Security & Compliance
SOC 2 Type II Certified
● Independent audit of security controls
● Covers security, availability, confidentiality
● Annual re-certification
● Report available to Enterprise customers under NDA
GDPR Compliant
● Data processing agreements available
● Right to access, rectify, delete data
● Data minimization principles
● UK/EU data residency
● Breach notification procedures
● Regular compliance audits
ISO 27001 Aligned
● Information security management system
● Aligned with ISO 27001 standards
● Formal certification in progress (Q3 2025)
Making Tax Digital (MTD) Ready
● Full audit trails for HMRC requirements
● Digital record keeping standards
● VAT calculation and reporting
● Timestamped, immutable logs
UK Data Protection Act 2018
● Compliant with UK-specific requirements
● ICO registered
● UK-based data processing
Encryption
● In transit: TLS 1.3 (highest standard for data transmission)
● At rest: AES-256 encryption (same standard used by banks)
● Backups: Encrypted and geographically distributed
Infrastructure
● Hosted on AWS (UK and EU regions only)
● 99.9% uptime SLA
● Automatic failover and redundancy
● DDoS protection
● Regular penetration testing by third-party security firms
Access Controls
● Role-based permissions (view/approve/edit/admin)
● Document-level access restrictions
● Two-factor authentication (2FA) available
● Single Sign-On (SSO) for Enterprise customers
● Automatic session timeout after 30 minutes of inactivity
● IP address logging for all actions
Application Security
● Regular security audits and vulnerability scanning
● OWASP Top 10 compliance
● Secure software development lifecycle
● Bug bounty programme for responsible disclosure
● Security incident response plan
What We Collect:
● Invoice data (vendor names, amounts, dates)
● User information (names, emails, roles)
● Usage data (which features are used, and when)
● Audit logs (actions taken, timestamps)
What We Don't Collect:
● Banking details or payment card information
● Personal financial information
● Social security or national insurance numbers
● Personal employee data beyond work email/role
How We Use Your Data:
● Provide the Team Pod service you're paying for
● Improve our AI and OCR accuracy
● Send service notifications and support responses
● Aggregate analytics (anonymized, not client-specific)
How We Don't Use Your Data:
● Never sell or share with third parties
● No advertising or marketing data use
● No AI training on your specific data (only aggregate patterns)
● No cross-customer data sharing
Your Rights:
● Access your data anytime
● Export all data in standard formats
● Delete your data (90 days after cancellation, or on request)
● Restrict processing
● Data portability
Data Residency & Sovereignty
Where Your Data Lives:
● Primary: UK data centres (London region)
● Backup: EU data centres (Ireland/Frankfurt regions)
● Never stored outside UK/EU
Why This Matters:
● UK/EU data protection laws apply
● No US CLOUD Act concerns
● GDPR and UK DPA 2018 compliant
● Data subject to UK/EU jurisdiction only
Vendor Security
Our Vendors:
● AWS (infrastructure hosting)
● Anthropic (AI/OCR processing)
● SendGrid (email notifications)
● Stripe (payment processing - Enterprise only)
All vendors:
● SOC 2 certified or equivalent
● GDPR compliant
● Data processing agreements in place
● Regular security assessments
Incident Response
If a security incident occurs:
1. Immediate containment and investigation
2. Notification within 24 hours (or as legally required)
3. Full transparency about what happened
4. Clear communication about impact and remediation
5. Post-incident review and improvements
Contact for security concerns:
security@teampod.co.uk
PGP key available on request
Regular Security Practices
What We Do Continuously:
● Weekly security patches and updates
● Monthly vulnerability scans
● Quarterly penetration testing
● Annual third-party security audits
● Regular staff security training
● Incident response drills
● Backup testing and validation
We never access your banking details or payment information. Your data stays in UK/EU data centres.
security@teampod.co.uk