UK hosted.
UK supported.
Boring on purpose.
Worker names, medical notes, subbie details, photos at the gate — they are all personal data. Treating security as an afterthought is how breaches happen. Access follows role, activity is logged, and your team can explain who saw what and why, on the day someone asks.
Six things UK firms actually ask us.
GDPR is broad. In practice, construction firms ask us for a short list of assurances. Here is how we address them — the security pack expands every line on request.
UK data residency
AWS eu-west-2 (London). Data does not leave the United Kingdom. No third-party trackers, ad-tech or analytics brokers. Sub-processors listed in the DPA.
Region: eu-west-2
Encryption
AES-256 at rest. TLS 1.3 in transit. Keys rotated quarterly. Backups encrypted, off-site, retained 35 days, restorable to the minute.
Standard: NIST-aligned
Access & SSO
Single sign-on with Microsoft 365 and Google Workspace. Optional MFA. Role-based permissions go to field level. Audit log unfakeable.
Patterns: SSO · MFA · RBAC
Audit trail
Every event — sign-off, edit, status change — writes a signed entry with user, device, IP and timestamp. Append-only. The chain of custody a regulator accepts.
Mode: append-only
GDPR by default
ICO registered. You are the controller for your staff and subbies. We are the processor under your instructions. DPA on the standard contract — not behind a sales call.
Status: controller / processor
Frameworks
Cyber Essentials Plus held. ISO 27001 in progress. Penetration tested annually by a CREST-accredited firm. The security pack covers the lot.
Held: CE+ · ICO