISO 27001 | In progress — target Q4 2026 |
| G-Cloud framework | Application in progress — target Q3 2026 |
Data Processing Agreement
A full Data Processing Agreement (DPA) is available to countersign before or at the point of subscription. The DPA covers processing scope, sub-processors, international transfers, retention, breach notification, and audit rights.