Security & Data Protection
Construction compliance records are sensitive. Here’s how we protect them.
UK Data Residency
All project data is stored in UK-based infrastructure. Database hosted on Neon (London region). PDF generation runs in London.
Encryption
Data encrypted in transit (TLS 1.2+) and at rest (AES-256). No unencrypted data leaves our infrastructure.
ICO Registered
Registered with the Information Commissioner’s Office. Registration ZC118367
GDPR Compliant
Full compliance with UK GDPR and Data Protection Act 2018. Data Processing Agreements with all sub-processors.
Authentication & access control
User authentication is managed by Clerk, an enterprise-grade identity platform. Sessions are secured with short-lived tokens. Each user can only access their own organisation’s data — there is no cross-tenant data access.
Infrastructure
- Application hosting — Vercel (serverless compute, automatic scaling, DDoS protection)
- Database — Neon PostgreSQL with connection pooling, automated backups, and point-in-time recovery
- File storage — Vercel Blob for generated PDFs and uploaded documents
- PDF generation — Gotenberg, self-hosted in the London region with no external network access
- Payments — Stripe (PCI DSS Level 1 certified). We never see or store card numbers.
Sub-processors
We share data only with the processors necessary to operate the service. All are bound by Data Processing Agreements.
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel | Hosting & compute | UK/EU regions | EU SCCs, DPA |
| Neon | Database | London | EU SCCs, DPA |
| Clerk | Authentication | EU/US | EU SCCs, DPA |
| Stripe | Payments | EU/US | PCI DSS L1, EU SCCs |
| Vercel Blob | File storage | UK/EU | EU SCCs, DPA |
| Resend | Email delivery | US | EU SCCs, DPA |
| Gotenberg | PDF generation | London (self-hosted) | No external access |
| Google Analytics | Website analytics | EU/US | Consent Mode v2 |
| PostHog | Product analytics | Frankfurt | EU hosting |
Data retention
CDM documents, worker sign-off records, incident logs, and permits are retained for 6 years after project completion, in line with UK construction and employment law. AI processing logs are deleted after 90 days. You can delete your entire account and all associated data at any time from your account settings.
For full retention schedules, see our Privacy Policy.
Breach notification
In the event of a data breach that poses a risk to individuals, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.
Your data, your control
- Export — download your documents as PDFs at any time
- Delete — delete your account and all data instantly from Settings
- Access requests — contact privacy@thesitebook.co.uk for a copy of your data
Regulatory
| Detail | Value |
|---|---|
| Company | REDCLAN VENTURES LTD |
| Company number | 17142372 |
| ICO registration | ZC118367 |
| Jurisdiction | England and Wales |
| Data protection contact | privacy@thesitebook.co.uk |
Questions?
If you have questions about our security practices, or need information for a procurement review, contact hello@thesitebook.co.uk.