SECURITY · TRUST
Where your data lives.
No exaggerations. No certifications we don't hold. Every claim below corresponds to a real architectural choice you can ask us to walk through on call.
UK-BASED·GDPR-READY·BUILT ON CLAUDE·NOTHING SENDS WITHOUT YOU
Where your data lives
Cloudflare UK / EU edge primary. All tenant data resides in the UK and EU. We do not store customer data in the US or any non-UK / non-EU jurisdiction. Specific region: UK-London-1 (primary), EU-Frankfurt (DR replica).
- →Primary region: UK
- →DR region: EU (Frankfurt)
- →No US storage of customer data
Encryption
All data is encrypted at rest with per-tenant keys (AES-256). Data in transit uses TLS 1.3 only. No SSL fallback. Per-tenant key separation means a leak in one tenant cannot decrypt data in another.
- →At rest: AES-256, per-tenant keys
- →In transit: TLS 1.3, no SSL fallback
- →Key rotation: 90-day max
Isolation
Row-level security and tenant containers. One customer's data is never visible to another's queries — enforced at the database layer and again at the application layer. We've red-teamed cross-tenant access as part of pre-production testing.
- →DB-level row security (PostgreSQL RLS)
- →App-level tenant guards
- →Audit log if cross-tenant access is even attempted
Audit & retention
Every action — every draft, every approval, every escalation, every integration call — is logged. Logs retained for seven years for compliance. Customers receive a quarterly audit summary on request.
- →7-year audit log retention
- →Tamper-evident chain
- →Customer audit reports on request
Identity & access
Authentication via Clerk (SOC 2 Type II). MFA required for admin accounts. SSO available on Scale and Enterprise tiers. Customer admin can revoke any seat in under 30 seconds.
- →Clerk auth (SOC 2 Type II)
- →MFA required on admin
- →SSO: Scale / Enterprise
Incident response
Published RTO 4 hours, RPO 1 hour. Breach notification within 72 hours per UK GDPR Article 33. status.intelforce.ai is the single source of truth for live incidents.
- →RTO: 4 hours
- →RPO: 1 hour
- →Breach notification: 72 hours
Compliance roadmap
GDPR-ready today. SOC 2 Type II in progress (target: late 2026). ISO 27001 in scope for 2027 once SOC 2 is complete. We do not claim compliance with any standard until the audit is in our hands — happy to share the roadmap and current state on call.
- →GDPR-ready today
- →SOC 2 Type II in progress
- →ISO 27001 scoped for 2027
Sub-processors
Full sub-processor list maintained on our public sub-processors page. Customers notified 30 days before any addition.
- →Anthropic (Claude inference, UK-EU bridge)
- →Cloudflare (UK edge, WAF)
- →AWS (UK region, encrypted backups)
- →Resend (UK, transactional email)
- →Stripe (UK)
DOCUMENTS · ON REQUEST
Pre-signed standard contract for processor relationship.
Live page; 30-day notification on additions.
1-pager for procurement DD.
Email security@intelforce.ai with your procurement-DD requests. Average turnaround: 24 hours.