Security & Data Protection
A plain-English summary of the technical and organisational controls protecting your account and personal data. For the full legal terms, see our Privacy Policy.
Last updated: 6 June 2026
Encryption
All traffic uses TLS 1.2+ (HTTPS). Data at rest in our managed Postgres database and object storage is encrypted with AES-256.
Access controls
Admin accounts require multi-factor authentication. Production database access is limited to named operators and audited. Application access is enforced with row-level security policies — users only ever see their own rows.
Backups
The production database is backed up daily with 7-day point-in-time recovery. Restore tests are run quarterly.
Sub-processors
We use a small set of named sub-processors to run the service (hosting, email, payments, AI). The full list is published in our Privacy Policy.
Email security
Outbound email is sent over authenticated channels with SPF, DKIM, and DMARC aligned on our delegated subdomain. Bounce and complaint events feed an auto-suppression list.
Incident response
Our breach runbook commits us to triage within 24 hours, and to notifying affected users and the ICO (where required) within 72 hours of confirming a personal data breach.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@publicsectorsponsorship.co.uk. Please give us reasonable time to investigate and remediate before any public disclosure. We will acknowledge your report within 3 working days.
Live service health is published on our status page. Uptime and response-time targets are documented in the SLA.