Security
Your data deserves the same protection you do.
Immigration data is some of the most sensitive information you have. We treat it that way — with encryption, strict access controls, and full GDPR compliance.
Encryption at Rest & in Transit
All sensitive data (passport numbers, BRP numbers, NHS and NI numbers) is encrypted with AES-256 at rest. All connections use TLS 1.3 to protect data in transit. Passwords are hashed with bcrypt and never stored in plain text.
Secure Infrastructure
Hosted on Vercel with edge-optimised delivery. Database on Neon (cloud PostgreSQL) with automatic backups, point-in-time recovery, and network isolation. No data stored on local or shared servers.
Authentication & Access Control
Industry-standard authentication via NextAuth.js with OAuth providers (Google, GitHub) and email/password. Session tokens with automatic expiry. Role-based access control for all admin operations.
Audit Logging
All sensitive operations are logged with IP address, user agent, and timestamp. Audit logs are retained for 90 days and fully anonymised if you delete your account.
GDPR & Data Protection
Fully compliant with UK GDPR and EU GDPR. Export, correct, or delete all your data at any time. We process only what is necessary under a lawful basis — contract, legitimate interest, or explicit consent.
Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. We never see or store your full card details. Stripe tokens are used for recurring billing.
Vulnerability Management
Dependencies are monitored for known vulnerabilities with automated alerts. Security patches are applied promptly. Our codebase follows OWASP Top 10 best practices for web application security.
Data Residency
Primary data storage in the EU (Neon Frankfurt region). Sub-processors include Stripe (US/EU), PostHog (EU, consent-gated), and Google/GitHub for OAuth. Full sub-processor list in our Privacy Policy.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond within 48 hours.
Email: security@vispathai.com