Skip to main content
AI Governance Hub
Log inGet started

Security Policy

Our commitment to protecting your data | Last updated: 10 April 2026

Our Security Commitment

At AI Governance Hub, security is not an afterthought—it's fundamental to everything we build. We understand that you're trusting us with sensitive compliance data, and we take that responsibility seriously.

This page outlines our security practices, infrastructure, and policies. We believe in transparency and want you to understand exactly how we protect your data.

Security Principles

Security by Design

Security is built into every layer of our architecture from day one, not bolted on later.

Zero Trust Architecture

Every request is authenticated and authorized. No implicit trust based on network location.

Data Sovereignty

Your governance data is stored in UK/EU data centers. Where data is transferred outside the UK/EU (for example, to AI service providers), appropriate safeguards are in place.

Continuous Monitoring

Automated monitoring for uptime, performance anomalies, and security events, with alerting to our team.

Infrastructure Security

Hosting and Network

  • Hosting Provider: Vercel (Enterprise-grade infrastructure with SOC 2 Type II, ISO 27001)
  • Database: Supabase (PostgreSQL) hosted in UK/EU data centers
  • CDN: Global edge network with DDoS protection and WAF (Web Application Firewall)
  • Uptime Target: 99.5% availability (target)

Data Encryption

  • At Rest: AES-256 encryption for all data stored in databases and file storage
  • In Transit: TLS 1.2+ (HTTPS only, no insecure HTTP connections allowed)
  • Backups: Encrypted backups taken every 24 hours, retained for 30 days
  • Passwords: Bcrypt hashing with unique salts per user (Supabase Auth defaults)

Application Security

Authentication and Authorization

  • Authentication: Supabase Auth with industry-standard JWT tokens
  • Session Management: Secure, HTTP-only cookies with 24-hour inactivity timeout
  • Password Requirements: Minimum 8 characters, complexity enforced
  • Password Reset: Secure token-based reset with email verification
  • Row-Level Security (RLS): Database-enforced access control ensuring users can only access their own data
  • Role-Based Access Control (RBAC): Admin, Editor, Viewer roles with granular permissions

Input Validation and Sanitization

  • Server-Side Validation: All user input validated using Zod schemas before processing
  • XSS Protection: React's built-in escaping + Content Security Policy headers
  • SQL Injection Prevention: Parameterized queries only, no raw SQL with user input
  • CSRF Protection: SameSite cookie policy on all session cookies
  • File Upload Validation: File type and size validation on all uploads

Security Headers

We enforce strict security headers on all HTTP responses:

  • X-Frame-Options: DENY (prevents clickjacking)
  • X-Content-Type-Options: nosniff (prevents MIME sniffing attacks)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: Disables camera, microphone, geolocation
  • Content-Security-Policy: Restricts script sources (in progress — Phase 4)

Third-Party Security

Sub-Processors and Vendors

We carefully vet all third-party services that handle your data:

VendorPurposeCertifications
SupabaseDatabase, Auth, StorageSOC 2 Type II, ISO 27001, GDPR
StripePayment ProcessingPCI-DSS Level 1, SOC 2, ISO 27001
VercelHosting, CDNSOC 2 Type II, ISO 27001
ResendTransactional EmailGDPR-compliant
PostHogAnalyticsGDPR, SOC 2 (privacy-preserving)

Access Controls

Employee Access

  • Principle of Least Privilege: Team members have access only to systems necessary for their role
  • Production Access: Strictly limited and logged. Database access requires multi-factor authentication
  • Audit Logging: All administrative actions logged with timestamps and user identification

Customer Data Access

  • We do not access your data without a legitimate support reason
  • Any access to customer data by our team is logged with timestamps
  • We do not share your data with third parties except as set out in our Privacy Policy

Security Testing and Audits

Current Practices

  • Automated Security Scanning: Dependency vulnerability scanning (GitHub Dependabot)
  • Code Review: All code changes reviewed before deployment
  • Automated Testing: Unit tests, E2E tests, accessibility tests, and security header tests integrated into our deployment pipeline
  • OWASP Top 10: Regular testing against OWASP security risks (XSS, SQLi, CSRF, etc.)

Planned Audits (Phase 4-5)

  • Penetration Testing: Annual third-party penetration tests (Q3 2026)
  • SOC 2 Type II: Certification planned for 2027 (subject to revenue targets)
  • Cyber Essentials Plus: UK government-backed certification (Q4 2026)

Incident Response

Security Incident Procedure

In the event of a security incident:

  1. Detection: Automated monitoring alerts our team to potential incidents
  2. Containment: Affected systems isolated as quickly as reasonably practicable
  3. Investigation: Root cause analysis and impact assessment
  4. Notification: Where a breach poses a high risk to individuals, affected customers are notified without undue delay in accordance with UK GDPR Article 34. The ICO is notified within 72 hours where required under UK GDPR Article 33.
  5. Remediation: Vulnerabilities patched and systems restored
  6. Post-Incident Review: Lessons learned and preventative measures implemented

Data Breach Notification

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, including:

  • Nature of the breach
  • Categories and approximate number of affected records
  • Likely consequences
  • Measures taken to address the breach
  • Contact information for further inquiries

Backup and Disaster Recovery

  • Backup Frequency: Automated daily backups at 02:00 UTC
  • Retention: 30-day backup retention
  • Encryption: All backups encrypted with AES-256
  • Testing: Periodic backup restore verification

Compliance and Certifications

Current Compliance

  • UK GDPR: We process personal data in accordance with UK GDPR. A Data Processing Agreement is available at aigovernancehub.uk/dpa.
  • Data Protection Act 2018: UK data protection obligations applied
  • WCAG 2.2 Level AA: Accessibility target — see our Accessibility Statement

Planned Certifications

  • Cyber Essentials Plus: Q4 2026
  • SOC 2 Type II: 2027 (revenue-dependent)
  • ISO 27001: 2027-2028 (long-term goal)

Responsible Disclosure

Vulnerability Reporting

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please:

  1. Email security@aigovernancehub.uk with details
  2. Do NOT publicly disclose the vulnerability before we've had a chance to fix it
  3. Provide sufficient information to reproduce the issue
  4. Allow us 90 days to investigate and remediate before public disclosure

Bug Bounty Program

We do not currently offer a bug bounty program but plan to launch one in Phase 5 (June 2026). Responsible researchers who report valid vulnerabilities will be acknowledged in our Security Hall of Fame (with permission).

Your Security Responsibilities

Security is a shared responsibility. We ask that you:

  • Use a strong, unique password for your account
  • Enable multi-factor authentication when available (planned for Phase 4)
  • Do not share your account credentials with others
  • Log out from shared devices
  • Report suspicious activity immediately
  • Keep your devices and browsers up to date

Contact Security Team

For security-related inquiries, vulnerability reports, or incident notifications:

Email: security@aigovernancehub.uk
Address: AI Governance Hub, c/o ITNextGen Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Expected Response Time: 24 hours for critical issues, 72 hours for non-critical inquiries

Policy Updates

This Security Policy may be updated to reflect changes in our security posture, infrastructure, or compliance requirements. Material changes will be communicated via email 30 days in advance.