Security & Trust
How we protect your data and maintain institutional-grade security.
Information security framework
Our operational security controls are aligned with the ISO/IEC 27001 control families and the NIST Cybersecurity Framework. We are actively pursuing Cyber Essentials Plus accreditation, with completion targeted during 2026. ISO/IEC 27001 certification is on our 2026–2027 roadmap.
Infrastructure security
Protected by Cloudflare — DDoS protection, WAF, bot management, global CDN. All traffic encrypted in transit with TLS 1.3. Data at rest encrypted using AES-256 where we control the storage layer; provider-native equivalent encryption where storage is managed by our sub-processors.
Data protection
ICO-registered (ZA564668). UK GDPR, EU GDPR, and DPA 2018 compliant. We provide a Data Processing Agreement for all client engagements, reflecting GDPR Article 28 requirements.
For institutional engagements with cross-jurisdiction scope, our DPA also accommodates Brazilian LGPD, Mexican LFPDPPP, and EU Standard Contractual Clauses where applicable.
We apply data minimisation, maintain documented retention policies (configured per engagement), and deliver annual staff training.
Access control
Least-privilege access principles, 2FA / MFA required on all infrastructure and administrative accounts, role-based controls for client environments. All access logged and reviewed.
Backup and recovery
- Sanity content — continuously versioned (every save creates immutable history); point-in-time recovery to any prior state
- Database (Supabase) — daily automated backups retained for 7 days (Pro tier default); additional snapshot exports to Cloudflare R2 on a 30-day rolling retention window for regulatory record-keeping
- Code — Git history mirrored to GitHub with branch protection
- Infrastructure configuration — provider-native configuration captured per brand, including deployment scripts, environment variable manifests, and rebuild runbooks
Recovery objectives (per component):
- Cloudflare CDN/DNS — 1 hour RTO
- Sanity content — 1 hour RTO with sub-1-minute RPO
- Supabase database — 4 hours RTO with 24 hours RPO (sub-5-minute RPO available via Supabase PITR add-on, passed through at cost)
- Full functionality — 24 hours RTO
Restore validation: annual restore drills across the managed estate to validate backup integrity. Per-engagement quarterly drills available on request as part of priority support, at additional cost.
Encryption: all backup data stored in Cloudflare R2 is encrypted at rest using AES-256. Backups in transit between providers and R2 use TLS 1.3.
Incident response
Documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. Personal data breaches affecting client data are reported to affected clients without undue delay and in any event within 72 hours of becoming aware of the breach, in compliance with UK GDPR Article 33 and our DPA Section 7.
P1 incidents trigger a written post-mortem to the client within 10 Business Days of resolution.
Compliance
- UK GDPR and DPA 2018
- PECR (Privacy and Electronic Communications Regulations)
- WCAG 2.2 Level AA (web accessibility)
- Equality Act 2010 and accessibility regulations
- UK Bribery Act 2010 (see Code of Conduct)
- Modern Slavery Act 2015 (voluntarily published — see Modern Slavery Statement)
For Latam-scope engagements: alignment with Brazilian LGPD and Mexican LFPDPPP.
Full documentation on request via security@builtbygo.com.
Sub-processors
We publish our complete sub-processor register at builtbygo.com/subprocessors — including Cloudflare, Railway, Supabase, Sanity, Resend, PostHog, Sentry, Better Uptime, DeepL, and our conditional AI sub-processors (governed by our AI Usage Policy).
We notify clients at least 30 days before adding any new sub-processor, with a 14-day objection window.
Insurance
- Professional Indemnity: £2,000,000
- Public Liability: £2,000,000
- Cyber Liability: £1,000,000
- Employer's Liability: £10,000,000
Certificates available for procurement and risk-team review on execution of NDA or MSA. Contact: legal@builtbygo.com.
Penetration testing
Third-party penetration testing of infrastructure and applications on an annual cadence, with that cadence targeted to be in place by Q4 2026 alongside Cyber Essentials Plus certification. Responsible disclosure is welcomed at any time — see our Vulnerability Disclosure Policy.
AI usage
We use AI tools internally to improve quality, speed, and consistency in our development work. Production personal data is never passed to AI APIs without prior anonymisation. AI-assisted internal tooling is listed as a conditional sub-processor in our register. See our AI Usage Policy for the full operational rules.
Vulnerability disclosure
Report security issues to security@builtbygo.com. See our Vulnerability Disclosure Policy for the full disclosure framework, including safe harbour for good-faith research.
Machine-readable security contact information for automated discovery per RFC 9116: /.well-known/security.txt
Contact
- General security enquiries: security@builtbygo.com
- Privacy and data protection: privacy@builtbygo.com
- Legal and contractual: legal@builtbygo.com
- Procurement enquiries: procurement@builtbygo.com
Document last reviewed: 3 May 2026. Reviewed at least annually and on material change.