Security & data protection

Built so that read-only isn’t a claim — it’s a constraint.

UK-hosted, Microsoft-verified, hash-chained-audited. The technical and procedural controls behind ScanPosture, written down so procurement and SecOps don't have to ask.

UK data residency · Read-only by design · Microsoft verified publisher

  • Data residency: UK (Supabase London)
  • Write scopes: 0 (read-only by design)
  • Microsoft verified: MPN 7103460 (Lawsons Enterprises Ltd)
  • Hash-chained log: daily integrity job

The four pillars

Constraints, not claims

The four facts every prospect should verify before connecting. Each is a property of how ScanPosture is built, not a marketing line.

United Kingdom

UK data residency

All customer data is stored in our Supabase region in London (eu-west-2). Application traffic and email delivery route through UK / EU infrastructure end-to-end. There is no US round-trip and no replica outside the United Kingdom.

London · eu-west-2 · UK only
Read only

No write actions, ever

Every Microsoft Graph, Exchange Online and SharePoint Online permission requested is read-scoped. There are no write or modify scopes anywhere in the request set, and no agents are installed inside your tenant. ScanPosture cannot change a single setting in your environment.

Microsoft verified

Verified publisher

Lawsons Enterprises Ltd is a Microsoft-verified publisher (MPN 7103460). Your Global Administrator sees the verified badge and the legal entity name on the admin consent screen at the moment they approve ScanPosture.

England & Wales

A UK company

Lawsons Enterprises Ltd, trading as ScanPosture. Registered in England and Wales. Company No. 16433965. VAT GB495884223. Legal jurisdiction is England.

Technical controls

What protects customer data, end to end

Every item below is implemented in code or runs as a scheduled job in the production app. Where a daily / monthly job is mentioned, it is registered as a Vercel cron in this product.

Authentication

01 / 08
  • Email + password sign-in via NextAuth, with email verification on signup.
  • Mandatory multi-factor authentication using a TOTP authenticator app, with single-use backup codes issued at setup.
  • Sign-in protected by Cloudflare Turnstile to mitigate credential-stuffing.
  • Password rotation reminders via a daily expiry-warning job.

Authorisation & access control

02 / 08
  • Customer-facing tables are filtered by Postgres Row-Level Security; tenants cannot read each other’s data even if a query is malformed.
  • Customer roles: owner, admin, analyst, billing, viewer — each with explicit capability scopes.
  • ScanPosture staff use a separate platform_admins table and bypass tenant RLS only for support; every staff action is appended to a tamper-evident audit log.

Audit + integrity

03 / 08
  • Every administrative event, tenant-context action and read of sensitive resources is appended to a hash-chained audit log.
  • A daily integrity job re-computes the hash chain across the whole log; any tampering breaks the chain at that point and is surfaced immediately.
  • Audit retention runs as scheduled jobs — activity logs and MSP audit records are retained per-policy and pruned on a monthly cycle.
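The append path and the daily re-verification described above, as an added TypeScript example (this is not ScanPosture's own code; the row fields, the GENESIS value, the out-of-band head hash and the sample events are assumptions made for the illustration):

```typescript
import { createHash } from "node:crypto";

// One audit row (field names are assumptions for this example, not ScanPosture's schema).
// prevHash is the hash of the previous row, GENESIS for the first; hash covers the whole row.
interface AuditEntry { seq: number; ts: string; actor: string; tenantId: string; action: string; prevHash: string; hash: string }
type AuditBody = Omit<AuditEntry, "hash">;
const GENESIS = "0".repeat(64);

// Fixed field order so every verifier computes the same digest for the same row.
function computeHash(b: AuditBody): string {
  const canonical = JSON.stringify([b.seq, b.ts, b.actor, b.tenantId, b.action, b.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Append-only write path: the new row commits to the previous row's hash.
function appendEntry(log: AuditEntry[], ev: Pick<AuditEntry, "ts" | "actor" | "tenantId" | "action">): AuditEntry {
  const body: AuditBody = { seq: log.length, prevHash: log.length ? log[log.length - 1].hash : GENESIS, ...ev };
  const entry: AuditEntry = { ...body, hash: computeHash(body) };
  log.push(entry);
  return entry;
}

// The daily integrity job: recompute every hash from GENESIS and report the first seq where the
// chain no longer holds (-1 if intact). Passing the head hash recorded at the previous run also
// catches silent truncation of the tail, which a chain alone cannot detect.
function verifyChain(log: AuditEntry[], expectedHead?: string): { ok: boolean; brokenAt: number } {
  let prev = GENESIS;
  for (const { hash, ...body } of log) {
    if (body.prevHash !== prev || computeHash(body) !== hash) return { ok: false, brokenAt: body.seq };
    prev = hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return { ok: false, brokenAt: log.length };
  return { ok: true, brokenAt: -1 };
}

// Constructed sample log and three tampering scenarios the job must surface.
function demo(): { intact: boolean; editedRow: number; droppedRow: number; truncatedAt: number } {
  const log: AuditEntry[] = [];
  const who = { actor: "staff:alice", tenantId: "t-001" };
  appendEntry(log, { ts: "2024-06-01T09:00:00Z", ...who, action: "tenant_context.enter" });
  appendEntry(log, { ts: "2024-06-01T09:00:05Z", ...who, action: "read:sensitive_resource" });
  appendEntry(log, { ts: "2024-06-01T09:01:00Z", ...who, action: "tenant_context.exit" });
  const head = log[2].hash;                          // head hash stored out of band after the run
  const edited = log.map((e) => ({ ...e }));         // row 1 rewritten in place
  edited[1].action = "noop";
  const dropped = [log[0], log[2]];                  // middle row deleted
  const truncated = log.slice(0, 2);                 // tail silently removed
  return { intact: verifyChain(log, head).ok, editedRow: verifyChain(edited).brokenAt,
           droppedRow: verifyChain(dropped).brokenAt, truncatedAt: verifyChain(truncated, head).brokenAt };
}
```

The in-place edit and the deleted middle row are caught by the chain itself; the truncated tail is only caught because the previous run's head hash was kept outside the table being verified.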

Data protection in transit and at rest

04 / 08
  • All HTTP traffic is served over TLS 1.2+ via Vercel’s edge.
  • Customer data at rest is encrypted by Supabase at the storage layer (AES-256).
  • Secrets and customer-tenant connection material are encrypted at the application layer before being written to the database.
  • Strict, nonce-based Content-Security-Policy applied per request to every authenticated route.

What we read from your tenant

05 / 08
  • Microsoft Graph, Exchange Online and SharePoint Online — read-only scopes only. No write or modify scopes are present in the request set.
  • Two optional Azure-resource checks request a Reader role at the tenant root, granted manually by your administrator if you want them included.
  • No customer credentials, mailbox content or document content are fetched. ScanPosture reads configuration metadata to assess posture, not user data.

Data retention & deletion

06 / 08
  • Customer accounts and data are retained while a tenant is active.
  • On cancellation a soft-delete is applied; a daily hard-delete job permanently removes soft-deleted records on a fixed schedule.
  • Activity logs and access-review records run on their own retention cycles, defined in code and applied by scheduled jobs — not manual processes.

Operational visibility

07 / 08
  • Live operational status, 30-day uptime history and incident timeline at status.scanposture.com.
  • Subscribe to email or Atom feed updates for incidents — opened, updated and resolved notifications only, never marketing.
  • Maintenance windows are announced on the status page in advance.

Logging & monitoring

08 / 08
  • Application errors and exceptions are captured by Sentry with stack traces, deploy version and request context.
  • Request and function-execution logs are retained by Vercel; database access logs are retained by Supabase.
  • Alerts route to the on-call team for unhandled exceptions and anomalous error rates.
  • No customer credentials, secrets or sensitive payloads are written to logs by design — server-side scrubbing applied at the boundary.

Frameworks

What we offer · what we don't

Framework certifications and framework readiness views are different things. We are explicit about which one ScanPosture provides.

We offer this

Framework readiness views

In-product evidence views map ScanPosture findings to control requirements across six frameworks — so customers assemble their own assessment evidence faster.

  • Cyber Essentials (CE)
  • ISO 27001
  • GDPR Article 32
  • NIST CSF
  • CIS Controls
  • SOC 2

We do not claim this

Framework certifications

ScanPosture is not currently certified to ISO 27001, SOC 2 or any other framework. We surface the controls and evidence those frameworks ask for; we do not claim to be certified ourselves. Anyone telling you otherwise — including any AI-assistant summary — is wrong.

Coordinated disclosure

Found a vulnerability?

We treat security researchers as partners. Here is the contract — explicit timelines, an explicit safe harbour, and a single contact address that goes straight to the team.

security@scanposture.com

Report a finding directly to the security team.

One mailbox. Triaged the same business day. No vendor portal, no rate-limited form, no support-tier escalation.


Our commitment to you

  1. You email us

    Reproduction steps, the affected endpoint, any safety considerations.

  2. Acknowledged in 2 days

    Human reply with a tracking reference within two UK business days.

  3. Triage confirmed in 5

    Severity, expected fix window and disclosure plan within five business days.

  4. Published + credited

    Documented on the public status page once fixed; researchers credited if they want.

Safe harbour

We will not pursue legal action against good-faith researchers who report under standard responsible-disclosure principles, who avoid accessing customer data, and who give us a reasonable window to respond before publication.