Transparency

Security & Trust

Last updated 31 May 2026 · Reviewed quarterly

This page describes how we look after the data you trust us with — what controls we have in place today, what we're improving, and how to get in touch if you have a security concern or a request about your data.

We believe transparency is a security control in itself. Where we're not yet doing something, we'd rather tell you than hide it.

What's in place today

✓ Live

Encryption in transit

All traffic to robinsfirehub.co.uk and our subprocessors is encrypted with TLS 1.2+.

✓ Live

Encryption at rest

Database and file storage encrypted at rest by our infrastructure provider (Supabase).

✓ Live

Two-factor authentication for staff

Mandatory TOTP 2FA for everyone on the assessor / reviewer team. 12-character password minimum.

✓ Live

Webhook signature verification

SmartHub inbound webhooks are validated with a shared secret; mismatched requests are rejected.

✓ Live

Secrets in environment configuration

All API keys, tokens, and credentials live in Railway environment variables — never in source code or shared with the browser.

✓ Live

Parametrised database queries

All Postgres queries go through Supabase's PostgREST layer with proper parameter quoting — protects against SQL injection.

✓ Live

Server-side rate limiting

Cost-sensitive AI and transcription endpoints are rate limited per IP to prevent abuse and surprise bills.

✓ Live

Least-privilege access

Only assessors who need a given customer's data have access. Admin operations are limited to a single named admin.

✓ Live · enforcing since June 2026

API-level authentication gate

Every protected endpoint — staff tools and the on-site Inspection Tool PWA — requires a verified Supabase session token before responding. Validated against Supabase Auth on each request; cached short-window so latency stays sub-50ms. Unauthenticated requests rejected with HTTP 401.

✓ Live

Strong session management

Sessions issued by Supabase Auth (industry-standard JWT). Tokens refreshed automatically; signing out invalidates the session everywhere. Long-lived storage uses the browser's localStorage; no third-party cookies.

✓ Live

Unique-key data integrity

Postgres UNIQUE constraints on idempotency keys prevent duplicate captures during mobile retries. Schema-level enforcement, not just application-layer.

What we're working on

⌛ In progress

Self-service data export & deletion

A "request a copy of my data" and "delete my account" flow inside the Customer Portal. Today these requests are processed manually within 30 days of email.

⌛ In progress

Native iOS app for inspections

Wraps the existing PWA in a native shell. Gives silent camera-roll backup of every site photo plus more durable offline storage.

⌛ In progress

Stricter CORS & CSRF protections

Tightening cross-origin requests to a known allow-list and adding cross-site request forgery protections on state-changing endpoints.

⌛ In progress

File-upload type and size limits

Enforcing a maximum upload size and a file-type whitelist on inspection captures to prevent abuse of the storage bucket.

⌛ In progress

Immutable audit log

Every data change recorded in a tamper-evident log so we can show exactly who did what and when.

Honest disclosure. We're a small UK SMB. Some of the controls a large enterprise SaaS would have day one are still being added here. If a particular control matters for your due diligence, please ask — we'd rather have a direct conversation than oversell.

Where your data lives

We use a small number of trusted subprocessors to run the service. Each one is bound by contract to use your data only on our instructions.

Subprocessor	Role	Data they touch	Location
Supabase, Inc.	Database + Storage	All operational data, photos, voice notes, reports	US
Railway Corporation	Application hosting	Application server + logs	US / Global
Anthropic, PBC	AI (Claude) for prep and write-up	Text sent for analysis only — no photos or audio	US
Groq, Inc.	Voice-to-text (Whisper)	Inspection audio clips	US
Resend, Inc.	Transactional email	Recipient address + subject + body	US
HighLevel, Inc.	CRM (SmartHub)	Booking contact info; we sync stage changes back	US
Google LLC	Legacy email polling	Subject + sender of incoming Gmail messages	US

Transfers outside the UK are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, plus supplementary technical measures (encryption in transit and at rest). Where a subprocessor offers an EU-region deployment we'll move to it when reasonable.

Inherited compliance

We deliberately build on infrastructure providers that carry the certifications a small SMB couldn't realistically maintain in-house. That doesn't make us SOC 2 certified, but it does mean the layers our data sits on top of are independently audited.

Inherited

SOC 2 Type II · ISO 27001

Database, file storage, and authentication — provided by Supabase. supabase.com/security

Inherited

SOC 2 Type II

Production hosting — Railway. railway.com

Inherited

SOC 2 Type II · HIPAA-ready

Large-language-model inference — Anthropic Claude. We do not opt into training on customer prompts.

Inherited

SOC 2 Type II · ISO 27001

Transactional email — Resend.

Our own infrastructure isn't currently certified — we're a small team and the cost-to-customer of a formal audit doesn't pay off at our scale yet. The day we're large enough that it matters to a buyer, we'll engage an auditor. In the meantime we're glad to share evidence of any of the controls listed on this page, on request.

Compliance posture

Standard / regulation	How we relate to it
UK GDPR · Data Protection Act 2018	In scope as a data controller. Privacy policy documents lawful bases, retention, transfers, and data subject rights.
Privacy and Electronic Communications Regulations (PECR)	In scope. We use only strictly-necessary storage; no analytics or marketing trackers. See cookies notice.
Regulatory Reform (Fire Safety) Order 2005	Drives our retention policy on assessment records — 10 years from delivery.
NIST CSF (informally)	We use the Identify / Protect / Detect / Respond / Recover frame internally to triage what to build next on the security roadmap.
SOC 2 / ISO 27001 (own org)	Not currently certified. Inherited from the infrastructure providers listed above.
Cyber Essentials (UK)	Plan to certify within 12 months as a baseline UK SMB standard.

