Your data. Our responsibility.
FosterCore processes Special Category Data under UK GDPR. We treat security as the foundation of everything we build, not an afterthought.
Data residency
All data is stored and processed exclusively within the United Kingdom. Our primary database runs on Supabase PostgreSQL locked to the eu-west-2 (London) AWS region. Serverless functions execute on Vercel Edge within the lhr1 (London) zone. No data leaves the UK/EEA under any circumstances without explicit written consent from the Data Controller.
Encryption
At rest: All data is encrypted using AES-256 encryption at the storage layer. Database backups are encrypted and stored in the same regional boundary.
In transit: All connections use TLS 1.3. API endpoints enforce HTTPS-only with HSTS headers. Internal service-to-service communication uses mTLS where applicable.
Authentication & access control
User authentication is handled by Clerk, a SOC 2 Type II compliant identity platform. We support SSO, multi-factor authentication (MFA), and role-based access control (RBAC) with four scoped permission levels: Admin, Manager, Social Worker, and Read-Only. All authentication events are logged in an immutable audit trail.
Audit trails
Every database transaction (record view, edit, creation, deletion) is logged with the acting user, timestamp, IP address, and SHA-256 hash of the payload. Audit logs are append-only and cannot be modified or deleted by any user, including administrators. This is critical for LADO investigations and Ofsted evidence requirements.
Regulatory alignment
FosterCore is designed to operate within the Fostering Services (England) Regulations 2011, the Care Standards Act 2000, and the Children Act 1989. Our data retention policies comply with Schedule 3 requirements including the 75-year archival obligation for looked-after children records.
Sub-processors
We use a minimal set of vetted sub-processors, all with UK/EEA data handling:
Supabase (PostgreSQL)
Primary database. Locked to eu-west-2 (London). AES-256 encryption at rest. Point-in-time recovery.
Vercel
Application hosting and edge functions. Execution zone: lhr1 (London). SOC 2 Type II certified.
Clerk
Authentication and identity. SOC 2 Type II certified. MFA, SSO, and session management.
Google Gemini (AI)
AI features (board reports, supervision prep, search). Data is not used for model training. UK processing available.
Incident response
In the event of a confirmed personal data breach, we notify the Data Controller within 48 hours, ensuring you have sufficient time to meet the ICO's 72-hour reporting threshold. Our incident response plan includes: immediate containment, forensic analysis, Controller notification, remediation, and a post-incident review shared with the affected agency.
Penetration testing
We conduct annual third-party penetration tests. Results and remediation reports are available to Enterprise customers upon request under NDA. We also run continuous automated vulnerability scanning via Vercel's infrastructure monitoring.
Need our security documentation?
We can provide our full security pack including DPA, DPIA template, sub-processor list, and technical architecture overview. Available for all prospective customers.