Security & Compliance

Your data. Our responsibility.

FosterCore processes Special Category Data under UK GDPR. We treat security as the foundation of everything we build, not an afterthought.

Data residency

All data is stored and processed exclusively within the United Kingdom. Our primary database runs on Supabase PostgreSQL locked to the eu-west-2 (London) AWS region. Serverless functions execute on Vercel Edge within the lhr1(London) zone. No data leaves the UK/EEA under any circumstances without explicit written consent from the Data Controller.

Encryption

At rest: All data is encrypted using AES-256 encryption at the storage layer. Database backups are encrypted and stored in the same regional boundary.

In transit: All connections use TLS 1.3. API endpoints enforce HTTPS-only with HSTS headers. Internal service-to-service communication uses mTLS where applicable.

Authentication & access control

User authentication is handled by Clerk, a SOC 2 Type II compliant identity platform. We support SSO, multi-factor authentication (MFA), and role-based access control (RBAC) with four scoped permission levels: Admin, Manager, Social Worker, and Read-Only. All authentication events are logged in an immutable audit trail.

Audit trails

Every database transaction — record view, edit, creation, deletion — is logged with the acting user, timestamp, IP address, and SHA-256 hash of the payload. Audit logs are append-only and cannot be modified or deleted by any user, including administrators. This is critical for LADO investigations and Ofsted evidence requirements.

Regulatory alignment

UK GDPRData Protection Act 2018SCCIF 2025 AlignedISO 27001 AlignedCyber Essentials

FosterCore operates in strict alignment with the Data Protection Act 2018 and UK GDPR rules for processing Special Category social care records. We support statutory frameworks across all UK home nations:

  • England: Fostering Services (England) Regulations 2011 (Schedule 3 case files, Regulation 36 Schedule 7 notifications, and NMS 26 75-year record retention rules).
  • Wales: Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, Welsh National Minimum Standards, and CIW inspection audit parameters.
  • Scotland: Looked After Children (Scotland) Regulations 2009 (Regulation 28 mandatory 25-year record retention for terminated carer files) and Care Inspectorate standards.
  • Northern Ireland: Foster Placement Regulations (Northern Ireland) 2025 and RQIA statutory minimum care standards.

Sub-processors

We use a minimal set of vetted sub-processors, all with UK/EEA data handling:

Supabase (PostgreSQL)

Primary database. Locked to eu-west-2 (London). AES-256 encryption at rest. Point-in-time recovery.

Vercel

Application hosting and edge functions. Execution zone: lhr1 (London). SOC 2 Type II certified.

Clerk

Authentication and identity. SOC 2 Type II certified. MFA, SSO, and session management.

Google Gemini (AI)

AI features (board reports, supervision prep, search). Data is not used for model training. UK processing available.

Incident response

In the event of a confirmed personal data breach, we notify the Data Controller within 48 hours — ensuring you have sufficient time to meet the ICO's 72-hour reporting threshold. Our incident response plan includes: immediate containment, forensic analysis, Controller notification, remediation, and a post-incident review shared with the affected agency.

Penetration testing

We conduct annual third-party penetration tests. Results and remediation reports are available to Enterprise customers upon request under NDA. We also run continuous automated vulnerability scanning via Vercel's infrastructure monitoring.

Need our security documentation?

We can provide our full security pack including DPA, DPIA template, sub-processor list, and technical architecture overview. Available for all prospective customers.

Request Security Pack →