Trust & Security

How we protect the data you trust us with.

ROPAi is a compliance tool. We treat the controls on our own platform the way we expect you to treat yours — documented, evidenced, reviewable.

● EU-hosted (Ireland) ● Encryption at rest and in transit ● 72-hour breach notification SLA ● ROPAi Ltd · Co. no. 17127400
Last reviewed: 26 April 2026

Need our DPA, sub-processor list, or security one-pager? Email [email protected]

At a glance

The shortest version of our security and trust posture. Each item is explained in detail below.

  • Data residency: EU — Ireland. Primary data store hosted in Supabase EU-West. Customer data does not leave the EU for primary storage.
  • Encryption: At rest & in transit. AES-256 at rest. TLS 1.2+ in transit. Database access is authenticated and scoped per tenant.
  • Access model: Row-level isolation. Postgres Row Level Security enforces organisation boundaries. Roles mapped to organisation membership.
  • Breach notification: Within 72 hours. We will notify affected controllers within 72 hours of becoming aware of a confirmed personal data breach.
  • Data retention: Customer-controlled. You own your records. We retain data while your subscription is active and for a defined wind-down window after.
  • AI model: Claude (Anthropic). Claude Sonnet for ROPA interviews, Claude Opus for legal drafting. No customer data is used to train models.

Hosting & infrastructure

ROPAi is a single-file web application backed by managed EU infrastructure. We have deliberately chosen a small, audited set of providers.

Primary components

  • Database & authentication: Supabase (Postgres + Auth + Storage), hosted in EU-West (Dublin, Ireland). All customer data is stored here.
  • Application hosting: Netlify, serving the web app and serverless functions used for checkout verification, billing portal generation, and DSAR intake analysis.
  • AI processing: Anthropic Claude API, called server-side. Prompts are transmitted over TLS; we use ephemeral prompt caching and we do not enable any training or data-sharing options on our account.
  • Payments: Stripe Checkout + Billing Portal. Card data never touches ROPAi systems. We store only the minimum Stripe customer and subscription identifiers needed to reconcile your plan.

Provider assurance

We distinguish between the assurances held by our infrastructure providers and the certifications held by ROPAi itself. We do not present a provider's certification as if it were our own.

  • Current position: ROPAi is hosted on enterprise infrastructure providers including Supabase, Netlify, and Stripe. Those providers maintain their own security and compliance programmes, which form part of the control environment we rely on today.
  • What this means in practice: When a buyer asks about hosting assurance, we can point to the certifications and control posture of the platforms that store, authenticate, and serve customer data.
  • What we will not do: We will not describe ROPAi itself as ISO/IEC 27001 certified unless ROPAi Ltd has completed its own certification and external audit.
  • How we describe this externally: ROPAi currently relies on managed infrastructure with established security certifications while we build our own assurance programme and evaluate ISO/IEC 27001 as the business scales.

Sub-processors

Complete list of third parties that may process customer personal data on our behalf. We will notify customers of any material change at least 30 days before it takes effect.

| Sub-processor | Purpose | Data location | Status |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage. Primary data store for ROPA entries, DSAR cases, DPIA records, audit trail, organisation membership. | Ireland (EU) | Core |
| Netlify, Inc. | Web hosting & serverless. Static site delivery and Netlify Functions for Stripe verification, billing portal, and AI intake routing. | EU region (edge) + US origin failover | Core |
| Anthropic, PBC | Claude LLM API. AI-generated ROPA drafting, DPIA screening suggestions, and DSAR classification. Prompts are server-side only. | United States (with SCCs & UK addendum) | Core |
| Stripe Payments Europe Ltd. | Billing & payments. Subscription billing, checkout, and self-service customer portal. Card details handled by Stripe only. | Ireland (EU) | Core |

Security controls

The controls we have in place today. Our first independent audit will be published in line with the roadmap below.

