Trust at Perpetua
Where the data comes from, where it lives, and how we secure it. This page is the single source for security questionnaires, procurement reviews, and anything else a buyer needs to evaluate Perpetua.
Data sourcing & provenance
- 100% Companies House — UK public filings under the Open Government Licence v3.0.
- XBRL-first extraction — every financial figure is parsed from a tagged filing, not scraped or inferred.
- Provenance preserved — every metric tracks the source filing, XBRL tag, scale, and context reference.
Compliance & certifications
- SOC 2 Type II — audit in progress. Reports available on request once the audit period closes.
- ISO/IEC 27001 — on roadmap.
- UK GDPR & EU GDPR — see the Privacy Policy for data subject rights and retention windows.
Hosting & data residency
- Application — Vercel, EU + UK edge.
- Database — Supabase, EU region (Frankfurt).
- No egress outside the UK / EU for customer or account data.
Subprocessors
We rely on a small number of vendors to deliver the service. Each is evaluated for data residency, encryption, and compliance posture before adoption.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Authentication + Postgres database | EU (Frankfurt) |
| Vercel | Frontend hosting + edge functions | EU + UK edge |
| Stripe | Payment processing (when billing ships) | EU / UK |
| Companies House | Public source data (OGL v3.0) | UK |
Security practices
- TLS 1.3 in transit — HSTS enforced on all customer-facing endpoints.
- Encryption at rest — AES-256, managed by the database provider.
- Sessions — signed HTTP-only cookies with short-lived in-memory user validation.
- API keys — hashed before storage. The raw key is shown once at issuance and never stored in plaintext.
- Least privilege — service role keys never reach the browser; admin endpoints are gated behind a separate secret.
Reporting a vulnerability
If you believe you've found a security issue, please email security@perpetua.uk. We acknowledge reports within two business days and operate a 90-day coordinated-disclosure window. Please do not file a public issue or test against other customers' data.
System status
Live health is reported by the footer indicator on every page and exposed at /api/health. SOC 2 reports, penetration test summaries, and prior incident write-ups are available to customers on request.