Security.
Last updated: 10 May 2026
RowInsight is in private beta. This page is the honest version of what is and isn't in place — not a marketing pitch. We'll update it as the controls mature; in the meantime, please don't upload data you can't afford to lose.
Beta posture
The product is operated by a single person on a hosted PaaS (Railway), using Railway's managed Postgres and Redis. There is no 24×7 on-call rotation, no formal change management, and no third-party security audit. Treat the service accordingly: upload only data you would be comfortable losing or re-keying.
Data location
The current production region is set by the hosting provider (Railway) and is not guaranteed to be UK-resident. UK residency is a goal once we move to a dedicated infrastructure tier; today, we don't make that promise. If UK residency is a hard requirement for you, please don't use the beta for production data.
Encryption
All traffic to and from the service runs over TLS (managed by our edge provider). At rest, the database and cache are encrypted by the hosting platform's default disk encryption. We don't currently manage our own keys. Session cookies are signed (HMAC) with an environment-scoped secret.
Access
Production credentials are held by the project owner only. There is no team yet, no SSO, and no hardware-key requirement. Routine access for debugging is via the hosting provider's web console with the owner's account.
What we collect
Only what you upload (CSV/XLSX rows + the enrichment we produce), your sign-up email, and basic request logs. We don't run advertising or analytics tags. The only cookie we set is an essential session cookie. PII fields in our logs (postcodes, CRNs, names, emails) are hashed before they hit structured-log storage.
Vulnerability disclosure
If you find a security issue, please email security@rowinsight.com. As a beta, we can't commit to a formal SLA on acknowledgement, but we read this address daily and will reply. Please don't test against accounts that aren't yours and don't use social engineering on the operator.
What we are NOT (yet)
- Not SOC 2 Type II certified.
- Not yet ICO-registered (planned once a UK Ltd is incorporated).
- Not yet covered by a signed DPA — available on request once we have a registered entity to sign as.
- Not redundant across regions; a hosting outage takes the service offline.