Skip to main content
AI Governance Hub
Log inGet started

Security Policy

Our commitment to protecting your data | Last updated: 15 February 2026

Our Security Commitment

At AI Governance Hub, security is not an afterthought—it's fundamental to everything we build. We understand that you're trusting us with sensitive compliance data, and we take that responsibility seriously.

This page outlines our security practices, infrastructure, and policies. We believe in transparency and want you to understand exactly how we protect your data.

Security Principles

Security by Design

Security is built into every layer of our architecture from day one, not bolted on later.

Zero Trust Architecture

Every request is authenticated and authorized. No implicit trust based on network location.

Data Sovereignty

Your data is stored in UK/EU data centers and never transferred outside without your consent.

Proactive Monitoring

24/7 automated monitoring for security threats, anomalies, and potential breaches.

Infrastructure Security

Hosting and Network

  • Hosting Provider: Vercel (Enterprise-grade infrastructure with SOC 2 Type II, ISO 27001)
  • Database: Supabase (PostgreSQL) hosted in UK/EU data centers
  • CDN: Global edge network with DDoS protection and WAF (Web Application Firewall)
  • Uptime Target: 99.5% availability SLA
  • Redundancy: Multi-region database replication and automated failover

Data Encryption

  • At Rest: AES-256 encryption for all data stored in databases and file storage
  • In Transit: TLS 1.2+ (HTTPS only, no insecure HTTP connections allowed)
  • Backups: Encrypted backups taken every 24 hours, retained for 30 days
  • Passwords: Bcrypt hashing (cost factor 12) with unique salts per user

Application Security

Authentication and Authorization

  • Authentication: Supabase Auth with industry-standard JWT tokens
  • Session Management: Secure, HTTP-only cookies with 24-hour inactivity timeout
  • Password Requirements: Minimum 8 characters, complexity enforced
  • Password Reset: Secure token-based reset with email verification
  • Row-Level Security (RLS): Database-enforced access control ensuring users can only access their own data
  • Role-Based Access Control (RBAC): Admin, Editor, Viewer roles with granular permissions

Input Validation and Sanitization

  • Server-Side Validation: All user input validated using Zod schemas before processing
  • XSS Protection: React's built-in escaping + Content Security Policy headers
  • SQL Injection Prevention: Parameterized queries only, no raw SQL with user input
  • CSRF Protection: SameSite cookies and anti-CSRF tokens
  • File Upload Validation: Type checking, size limits (10MB), malware scanning (planned)

Security Headers

We enforce strict security headers on all HTTP responses:

  • X-Frame-Options: DENY (prevents clickjacking)
  • X-Content-Type-Options: nosniff (prevents MIME sniffing attacks)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: Disables camera, microphone, geolocation
  • Content-Security-Policy: Restricts script sources (planned for Phase 4)

Third-Party Security

Sub-Processors and Vendors

We carefully vet all third-party services that handle your data:

VendorPurposeCertifications
SupabaseDatabase, Auth, StorageSOC 2 Type II, ISO 27001, GDPR
StripePayment ProcessingPCI-DSS Level 1, SOC 2, ISO 27001
VercelHosting, CDNSOC 2 Type II, ISO 27001
ResendTransactional EmailGDPR-compliant
PostHogAnalyticsGDPR, SOC 2 (privacy-preserving)

Access Controls

Employee Access

  • Principle of Least Privilege: Team members have access only to systems necessary for their role
  • Production Access: Strictly limited and logged. Database access requires multi-factor authentication
  • Audit Logging: All administrative actions logged with timestamps and user identification
  • Background Checks: Security-cleared personnel only (planned for Phase 5)

Customer Data Access

  • We do NOT access your data without explicit permission
  • Customer support access requires your written consent via support ticket
  • All support access is logged and time-limited (24-hour expiry)
  • You can revoke access at any time

Security Testing and Audits

Current Practices

  • Automated Security Scanning: Dependency vulnerability scanning (GitHub Dependabot)
  • Code Review: All code changes reviewed before deployment
  • Automated Testing: 240+ unit tests, E2E tests, accessibility tests, security header tests
  • OWASP Top 10: Regular testing against OWASP security risks (XSS, SQLi, CSRF, etc.)

Planned Audits (Phase 4-5)

  • Penetration Testing: Annual third-party penetration tests (Q3 2026)
  • SOC 2 Type II: Certification planned for 2027 (subject to revenue targets)
  • Cyber Essentials Plus: UK government-backed certification (Q4 2026)

Incident Response

Security Incident Procedure

In the event of a security incident:

  1. Detection: Automated monitoring alerts our team immediately
  2. Containment: Affected systems isolated within 1 hour
  3. Investigation: Root cause analysis and impact assessment
  4. Notification: Affected customers notified within 72 hours (GDPR requirement)
  5. Remediation: Vulnerabilities patched and systems restored
  6. Post-Incident Review: Lessons learned and preventative measures implemented

Data Breach Notification

If a data breach affects your Personal Data, we will notify you via email within 72 hours, including:

  • Nature of the breach
  • Categories and approximate number of affected records
  • Likely consequences
  • Measures taken to address the breach
  • Contact information for further inquiries

Backup and Disaster Recovery

  • Backup Frequency: Automated daily backups at 02:00 UTC
  • Retention: 30-day backup retention
  • Encryption: All backups encrypted with AES-256
  • Testing: Quarterly backup restore tests
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours (last backup)

Compliance and Certifications

Current Compliance

  • UK GDPR: Fully compliant (Data Processing Agreement available)
  • Data Protection Act 2018: UK-specific requirements met
  • WCAG 2.2 Level AA: Accessibility compliance

Planned Certifications

  • Cyber Essentials Plus: Q4 2026
  • SOC 2 Type II: 2027 (revenue-dependent)
  • ISO 27001: 2027-2028 (long-term goal)

Responsible Disclosure

Vulnerability Reporting

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please:

  1. Email security@aigovernancehub.uk with details
  2. Do NOT publicly disclose the vulnerability before we've had a chance to fix it
  3. Provide sufficient information to reproduce the issue
  4. Allow us 90 days to investigate and remediate before public disclosure

Bug Bounty Program

We do not currently offer a bug bounty program but plan to launch one in Phase 5 (June 2026). Responsible researchers who report valid vulnerabilities will be acknowledged in our Security Hall of Fame (with permission).

Your Security Responsibilities

Security is a shared responsibility. We ask that you:

  • Use a strong, unique password for your account
  • Enable multi-factor authentication when available (planned for Phase 4)
  • Do not share your account credentials with others
  • Log out from shared devices
  • Report suspicious activity immediately
  • Keep your devices and browsers up to date

Contact Security Team

For security-related inquiries, vulnerability reports, or incident notifications:

Email: security@aigovernancehub.uk
Address: AI Governance Hub, c/o ITNextGen Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Expected Response Time: 24 hours for critical issues, 72 hours for non-critical inquiries

Policy Updates

This Security Policy may be updated to reflect changes in our security posture, infrastructure, or compliance requirements. Material changes will be communicated via email 30 days in advance.