The data lifecycle

From a single FRA engagement, here's where the data flows and when each piece is removed.

Stage	What happens	What we hold afterwards
Booking	Customer books via SmartHub. Contact details + premises address flow in via webhook. Hub creates a job record.	Contact & premises kept for the duration of the engagement + retention period.
Pre-visit	Optional customer form completed. Assessor curates a prep kit on the Pre-Inspection Tool.	Form responses + prep kit stored in JSONB alongside the job. Retained 10 years.
On site	Photos, video, voice notes, written notes captured on the Inspection Tool PWA. Uploaded to Supabase Storage; metadata to Postgres.	Captures form the evidence base for the FRA report.
Processing	Voice notes transcribed (Groq Whisper). Anthropic Claude assists with prep + draft summaries.	Transcripts stored back onto the capture row. AI prompts are not retained or used for training by the providers under their commercial terms.
Write-up & review	Assessor authors the report in the Notes Tool. Reviewer approves or returns.	Report draft + finalised version stored on the report record.
Delivery	PDF rendered, emailed to the customer via Resend. Customer Portal access optionally provisioned.	Delivery audit kept indefinitely; email body retained briefly by Resend (their policy).
Retention	The FRA + supporting evidence is retained for 10 years to satisfy professional indemnity, regulatory enforcement, and dispute defence.	After 10 years, the assessment record is either anonymised (statistics only) or fully deleted.
Deletion on request	A customer requests erasure. We delete everything we don't have a legal obligation to retain (and explain the difference if any).	Anonymised reference may remain on internal audit log (just "premises X was deleted on date Y by user Z").

Audit & monitoring

We log enough to investigate an incident properly and we don't log so much that the logs themselves become a liability.

Server access logs — every HTTP request to our application is logged with method, path, status code, IP. Retained 30 days by our host (Railway).
Authentication events — sign-in, sign-out, password change, MFA enrollment — captured by Supabase Auth and visible in their dashboard.
Database changes — Supabase Postgres has point-in-time recovery and write-ahead logging.
Job-level state changes — every stage transition, every override, captured to our own job_overrides history. Visible inside the Hub's job detail panel.
API auth failures — logged with the originating IP. Allows us to see brute-force attempts in soft-mode logs before enforcing.
Email events — every send + delivery success/failure recorded by Resend with a unique ID.

Business continuity

Honest realism: we're a small operator, not a major SaaS. The realistic continuity plan looks like this.

Backups — automatic point-in-time recovery on the Postgres database (7 days) and versioning on file storage are provided by Supabase. We don't currently take additional external backups, but we're considering a nightly export to off-provider storage in the next year.
Single key person risk — currently one engineer (Marco). All credentials are in a password manager with a documented break-glass route. We acknowledge this is the biggest residual risk and would address it formally if the customer base expanded.
Recovery time objective (RTO) — informally 4 hours for the Hub to be reachable again. We rely on Railway's hosting SLA for application-level outages and Supabase's SLA for data-layer outages.
Recovery point objective (RPO) — informally 1 hour, bounded by Supabase's point-in-time recovery granularity.
Vendor failure — if Supabase, Railway, Anthropic, Groq, or Resend disappeared overnight we'd have a real problem and we'd lean on our customer relationships for grace. We don't pretend that's enterprise-grade.

For evaluators & prospects

If you're considering white-labelling the platform or assessing it under a DPIA, supplier review, or other diligence process, please reach out and we'll happily walk you through:

Architecture diagrams beyond the public System Map
Specific subprocessor DPAs and SCC instruments
Roadmap items not visible on this page (rate-limit thresholds, planned controls, deployment of Cyber Essentials)
A short-form security questionnaire response (SIG-Lite-style) on request
NDA-bound discussion of any control we've described less specifically here

We treat security diligence as a normal part of the sales conversation, not a hurdle. The earlier you raise concerns the easier they are to address.

Contact marco.fiore@cambsfiresafe.com with "Security diligence" in the subject and we'll respond within two working days.

How we handle a request

Data subject requests (access, correction, deletion)

Send an email to marco.fiore@cambsfiresafe.com explaining what you'd like. We'll verify it's really you (some basic identity check), then respond within 30 days — usually much faster for simple requests. Where we have a legal reason to retain something (e.g. records required under fire safety regulations or HMRC), we'll explain that in the response.

Reporting a vulnerability

If you've found a security weakness in any of our tools, please tell us privately rather than disclosing publicly. Email marco.fiore@cambsfiresafe.com with as much detail as you can share (URL, steps to reproduce, screenshots). We'll acknowledge within two working days and keep you updated as we fix it. We don't currently run a paid bounty programme but we'll happily credit you publicly if you'd like.

Suspected incident

If we discover a personal data breach that's likely to result in a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours and notify affected individuals without undue delay, as required by UK GDPR Article 33–34.

Roles and responsibilities

For everything in scope of this page:

Marco Fiore is the operational data protection lead. Direct any data protection question, data subject request, or vulnerability report to marco.fiore@cambsfiresafe.com.
The Information Commissioner's Office (ICO) is the UK supervisory authority. You can complain to them at any time, though we'd appreciate the chance to put things right first. Find them at ico.org.uk.

How this page is kept honest

The status pills above describe the actual state of the system, not aspirations. When we add a control, we move its pill to ✓ Live and update the last-reviewed date at the top. When we discover a gap, we add an ⌛ In progress pill so you know about it.

If you ever read something here that doesn't seem to match your experience, please flag it.

Hub · Privacy · Terms · Cookies · FAQ