Security Overview
At ResponseHub, we understand that security is paramount when handling your company’s sensitive policy documents and security questionnaires. This overview describes our comprehensive approach to protecting your data and maintaining the security of our platform.
Infrastructure Security
Hosting and Data Centers
- Primary Infrastructure: DigitalOcean App Platform (AMS3 region, Netherlands)
- Data Residency: All customer data is stored and processed exclusively within Europe
- Geographic Redundancy: Automated backups and disaster recovery within EU regions
Network Security
- DDoS Protection: Multi-layer DDoS mitigation via Cloudflare and DigitalOcean
- Web Application Firewall (WAF): Active threat detection and blocking through Cloudflare
- Encryption in Transit: All data transmissions use TLS 1.2 or higher
- Encryption at Rest: All customer data encrypted using industry-standard AES-256 encryption
Backup and Disaster Recovery
- Continuous Protection: Point-in-time recovery available for 7 days
- Data Retention: 30-day data export availability post-account termination
Application Security
Access Controls
- Multi-Factor Authentication (MFA): Available for all user accounts
- Session Management: Automatic timeout for inactive sessions
- Role-Based Access: Granular permissions within customer accounts
Development Security
- Secure Development Lifecycle: Security considerations integrated into all development phases
- Code Reviews: All code changes undergo peer review before deployment
- Dependency Management: Automated vulnerability scanning via Dependabot
- Security Updates: Critical patches applied within 48 hours of release
AI and Data Processing
- Zero-Training Guarantee: Your data is never used to train AI models
- Isolated Processing: Each customer’s data is processed in isolation
- AI Partners: AWS Bedrock and Mistral AI with contractual data protection agreements
- No Special Category Data: Platform prohibits processing of sensitive personal data categories
Operational Security
Monitoring and Incident Response
- 24/7 Monitoring: Continuous application and infrastructure monitoring via AppSignal
- Security Incident Response: Defined procedures with 72-hour breach notification commitment
- Audit Logging: Comprehensive activity logs for security investigations
- Threat Detection: Proactive monitoring for suspicious activities and anomalies
Vulnerability Management
- Automated Scanning: Continuous dependency vulnerability scanning via Dependabot
- Patch Management: Regular security updates and patch deployment schedule
- Penetration Testing: Commitment to annual third-party penetration testing starting Q1 2026
Employee Security
- Access Control: Principle of least privilege for all staff access
- Confidentiality Agreements: All employees bound by strict confidentiality obligations
- Security Training: Regular security awareness training for all team members
- Support Access: Time-limited, logged access only when necessary for customer support
Compliance and Certifications
Current Compliance
- GDPR Compliance: Full compliance with UK and EU GDPR requirements
- Data Processing Agreement: Comprehensive DPA available for all customers
- Privacy by Design: Privacy and security built into our platform architecture
- CCPA/CPRA Ready: Compliance with California privacy regulations
Planned Certifications
- Cyber Essentials: Committed to achieving certification by end of 2025
- Penetration Testing: Third-party penetration testing scheduled for Q1 2026
Legal Framework
- UK Registered Company: Company Number 15845409
- EU Data Processing: Primary processing within the Netherlands
- International Transfers: Appropriate safeguards including UK IDTA and EU SCCs where required
- Subprocessor Management: Vetted subprocessors with strict data protection agreements
Data Protection
Data Segregation
- Logical Separation: Multi-tenant architecture with strict data isolation at the application level
- Tenant Isolation: Every database query automatically scoped to your organization
- No Data Commingling: Your data is never accessible to other customers
- Access Controls: Application-level enforcement prevents cross-tenant data access
- Secure APIs: Rate-limited, authenticated APIs with encrypted communications
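The isolation model listed above (a multi-tenant store where every query is scoped to the caller's organisation at the application layer) is easy to state and easy to break with a single forgotten filter. The following Python sketch is an added illustration of that pattern, not ResponseHub's code: the `DocumentTable`, `TenantRepository` and `demo` names, the two organisation ids and the document titles are all constructed for the example. It routes every read and write through a repository bound to one tenant, fails closed when no tenant context is present, reports another organisation's rows exactly like missing rows, and records the denied lookups so that probing is visible in audit logs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    org_id: str   # tenant key: every row carries the organisation it belongs to
    title: str


class DocumentTable:
    """Stand-in for one shared multi-tenant database table (constructed sample)."""

    def __init__(self) -> None:
        self._rows: Dict[int, Document] = {}
        self._next_id = 1

    def insert(self, org_id: str, title: str) -> Document:
        doc = Document(self._next_id, org_id, title)
        self._rows[doc.doc_id] = doc
        self._next_id += 1
        return doc

    def get(self, doc_id: int) -> Optional[Document]:
        return self._rows.get(doc_id)

    def scan(self) -> List[Document]:
        return list(self._rows.values())


class TenantRepository:
    """The only path application code uses to reach documents (hypothetical API).

    It is bound to the authenticated user's organisation at construction time and
    applies that filter to every read and write, so no individual query can forget
    the tenant condition.
    """

    def __init__(self, table: DocumentTable, org_id: str, audit: List[Tuple[str, int]]) -> None:
        if not org_id:
            # Fail closed: an empty tenant must never widen into "all tenants".
            raise ValueError("tenant context is required")
        self._table = table
        self._org_id = org_id
        self._audit = audit   # shared sink for denied cross-tenant lookups

    def list_documents(self) -> List[Document]:
        return [d for d in self._table.scan() if d.org_id == self._org_id]

    def get_document(self, doc_id: int) -> Optional[Document]:
        doc = self._table.get(doc_id)
        if doc is None:
            return None
        if doc.org_id != self._org_id:
            # A row that belongs to another organisation is reported exactly like a
            # missing row, so ids cannot be used to probe other tenants; the attempt
            # is still recorded so that repeated probing shows up in audit logs.
            self._audit.append((self._org_id, doc_id))
            return None
        return doc

    def create_document(self, title: str) -> Document:
        # Writes are stamped with the repository's tenant, never a caller-supplied id.
        return self._table.insert(self._org_id, title)


def demo() -> dict:
    """Populate two constructed tenants and show that each sees only its own rows."""
    table = DocumentTable()
    audit: List[Tuple[str, int]] = []
    acme = TenantRepository(table, "org-acme", audit)
    globex = TenantRepository(table, "org-globex", audit)

    acme_policy = acme.create_document("Acme information security policy")
    globex.create_document("Globex vendor questionnaire")

    return {
        "acme_titles": [d.title for d in acme.list_documents()],
        "globex_titles": [d.title for d in globex.list_documents()],
        # Globex asking for Acme's id gets None, indistinguishable from a bad id...
        "globex_sees_acme_doc": globex.get_document(acme_policy.doc_id),
        # ...but the denied lookup is recorded for investigation.
        "denied_lookups": list(audit),
        "acme_sees_own_doc": acme.get_document(acme_policy.doc_id) is not None,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The design point is that the tenant filter lives in one place that cannot be bypassed by ordinary application code, rather than in each query; the audit sink turns the failure mode the list above is guarding against (a cross-tenant read) into something a detection pipeline can count.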
Data Control
- Data Ownership: You retain full ownership of all your data
- Export Capabilities: Export your data anytime in standard formats (JSON, CSV, PDF)
- Deletion Rights: Immediate deletion available through the platform
- Portability: Full data portability in machine-readable formats
Third-Party Security
Subprocessor Security
All our subprocessors undergo rigorous security evaluation:
| Service | Purpose | Location | Security Standards | 
|---|---|---|---|
| DigitalOcean | Infrastructure | Netherlands | ISO 27001, SOC 2 | 
| AWS | AI Processing, Storage | EU Regions | ISO 27001, SOC 2, PCI DSS | 
| Mistral AI | AI Processing | France | ISO 27001, SOC 2, GDPR Compliant | 
| Stripe | Payment Processing | UK/EU | PCI DSS Level 1, SOC 2 | 
| Cloudflare | CDN, WAF, DDoS | Global (EU Processing) | ISO 27001, SOC 2 | 
Supply Chain Security
- Vendor Assessment: Security evaluation for all new vendors
- Contractual Safeguards: Data protection agreements with all subprocessors
- Regular Reviews: Annual review of all third-party security postures
Security Best Practices for Customers
To maximize security, we recommend customers:
- Enable Multi-Factor Authentication for all users
- Regularly review and update user access permissions
- Use strong, unique passwords for all accounts
- Promptly deactivate accounts for departed employees
- Regularly export and back up critical data
- Avoid uploading special category personal data
Transparency and Communication
Security Updates
- Status Page: Real-time platform status and incident updates
- Security Notices: Proactive communication about security matters
Contact and Reporting
- Security Inquiries: hello@responsehub.ai
- Support: support@responsehub.ai (24-hour response time for security issues)
- Vulnerability Reporting: Please report security vulnerabilities to hello@responsehub.ai
Our Security Commitment
We are committed to continuous security improvement:
- Regular security assessments and updates
- Investment in security tools and technologies
- Ongoing team security training and awareness
- Transparent communication about our security practices
- Cyber Essentials certification by end of 2025
- Third-party penetration testing scheduled for Q1 2026
Questions?
If you have specific security requirements or questions not addressed in this overview, please contact us at hello@responsehub.ai. We’re happy to discuss your security needs and provide additional information, including:
- Completion of security questionnaires
- Security architecture discussions
- Custom security requirements for enterprise customers
Last Updated: August 2025
Version: 1.0
