trust.
where data lives. who can touch it. how to report a security issue.
/01 where data lives
uk-first by default.
Customer data stays as close to the customer as possible. No cross-border movement without explicit, contracted instruction.
- theDL - ingestion, storage and query infrastructure within UK jurisdiction.
- sortit - runs entirely on the user's macOS device. No audio, no metadata, no telemetry leaves the device.
/02 sub-processors
everyone with access to operational data.
The full list, no omissions.
- Cloudflare (global edge) - edge protection, contact form intake (Workers), bot defence (Turnstile)
- Google Cloud (multi-region) - static hosting (Firebase) for all problem lab family sites
- Resend (us) - notification email for contact form submissions
- Google Workspace (eu) - inbox for inbound contact email
- Plausible Analytics (eu) - cookieless web analytics. No personal data collected.
- Namecheap (us) - domain registrar and authoritative DNS
Changes to this list are notified to customers under active contract before they take effect.
/03 how it's protected
encryption, access, deletion.
- in transit - tls 1.3 on every public endpoint.
- at rest - aes-256 for application data; full-disk encryption on host infrastructure.
- backups - encrypted, uk-region, 30-day rolling retention.
- access - production is single-operator. Credentials are hardware-key protected.
- deletion - data subject deletion requests honoured within 30 days.
/04 security disclosure
found something? tell us.
Security issues, suspected vulnerabilities and incident reports are acknowledged within 24 hours under a responsible-disclosure policy.
security contact
Use the contact widget for vulnerability reports, security questions, or incident notifications.