  • Encryption: AES-256 at rest across Supabase-managed storage. TLS 1.2+ for all traffic.
  • Tenant isolation: Postgres Row Level Security policies scope every query to the authenticated user's organisation membership. Cross-tenant reads are blocked at the database layer.
  • Authentication: Email magic link and email + password via Supabase Auth. Session JWTs are short-lived and rotated. SSO (SAML / OIDC) available on Enterprise plans — on roadmap.
  • Soft deletes & audit: Records are soft-deleted with a deleted_at timestamp. Changes are written to an activity log for audit reconstruction.
  • Least privilege: A single team member has production database access. Production secrets are stored in Netlify env vars; never in source control.
  • Dependency hygiene: Dependabot enabled on both repositories. We avoid third-party JavaScript on customer-facing surfaces beyond core fonts.
  • Logging: Request and error logs are retained with access restricted to engineering. Logs exclude customer record content.
  • Backups: Supabase point-in-time recovery for the primary database. Full daily snapshots retained for 7 days on our current plan.

AI data handling

AI is useful for privacy teams only if you can defend how it processes your data. This is the posture.

What goes to the model

  • The ROPA interview sends the supplier name, purpose, and user-typed answers to Claude Sonnet to draft Article 30 fields.
  • The DSAR intake analyser sends user-pasted inbound email text to Claude to classify request type, extract requester details, and recommend a template.
  • The DPIA screening uses Claude Opus to suggest risks and mitigations based on the processing activity.

What we guarantee

  • No training on your data. We use Anthropic's API with no data-sharing or training options enabled. Anthropic's API terms confirm customer prompts are not used to train their models.
  • Server-side only. Prompts are sent from our Netlify Functions using our API key — never from the browser. No third-party AI script runs on the user's page.
  • No logging of prompt content beyond what is needed for error diagnosis. Request metadata is retained for up to 30 days.
  • Opt-out available. Customers on Growth and above can disable AI features entirely in Settings. The manual flows remain fully functional without AI.

Breach notification & incident response

The commitment we make to you as a controller.

  • 72-hour notification SLA. If we become aware of a confirmed personal data breach affecting your organisation, we will notify your named privacy contact within 72 hours.
  • What the notice contains. Nature of the breach, categories and approximate number of records affected, measures taken or proposed, and a direct contact for follow-up.
  • Incident log. All incidents — including near-misses that did not reach the notification threshold — are logged internally and reviewed quarterly.
  • Security contact: [email protected] for responsible disclosure, incident reports, and security questionnaires.

Certifications roadmap

We are an early-stage company and we are being explicit about what we hold today versus what is on the way. Provider certifications support our current hosting posture, but no ROPAi certification badge is claimed before it is awarded to ROPAi Ltd itself.

  • Q1 2027: Cyber Essentials Plus (Planned). UK NCSC-aligned baseline control set. Implementation work begins early 2027 as part of our security assurance roadmap.
  • Q4 2027: ISO/IEC 27001:2022 (Planned). Full ISMS implementation with external audit. Sequenced after Cyber Essentials Plus.
  • Q2 2028: SOC 2 Type I (Planned). Trust Services Criteria: Security, Availability, Confidentiality.
  • Q4 2028: SOC 2 Type II (Planned). Operating effectiveness over a review period.

Dates are targets, not commitments. We will publish evidence as each milestone is achieved and update this page in public.

Sector framework alignment

Certifications sit alongside sector-specific frameworks. We are actively mapping ROPAi’s evidence surfaces to the frameworks our customers are accountable to.

  • NHS / Public sector: DSPT & NCSC CAF alignment (In discovery). Mapping ROPAi’s ROPA, DPIA and DSR evidence to Data Security and Protection Toolkit assertions and Cyber Assessment Framework outcomes. In discovery with NHS / public-sector advisors.
  • Financial services: FCA Consumer Duty & operational resilience (Planned). Surface mappings from ROPA entries and DPIAs to Consumer Duty vulnerability assessments and operational resilience evidence.
  • EU AI Act: FRIA & Annex III support (Planned). Fundamental Rights Impact Assessment scaffolding for high-risk AI systems, aligned to the DPIA workflow.

If you operate under a sector framework we have not listed, email [email protected] and we’ll tell you honestly whether we can map to it today.

Your rights as a data subject

ROPAi is a processor for the customer data you upload to us. For your account data (your name, email, organisation), ROPAi Ltd is the controller. You can exercise your UK GDPR rights by emailing [email protected].

Need our DPA for vendor assessment?

We provide a Data Processing Agreement to every paying customer on request. Click below and we will send you the current template within one business day.

Request DPA →

Controller / company details