Security & Trust
Hemera Intelligence Ltd · Last updated: [pending — effective date] · Version 1.0
1. Data hosting
HemeraScope application data is stored in a managed PostgreSQL database hosted by Render, Inc. in their Oregon (US) data centre. We acknowledge that US hosting introduces international transfer considerations under UK GDPR; appropriate safeguards are detailed in our Privacy Policy (Section 5 — International transfers).
Our frontend is hosted on Vercel, Inc., which operates a global CDN with EU data residency options available. Static assets and page requests are served from edge locations closest to the user.
2. Encryption
- In transit: All connections to HemeraScope are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
- At rest: Database storage is encrypted using AES-256, which is the standard for managed PostgreSQL providers. Backups are also encrypted at rest.
3. Authentication
User authentication is managed by Clerk, Inc. (SOC 2 Type II certified). Clerk provides:
- Multi-factor authentication (MFA) support
- Secure session token management
- Brute-force and credential-stuffing protections
- Role-based access control (RBAC) integration
4. Access control
HemeraScope enforces role-based access control with the following principles:
- Roles: Admin and Client, with permissions scoped to the minimum required for each role
- Principle of least privilege: Team members and systems are granted only the access necessary for their function
- Client data isolation: Each client's data is logically separated; clients cannot access another organisation's data
5. Data retention
- Client data: Retained for the duration of the engagement plus 12 months, after which it is deleted or returned in accordance with our contractual commitments
- Anonymised supplier data: Irreversibly anonymised and aggregated statistical data is retained indefinitely for benchmarking and methodology improvement, as described in our Privacy Policy (Section 11)
- Security logs: Retained for 12 months
6. Incident response
In the event of a personal data breach, we will notify affected clients within 72 hours of confirming the breach, in line with UK GDPR Article 33. Our incident response process includes:
- Immediate containment and assessment of the breach
- Notification to the ICO where required (within 72 hours)
- Notification to affected clients with details of the breach, its likely impact, and remediation steps
- Post-incident review and implementation of preventive measures
7. Certifications and registrations
- Cyber Essentials: We are pursuing Cyber Essentials certification (expected [pending — date])
- ICO registration: Hemera Intelligence Ltd is registered with the Information Commissioner's Office. Registration number: [pending — ICO number]
8. Sub-processors
A full list of our sub-processors, including the data they process and their hosting locations, is available on our Sub-processor List. We notify clients of changes to this list at least 30 days in advance.
9. Responsible disclosure
If you discover a security vulnerability in HemeraScope, please report it responsibly to security@[pending — domain]. We ask that you:
- Do not access or modify other users' data
- Do not publicly disclose the vulnerability before we have addressed it
- Provide sufficient detail for us to reproduce and fix the issue
We will acknowledge your report within 3 working days and aim to resolve confirmed vulnerabilities promptly.
10. Contact
For security-related enquiries, contact us at security@[pending — domain].