How We Store Your Data and Keep It Secure

Your security is our priority. Learn about our comprehensive approach to protecting your sensitive information.

Our Commitment to Security

As a security risk management platform, we understand the sensitive nature of the information you entrust to us. We employ industry-leading security practices and technologies to ensure your data remains confidential, secure, and available when you need it.

Data Storage Infrastructure
Enterprise-grade database hosting

We use Supabase, a secure PostgreSQL database platform built on enterprise-grade infrastructure with:

  • ISO 27001 certified data centres
  • SOC 2 Type II compliance
  • Automatic daily backups with point-in-time recovery
  • 99.9% uptime SLA guarantee
  • Data residency options for regional compliance

Encryption at Rest
Your data is encrypted when stored

All data stored in our databases is encrypted at rest using:

  • AES-256 encryption standard (via Supabase)
  • Database-level encryption with automated key management
  • Encrypted file storage for assessment reports
  • Separate data isolation per organisation

Encryption in Transit
Protected data transmission

All data transmitted between your browser and our servers is encrypted using:

  • TLS 1.3 (Transport Layer Security)
  • Perfect forward secrecy
  • HSTS (HTTP Strict Transport Security) enforcement
  • Secure WebSocket connections for real-time features

Authentication & Access Control
Strict identity verification

We implement robust authentication mechanisms:

  • Secure password hashing with bcrypt
  • Email-based authentication with magic links
  • Session-based authentication with secure cookies
  • Automatic session expiration
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) support (planned)
  • OAuth 2.0 integration for enterprise SSO (planned)

Privacy & Data Isolation
Your data stays separate and private

We ensure complete data isolation through:

  • Row-level security (RLS) policies in the database
  • Organisation-scoped data access
  • API request authentication and authorisation
  • Private file storage with signed URLs
  • No data sharing between organisations
  • Secure deletion and data purging capabilities
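As an added illustration of how row-level security enforces organisation-scoped access in Postgres (the database engine behind Supabase), the statements below define two tables and the policies that restrict reads and writes to members of the row's organisation. This is example code written for this page, not CrossRisk's own schema or policies; the table and column names are assumed, and auth.uid() is Supabase's helper that returns the authenticated caller's user id from the request JWT.

```sql
-- Added example (not CrossRisk's own schema): organisation-scoped row-level
-- security. Table and column names are assumed for illustration.
create table assessments (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  title           text not null,
  created_at      timestamptz not null default now()
);

-- Membership table: which authenticated users belong to which organisation.
create table organisation_members (
  user_id         uuid not null,
  organisation_id uuid not null,
  primary key (user_id, organisation_id)
);

-- Turn RLS on. With no policies defined, the table returns no rows to
-- ordinary roles; FORCE applies the policies to the table owner as well.
alter table assessments enable row level security;
alter table assessments force row level security;

-- Read policy: a row is visible only if the caller is a member of the
-- organisation that owns it. auth.uid() is Supabase's JWT-subject helper.
create policy "members read own organisation"
  on assessments for select
  using (
    organisation_id in (
      select organisation_id
      from organisation_members
      where user_id = auth.uid()
    )
  );

-- Write policy: an insert is accepted only when the new row's
-- organisation_id is one the caller belongs to.
create policy "members write own organisation"
  on assessments for insert
  with check (
    organisation_id in (
      select organisation_id
      from organisation_members
      where user_id = auth.uid()
    )
  );

-- Update policy: the caller must be a member both before and after the change,
-- so a row cannot be moved into an organisation the caller is not part of.
create policy "members update own organisation"
  on assessments for update
  using (
    organisation_id in (
      select organisation_id from organisation_members where user_id = auth.uid()
    )
  )
  with check (
    organisation_id in (
      select organisation_id from organisation_members where user_id = auth.uid()
    )
  );
```

A quick check for this kind of policy is to run `select * from assessments` as two users in different organisations and confirm each sees only their own rows, and that an insert with a foreign organisation_id is rejected. One caveat worth remembering when reviewing a Supabase deployment: the service-role key bypasses RLS entirely, so it must stay server-side and never be shipped to a browser or mobile client.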

Security Monitoring & Auditing
Continuous security oversight

We actively monitor and audit our systems:

  • Real-time security event monitoring (via Supabase)
  • Comprehensive audit logs for all data access
  • Automated threat detection and alerting
  • Regular security vulnerability scanning
  • Infrastructure protected by enterprise-grade security operations

Infrastructure Security
Protected hosting environment

Our hosting infrastructure includes:

  • DDoS protection and mitigation
  • Web application firewall (WAF)
  • Intrusion detection and prevention systems
  • Network isolation and segmentation
  • Regular security patching and updates
  • Redundant systems for high availability

Incident Response
Prepared for security events

We maintain a comprehensive incident response plan:

  • Documented security incident response procedures
  • Dedicated security incident reporting channels
  • Prompt notification of affected users as required by law
  • Post-incident analysis and remediation
  • Leveraging infrastructure provider's enterprise security response

Data Backup and Recovery

We maintain comprehensive backup and disaster recovery procedures to protect against data loss:

  • Automated backups: Daily automated backups of all data via Supabase
  • Point-in-time recovery: Database recovery capabilities provided by our hosting infrastructure
  • Geographic redundancy: Backups stored across multiple availability zones
  • Backup encryption: All backups encrypted with the same standards as production data
  • Infrastructure reliability: Built on enterprise-grade database infrastructure with high availability

Compliance and Certifications

We adhere to industry standards and regulatory requirements:

  • GDPR & UK GDPR: Designed for compliance with EU and UK data protection requirements
  • Infrastructure Certifications: Hosted on ISO 27001 and SOC 2 Type II certified platforms (Supabase, Vercel)
  • NCSC Guidelines: Following National Cyber Security Centre best practices
  • Data Protection Principles: Built with privacy by design and data minimisation

Third-Party Security

We carefully vet all third-party service providers that process data on our behalf:

  • Due diligence security assessments before engagement
  • Data processing agreements (DPAs) with all vendors
  • Regular security reviews of third-party services
  • Minimal data sharing—only what's necessary for service provision
  • Vendor security certification requirements

Our primary third-party service providers include:

  • Supabase: Database, authentication, and file storage (ISO 27001, SOC 2 Type II)
  • Vercel: Application hosting and CDN (SOC 2, ISO 27001)

Your Responsibilities

Whilst we implement robust security measures, you also play an important role in keeping your data secure:

  • Keep your email account secure as it's used for authentication
  • Never share magic link emails or forward them to others
  • Use a secure email provider with strong authentication
  • Be cautious of phishing attempts pretending to be login links
  • Log out from shared or public devices after use
  • Report any suspicious activity or unexpected login emails immediately
  • Keep your contact information up to date for security notifications
  • Regularly review user access within your organisation
  • Educate your team members about security best practices

Data Retention and Deletion

We retain your data only as long as necessary for legitimate business purposes:

  • Active accounts: Data retained whilst your account is active
  • Assessment data: Retained for regulatory compliance periods (typically 7 years)
  • Backup data: Automatically purged after 30 days
  • Account deletion: Personal data deleted within 30 days of account closure request
  • Secure deletion: All data securely overwritten to prevent recovery

You can request deletion of your data at any time by contacting us at privacy@crossrisk.io.

Transparency and Updates

We believe in transparency about our security practices:

  • Regular security updates and improvements
  • Public disclosure of security incidents (when applicable)
  • Annual security audit reports available upon request
  • Security white papers and documentation
  • Open communication about our security posture

This page is updated regularly to reflect our current security practices. Last reviewed: 9 February 2026.

Questions or Concerns?

If you have questions about our security practices or wish to report a security concern, contact us via email at privacy@crossrisk.io.

For our full privacy practices, please see our Privacy Policy.