Trust
How we keep your data safe
Written so a CQC-regulated buyer's due-diligence checklist can be completed from one page. If anything is not here that your procurement team needs, email hello@verivius.co.uk and we will answer in writing.
Last updated 21 May 2026
Where your data lives
Customer data is stored in the European Union. Customer data does not leave the EU in normal operation. The full list of named sub-processors (the third-party services we use to host, send email from, and operate the platform) is published in the Privacy Notice for your procurement team to review.
Who can access your data
Inside your provider account, only users you have invited and assigned roles to can read records. Role-based access controls govern what each user can do (Owner, Admin, Editor, Viewer, with location-scoped variants for multi-location providers).
Verivius staff can access customer data only under documented circumstances: investigating a customer-reported support issue at the customer's request, responding to a security incident, or where required by law. Every Verivius access to a customer's data is logged in an audit trail that is available to the customer on request.
For Mock Inspection engagements, the consultant doing the assessment is granted a time-bounded Viewer role for the duration of the engagement and loses access automatically the day the engagement closes. This is a tracked event in the audit log.
Encryption
Your data is encrypted in transit between your browser and our platform, and between our platform and every system we use to store or process it; all of those connections use TLS 1.3. Data at rest in our database is encrypted with AES-256.
Passwords are never stored in plain text; they are one-way hashed before storage. Payment card details are handled entirely by our payments provider; Verivius itself never sees card numbers.
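The sentence above says passwords are one-way hashed but not what a sound hash record looks like. The block below is an added illustration, not Verivius or Supabase Auth code (the page does not state which algorithm the platform uses): it assumes PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count stored alongside the digest, and shows that two users with the same password get different records and that verification compares in constant time.

```python
"""Illustrative salted password hashing (added example; assumes PBKDF2-HMAC-SHA256,
not the platform's actual algorithm, which this page does not name)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: 600k iterations, in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte salt is drawn per call, so identical passwords produce
    different records and a precomputed table is useless against the store.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records are rejected, never crashed on."""
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    try:
        algorithm, iterations_s, _, _ = record.split("$")
        return algorithm != ALGORITHM or int(iterations_s) < minimum_iterations
    except ValueError:
        return True
```

The iteration count lives in the record rather than in code so that raising the policy later does not invalidate existing logins; `needs_rehash` is the hook for upgrading old records on the next successful authentication.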
Authentication
Customers can enable multi-factor authentication on their account, using TOTP codes from standard authenticator apps. We recommend MFA for all Owner and Admin roles.
Sessions are time-bounded. Sensitive actions (changing subscription, deleting tenant, exporting data) require re-authentication. Failed-login attempts are rate limited at the Supabase Auth layer.
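The MFA paragraph above names TOTP without showing what an authenticator app and the server actually compute. The block below is an added example (not Verivius or Supabase Auth code, whose verification logic the page does not describe) of RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, dynamic truncation to six digits, a one-step tolerance for clock skew, and rejection of a code's time step once it has been accepted so that a captured code cannot be replayed. The secret and timestamps are the RFC's own test vectors.

```python
"""RFC 6238 TOTP generation and verification (added example; assumes SHA-1,
30-second steps and 6 digits, the defaults most authenticator apps use)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Compute the TOTP code for the step containing `for_time` (Unix seconds)."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    `window` is how many steps either side of "now" are accepted, to absorb
    clock skew. `last_accepted_counter` records the newest step already used,
    so the same code (or any older one) is refused on a second attempt.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue                              # already consumed: replay
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False
```

A six-digit code with a three-step window gives an attacker roughly a 3-in-a-million chance per guess, which is only acceptable because failed attempts are rate limited, as the paragraph above says they are at the Supabase Auth layer; a verifier without that limit should count failures itself.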
Backups and data retention
The Supabase Postgres instance is backed up continuously, with point-in-time recovery available within the retention window provided by Supabase's standard plan.
Retention while you are an active customer: workspace data is kept indefinitely, per your provider's own retention policy. After account closure: workspace data remains available for export for 30 days, then is permanently deleted. Account records (as distinct from workspace data) are retained for 6 years after account closure for audit and legal purposes. The full retention table is in the Privacy Notice.
Breach notification
If we become aware of a personal data breach affecting your workspace data, we will notify you within 36 hours of becoming aware. UK GDPR obliges us, as processor, to notify you (the controller) without undue delay; the 72-hour deadline for notifying the ICO runs against you as controller from the point you become aware. Committing to 36 hours leaves you runway within that 72 hours to make your own ICO and data-subject notification decisions. The notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take.
Your right to export
Every customer can export all of their workspace data at any time, in a structured, commonly used and machine-readable format, as the UK GDPR Article 20 right of data portability requires. The export is Owner-only and covers every register, every record, every evidence document, every audit-log entry, and every related metadata field. There is no charge and no waiting period.
Safeguarding
Verivius personnel are expected to recognise and act on safeguarding concerns that arise during on-site engagements or records review. Our written commitment to safeguarding children and adults at risk, including the escalation route and how to raise a concern with us directly, is set out on the safeguarding commitment page.
Sub-processor changes
If we plan to add a new sub-processor, we will give customers at least 30 days' notice before onboarding it. Customers can object during that window. The current sub-processor list is published in the Privacy Notice, and changes will be communicated by email to the billing-contact and Owner roles on each account.
What happens if Verivius ceases trading
This is a reasonable question and one we expect from procurement teams. If Verivius Ltd ceases operating, every customer will receive at least 90 days' notice in writing. During that window, the export function described above remains available, and customers retain the right to extract their full data set in the portable format. We will assist with handover to any successor platform of the customer's choosing.
Any strike-off or winding up of Verivius Ltd follows the statutory procedure for UK companies (the Companies Act 2006 and the Insolvency Act 1986); our data-processor obligations under UK GDPR continue throughout any wind-up.
Reporting a security issue
If you believe you have found a security vulnerability in Verivius, please email hello@verivius.co.uk with the subject line "Security" and a description of the issue. We will acknowledge within 3 working days and aim to triage within 5 working days. We do not yet run a formal bug bounty programme; responsible disclosure is rewarded with public credit (with your permission) and our genuine thanks.
Please do not publish the vulnerability until we have had time to investigate and fix it.
Current compliance posture
Verivius Ltd's own compliance status, kept honest and live. The page below reads from a single source of truth in the codebase, so the moment an item completes (Cyber Essentials certificate arrives, insurance binds, DPIA is signed off) the dates ripple through every surface that shows them.
- ICO data controller registration. Tier 1. Reg. ZC144284. Complete · 2026-05-21
- Cyber Essentials Basic certification. IASME scheme. In progress · target 2026-06-15
- Data Protection Impact Assessment (Mock Inspection processing). Founder-drafted; solicitor review folded into the engagement-letter pack. Draft
- Cyber liability + professional indemnity insurance. £1,000,000 PI + £1,000,000 cyber + £1,000,000 public liability. Pending · target 2026-06-30
Status reflects Verivius Ltd's own compliance position as a data controller in its own right; for your workspace data Verivius acts as processor, and that data continues to be processed under the controls described above. Updates are made to src/lib/brand/constants.ts as items complete; this page surfaces the live state.
What we do not yet have
Honest about the gaps a procurement team will look for.
- SOC 2 / ISO 27001 certification. Not yet. For a small early-stage software business, the cost of these certifications (typically £25,000+ per year) exceeds the current revenue. We will pursue ISO 27001 in 2027 once customer revenue supports it. In the meantime, the controls described on this page are the same controls we would document for either certification.
- Customer-specific penetration test reports. Not yet. We run automated security scanning as part of the build pipeline; a formal third-party pen test is planned for Q4 2026. Once complete, the executive summary will be available under NDA to procurement teams that ask.
- HIPAA business associate agreement. Not applicable. Verivius is a UK-only product serving CQC-regulated providers in England; we do not enter into US healthcare regulatory frameworks.
For procurement teams
If this page does not cover something on your due-diligence questionnaire, send the questionnaire to hello@verivius.co.uk and we will return it answered in writing within 5 working days. For deeper diligence we can also offer a 30-minute call to walk through the controls with the founder.
Common questions: see the Data and security section of the FAQ.