Security & Compliance You Can Trust

We are committed to protecting your data and meeting the highest standards for privacy and security. Our practices align with GDPR and UK GDPR, with customer data held in the EU/UK.

Compliance

  • UK GDPR (UK General Data Protection Regulation): Compliant
  • Cyber Essentials (UK government-backed baseline security certification): In progress

Security Overview

We use industry-standard encryption for data in transit (TLS) and at rest. Access to systems and customer data is restricted by role-based access controls, and all access is logged for audit. Our infrastructure is hosted in the EU/UK so that customer data stays within these regions.

We continuously monitor our systems for security events and respond to incidents according to our incident response process. Third-party sub-processors are selected with data protection in mind.

If you have specific security or compliance questions, we are happy to provide more detail. Contact us at security@scorehq.io.

Sub-Processors Register

We use the following sub-processors to operate SCORE.

| Provider | Purpose | Location |
|---|---|---|
| Mailgun (Sinch Email) | Email delivery (transactional emails, report delivery) | EU (Germany) |
| Heroku (Salesforce) | Application hosting and platform services | EU |
| Amazon Web Services (AWS) | Cloud infrastructure, storage, and compute | UK (London / eu-west-2) |
| Mistral AI | AI/ML services (e.g. report assistance, extraction) | EU |
| Sentry | Error monitoring and performance monitoring | EU |

This list is updated as we add or change sub-processors. For the latest register, contact security@scorehq.io.

Data Protection

We collect and use personal data only as needed to provide and improve SCORE, and as described in our Privacy Policy. We do not sell your data. Data is retained only for as long as necessary for the purposes set out in our policy or to meet legal obligations.

Under UK GDPR you have rights including: access to your data, correction, erasure (where applicable), restriction of processing, data portability, and the right to object. You also have the right to lodge a complaint with a supervisory authority. For more detail and how to exercise these rights, see our Privacy Policy.

AI Processing

SCORE users opt in to AI features. When you use AI-assisted functionality, we process data only for the purposes you have agreed to. Our AI provider (Mistral AI) processes data under our data processing agreement and does not retain your data or use it to train its models.

Companies can optionally opt into AI quality-control (QC) improvements. Where that option is enabled, we may use limited data to improve AI QC features. Training data retention for that purpose is limited and handled in line with our Privacy Policy.

For full detail on AI processing, lawful bases, and your rights, see our Privacy Policy – AI and Automated Decision-Making.

Infrastructure & Security

  • Data residency: Customer data is stored in the EU/UK. We use the UK (London) region for AWS and EU/UK regions where available from our other providers.
  • Backup and recovery: We back up data regularly and have procedures to restore services in the event of failure or incident.
  • Security monitoring: We monitor our systems and applications for suspicious activity and respond to security events in line with our incident response process.

Security Contact

For security and compliance enquiries, vulnerability reports, or to request the latest sub-processor register, contact our security team.

security@scorehq.io

To report a vulnerability, please email the above address with details. We will acknowledge receipt and respond in line with our security process.

For general support or product questions, use hello@scorehq.io or your usual support channel.