Security & Trust

Your business data and your customers' personal information deserve serious protection. Here is exactly what we do to keep it safe.

🔒 TLS 1.3 encryption · 🇬🇧 UK ICO registered · 💳 PCI DSS via Stripe · 🇪🇺 EU data residency · 📋 GDPR compliant · 🔐 2FA on all accounts

How we protect your data

Encryption everywhere

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Your database, file storage, and backups are all encrypted; keys are managed separately from the data they protect.

GDPR compliant

We are registered with the UK Information Commissioner's Office (ICO registration ZB456123). We process personal data only on the lawful bases described in our Privacy Policy, and we never sell customer data.

UK and EU infrastructure

Your data is stored in Supabase's EU-West (Ireland) region. Backups are retained for 30 days. We do not store any customer data on servers outside the UK/EU.

Access controls

Trade2Base staff access to customer data is role-based and logged. Production database access requires two-factor authentication and is restricted to a named list of engineers. We conduct quarterly access reviews.

Audit logging

All significant actions (logins, data exports, permission changes, API access) are logged with timestamps and IP addresses. Logs are retained for 12 months and can be provided to customers on request.

Payment security

We use Stripe for all payment processing. Trade2Base never stores card numbers, CVV codes, or full payment details. Stripe is a PCI DSS Level 1 certified service provider, the highest level of payment security certification.

Responsible disclosure

If you believe you have found a security vulnerability in Trade2Base, please disclose it responsibly. Email security@trade2base.com with a description of the issue, steps to reproduce, and any evidence. We aim to acknowledge all reports within 24 hours and resolve confirmed vulnerabilities within 30 days.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We do not currently operate a bug bounty programme, but we are grateful to every researcher who helps keep our platform secure.

Sub-processors

These are the third-party services Trade2Base uses to deliver the product. Each is bound by a data processing agreement that meets GDPR requirements.

Processor | Location
Supabase | EU (Ireland)
Stripe | EU / USA
OpenAI | USA
Twilio | USA (EU data residency)
Vercel | EU
Meta | EU / USA
Google | EU / USA

Your data rights

Under UK GDPR, you and your customers have the following rights. To exercise any of these, contact privacy@trade2base.com.

Right to Access

Request a copy of all personal data we hold about you or your customers

Right to Rectification

Correct any inaccurate personal data we hold

Right to Erasure

Request deletion of your account and associated data

Right to Portability

Export your data in CSV format from Settings at any time

Right to Restriction

Restrict processing while a dispute is resolved

Right to Object

Object to processing based on legitimate interests

Data retention

Account data (profile, business details) | Duration of subscription + 90 days after cancellation
Customer records (jobs, quotes, invoices) | 6 years (UK Companies Act requirement for financial records)
Uploaded photos and documents | Duration of subscription + 30 days
Message logs (WhatsApp, SMS, email) | 2 years
Security and audit logs | 12 months
Payment records | 7 years (HMRC VAT record requirement)

Security contacts

Vulnerability reports: security@trade2base.com

Data protection queries: privacy@trade2base.com

General security questions: support@trade2base.com

UK ICO registration: ZB456123 · Data Protection Officer: dpo@trade2base.com