Security at the Core of Everything We Do

cecureid is built on enterprise cloud infrastructure, with all data hosted in the United Kingdom to ensure UK data residency. Our architecture is fully serverless, which means:

• No servers to patch, maintain, or harden — our cloud provider manages the underlying infrastructure
• Automatic scaling to handle demand without manual intervention
• Multi-AZ (Availability Zone) resilience for high availability
• Reduced attack surface compared to traditional server-based deployments

• Encryption at rest: All data is encrypted using AES-256 with enterprise-grade managed encryption keys
• Encryption in transit: All communications are protected with TLS 1.2 or higher
• Tenant data isolation: Data is logically isolated using partition key scoping — every query is scoped to the authenticated tenant
• Point-in-time recovery: Continuous database backups enable restoration to any second within the last 35 days
• Object versioning: Secure storage versioning protects against accidental deletion or overwrites of uploaded documents

• Authentication: Enterprise identity management with multi-factor authentication (MFA) support
• Role-based access control (RBAC): Five role levels — Super Admin, Admin, Manager, Staff, and Public — with granular permissions
• JWT-based authentication: Stateless, cryptographically signed tokens verified on every request
• Session management: Token rotation with short-lived access tokens and secure refresh token handling
• Tenant isolation: Verified at every API call — users can only access data belonging to their tenant

• Web Application Firewall (WAF): Active on all public endpoints with managed rule sets
• Rate limiting: Request throttling to prevent abuse and brute-force attacks
• SQL injection protection: WAF rules and parameterised queries prevent injection attacks
• XSS filtering: Content sanitisation and strict Content Security Policy headers
• DDoS protection: Our global CDN and DDoS protection provide edge-level distributed denial-of-service mitigation
• HSTS with preload: HTTP Strict Transport Security enforced across all domains

cecureid is designed and operated to meet or align with the following standards and regulations:

• GDPR compliant: Full compliance with the UK General Data Protection Regulation
• UK Data Protection Act 2018: Processing in accordance with UK data protection law
• PCI-DSS: Payment card security handled by Stripe, a PCI-DSS Level 1 certified processor
• WCAG 2.1 AA: Accessibility standards for inclusive digital services
• Cyber Essentials Plus alignment: Architecture and controls aligned with the UK government Cyber Essentials Plus scheme
• ISO 27001 alignment: Information security management practices aligned with ISO 27001 controls
• UK data residency: All primary data stored in UK-based data centres

• 24/7 monitoring: Our monitoring platform provides continuous monitoring of all services and infrastructure
• Automated alerting: Real-time alerts for anomalies, errors, and security events
• Distributed tracing: Distributed tracing enables end-to-end request visibility for rapid incident diagnosis
• Audit logging: Structured logging of all data mutations, access events, and administrative actions
• Point-in-time recovery: Database and object storage recovery capabilities to restore data to any point in time

Our CI/CD pipeline includes multiple layers of automated security scanning:

• Secrets scanning: Gitleaks prevents accidental commit of credentials and API keys
• Static analysis (SAST): Semgrep scans for security vulnerabilities and code quality issues
• Dependency scanning: OSV-Scanner identifies known vulnerabilities in third-party packages
• Infrastructure-as-Code scanning: Checkov validates Terraform configurations against security best practices
• Code review: All changes require peer review before merging to production

cecureid uses AI capabilities powered by our enterprise AI platform to enhance the booking experience. Our approach to AI is designed with security and privacy at the forefront:

• No model training on your data: Our AI provider does not use your data to train or improve foundation models
• Tenant-scoped context: AI interactions are strictly scoped to the authenticated tenant's data
• Usage metering and limits: AI usage is metered and subject to plan-based limits to prevent abuse
• Clearly labelled responses: All AI-generated content is clearly identified as such

Have security questions, concerns, or need to report a vulnerability? We welcome responsible disclosure and are happy to discuss our security practices in detail.