Overview
Encrypted everywhere
TLS 1.2+ in transit, AES-256 at rest. No exceptions, no plaintext fallbacks.
Hosted in the EU
Google Cloud europe-west2 (London). Backups stay inside the EU.
Least-privilege access
Just-in-time production access, hardware MFA, audited admin actions.
Secure SDLC
Mandatory review, automated checks, weekly dependency updates, annual pentest.
Logged & monitored
Structured logs with PII redaction, real-time alerts, public status page.
Incident-ready
<5min on-call, 72-hour breach notification, blameless post-mortems.
Below: how each of those pillars actually works, in enough detail for a security reviewer to tick boxes. If you need an SOC 2 Type II report, a copy of our penetration-test summary, or a signed Data Processing Addendum, email [email protected].
Infrastructure & hosting
- Primary region: Google Cloud europe-west2 (London). Backups are replicated within the EU.
- Provider: Google Cloud Platform — ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS, FedRAMP Moderate, and more.
- Compute: Firebase Functions (Cloud Run) — managed, auto-patched, auto-scaling. No SSH access required or possible.
- Datastore: Firestore (multi-region replication for durability).
- Object storage: Cloud Storage with uniform bucket-level access and private-by-default ACLs.
- CDN & edge: Firebase Hosting in front of all browser traffic, with global edge caches and automatic TLS.
Data protection
In transit
- TLS 1.2 or higher for every external connection. TLS 1.3 preferred.
- HSTS with preload and a 2-year max-age.
- Strict modern cipher suites; legacy protocols disabled at the edge.
At rest
- AES-256 encryption for all customer data, applied automatically by GCP.
- Stripe handles cardholder data; we never see, store, or transmit a primary account number.
- Secrets (API keys, OAuth tokens) are stored in Google Secret Manager and decrypted only at request time within the function runtime.
Backups
- Firestore is backed up daily with 30-day retention. Backups are encrypted at rest and access-restricted.
- Restore drills are run at least quarterly; restore-to-clean-environment time objective is 4 hours.
Access control
For your team
- Sign-in is passwordless: a one-time code sent to your work email, hashed with Argon2id before it ever touches storage.
- SSO (SAML, OIDC) and SCIM provisioning available on the Forest plan.
- Workspace roles (owner, admin, member, viewer) enforce least privilege. Audit log entries are written for every privileged action.
- API keys are scoped, rotatable, and shown to you only once at creation time.
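The two credential types above, as an added example that is not GenieOS's own code: a one-time sign-in code stored only as a memory-hard hash (low entropy, so brute force against a leaked datastore must be slow), and an API key stored only as a fast hash and shown once (high entropy, so a fast hash is enough and a memory-hard KDF would just slow every request). `hashlib.scrypt` stands in for the Argon2id the page describes; `argon2-cffi`'s `PasswordHasher` would be the drop-in. The TTL, attempt limit, `gk_` key prefix and record layout are assumptions.

```python
"""Added example, not GenieOS code. scrypt stands in for Argon2id; the
constants and record layout below are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 600                   # assumed: a code lives 10 minutes
MAX_ATTEMPTS = 5                         # assumed: lock after 5 wrong guesses
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # memory-hard, ~16 MiB per hash
API_KEY_PREFIX = "gk_"                   # assumed prefix, recognisable in logs/scanners


def _kdf(code: str, salt: bytes) -> bytes:
    # A 6-digit code has only 10^6 possibilities, so the stored hash must be
    # expensive to compute or a leaked record is trivially brute-forced.
    return hashlib.scrypt(code.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)


def issue_code(email: str, now: Optional[float] = None) -> tuple[str, dict]:
    """Return (plaintext code to email, record to persist).
    Only the record is stored; the plaintext exists only in the email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    salt = os.urandom(16)
    record = {
        "email": email,
        "salt": salt,
        "hash": _kdf(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, record


def verify_code(record: dict, submitted: str, now: Optional[float] = None) -> bool:
    """Single-use, expiring, attempt-limited check. Mutates record."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(_kdf(submitted, record["salt"]), record["hash"])
    if ok:
        record["used"] = True  # burn the code on first success
    return ok


def issue_api_key(scopes: list[str]) -> tuple[str, dict]:
    """Return (plaintext key shown once, record to persist).
    32 random bytes give ~256 bits of entropy, so SHA-256 is sufficient."""
    key = API_KEY_PREFIX + secrets.token_urlsafe(32)
    record = {
        "key_id": key[: len(API_KEY_PREFIX) + 8],  # lookup handle, not a secret
        "hash": hashlib.sha256(key.encode()).hexdigest(),
        "scopes": sorted(scopes),
        "revoked": False,
    }
    return key, record


def authenticate_api_key(record: dict, presented: str, needed_scope: str) -> bool:
    """Constant-time hash comparison, then scope check (revocation first)."""
    if record["revoked"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["hash"]):
        return False
    return needed_scope in record["scopes"]
```

The code record is mutated on every attempt so the attempt counter survives even when the guess is wrong; in a real deployment the record would be written back transactionally, since two concurrent guesses must not both read `attempts == 4`.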
For our team
- Production access is restricted to a small on-call rota; granted just-in-time and audited.
- All staff devices require full-disk encryption, mandatory OS updates, screen lock after at most 5 minutes idle, and EDR.
- Mandatory hardware-backed MFA (FIDO2 / WebAuthn) on every administrative interface.
- Access reviews quarterly; offboarding cuts access within 1 hour.
Application security
- Defence in depth: request authentication, authorisation, input validation (zod schemas server-side), and rate limiting on every external endpoint.
- Secure SDLC: mandatory code review, automated linting, and CI checks before any change reaches production.
- Dependency hygiene: automated weekly dependency updates with vulnerability scanning. Critical CVEs patched within 72 hours.
- Browser headers: strict CSP, X-Content-Type-Options, Referrer-Policy, and Strict-Transport-Security on every response.
- Email auth: we sign every outbound message with DKIM and require SPF + DMARC for your sending domains.
- Penetration testing: independent third-party penetration test at least annually; remediation is tracked to closure.
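A checker for the header posture described under "In transit" (HSTS with preload and a 2-year max-age) and in the browser-headers bullet above, as an added example rather than the project's own code. The two header sets are constructed; the max-age threshold is the page's own figure, and the preload list additionally requires the `includeSubDomains` and `preload` directives.

```python
"""Added example, not GenieOS code: audit an HTTP response's security
headers against the posture this page describes. Sample headers are constructed."""

TWO_YEARS = 63_072_000  # the page's stated HSTS max-age, in seconds
STRONG_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers: dict) -> list[str]:
    """Return findings (empty list = clean). Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(hsts)
        raw = d.get("max-age", "")
        max_age = int(raw) if raw.isdigit() else 0
        if max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} < {TWO_YEARS}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in d:
            findings.append("HSTS lacks preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("CSP has no default-src")
        # A CSP that permits inline or wildcard script sources is not "strict".
        for name in ("default-src", "script-src"):
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in directives.get(name, []):
                    findings.append(f"CSP {name} allows {bad}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    rp = h.get("referrer-policy", "").lower()
    if rp not in STRONG_REFERRER:
        findings.append(f"Referrer-Policy weak or missing: {rp!r}")
    return findings


# Constructed sample responses: one that fails the page's bar, one that meets it.
WEAK = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(hdrs) or "clean")
```

Run it against a live response by feeding `dict(requests.head(url).headers)` (or the equivalent from any HTTP client); the TLS version and cipher-suite claims are checked separately at the socket layer, not from headers.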
Operations & monitoring
- Centralised structured logging with PII redaction at the source.
- Real-time error tracking with alerts to the on-call engineer.
- Synthetic uptime checks every 60 seconds from multiple regions.
- Service-level health is published live on our status page.
- We aim for 99.9% monthly uptime on the production API and web app. Service credits are available on request when we miss it.
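Redaction at the source, as an added example that is not the project's logging code: a `logging.Formatter` that scrubs email addresses, bearer tokens and API keys from free text and drops known-secret fields before the JSON line is emitted, so no transport or sink ever receives the raw value. Emails are replaced with a keyed pseudonym so on-call engineers can still group one user's events. The field names, the `gk_` key prefix and the pepper are assumptions; the sample records are constructed.

```python
"""Added example, not GenieOS code: PII redaction before a structured log
record leaves the process. Field names, key prefix and pepper are assumed."""
import hashlib
import hmac
import json
import logging
import re
from typing import Optional

# Assumed: a per-deployment pepper (kept in Secret Manager in practice) so the
# pseudonym is stable within this service but cannot be reversed or joined.
PEPPER = b"example-pepper-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")
API_KEY_RE = re.compile(r"\bgk_[A-Za-z0-9_-]{20,}\b")  # assumed key prefix
SENSITIVE_KEYS = {"password", "code", "token", "authorization", "api_key", "cookie"}


def pseudonymise_email(addr: str) -> str:
    """Keyed hash: lets operators correlate a user's events without seeing who."""
    tag = hmac.new(PEPPER, addr.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"email:{tag}"


def redact_text(s: str) -> str:
    """Scrub secrets and PII from free text; order matters so that a
    redacted token is never re-matched as something else."""
    s = BEARER_RE.sub("Bearer [REDACTED]", s)
    s = API_KEY_RE.sub("gk_[REDACTED]", s)
    return EMAIL_RE.sub(lambda m: pseudonymise_email(m.group(0)), s)


def redact(value):
    """Recursively redact a JSON-like structure: secret keys are dropped
    outright, strings are scrubbed, other scalars pass through."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


class RedactingJsonFormatter(logging.Formatter):
    """One JSON object per line, redacted before any handler writes it."""

    def format(self, record: logging.LogRecord) -> str:
        payload = {"level": record.levelname, "msg": redact_text(record.getMessage())}
        ctx = getattr(record, "ctx", None)  # attached via logger.info(..., extra={"ctx": {...}})
        if ctx:
            payload["ctx"] = redact(ctx)
        return json.dumps(payload, sort_keys=True)


def build_logger(name: str = "genie") -> logging.Logger:
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingJsonFormatter())
    logger.handlers[:] = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def log_line(msg: str, ctx: Optional[dict] = None) -> dict:
    """Format a record exactly as the handler would and parse it back."""
    record = logging.LogRecord("genie", logging.INFO, __file__, 0, msg, None, None)
    record.ctx = ctx
    return json.loads(RedactingJsonFormatter().format(record))


if __name__ == "__main__":
    # Constructed sample: the kind of line a careless handler would leak.
    log = build_logger()
    log.info("login for alice@example.com", extra={"ctx": {
        "code": "123456",
        "headers": {"Authorization": "Bearer eyJhbGciOi.example"},
        "note": "key gk_abcdefghijklmnopqrstuvwxyz123 was used",
    }})
```

Redacting inside the formatter rather than at the log sink is the point: a crash dump, a debug handler added in a hurry, or a third-party error tracker all see the same scrubbed record.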
Incident response
- On-call engineer is paged within 5 minutes of a production-impacting alert.
- We follow a documented incident response playbook with assigned roles (incident commander, comms lead, scribe).
- We will notify affected customers within 72 hours of confirming a personal data breach involving their data. As a processor we tell the controller about every breach (UK GDPR Art. 33(2)); the "likely to result in a risk to the rights and freedoms of individuals" test in Art. 33(1) is yours to apply when deciding whether to notify the ICO within your own 72-hour window. Where you're the controller for the affected data, you also remain responsible for any notifications to your end-users (Art. 34).
- A blameless post-mortem is published internally for every Sev-1 / Sev-2 incident within two weeks. Customer-facing summaries are posted on the status page.
People & process
- Background checks for everyone with access to production.
- Annual security and privacy training for all staff, with role-specific deep dives for engineers.
- Confidentiality clauses in every employment and contractor agreement.
- Documented onboarding/offboarding checklist; access changes are auditable.
Business continuity
- RPO (Recovery Point Objective): 24 hours.
- RTO (Recovery Time Objective): 4 hours for the production API.
- Tabletop disaster-recovery exercises at least once a year, including loss of primary region.
- Critical sub-processors (see list) are evaluated annually for their own continuity posture.
Compliance posture
We're a young company. Where we don't yet hold a certification, we run our controls to the relevant framework anyway. Current state:
- UK GDPR & EU GDPR: Data Processing Addendum available; Standard Contractual Clauses + UK IDTA in place with all relevant sub-processors.
- SOC 2 Type II: in progress for FY26. Controls implemented; audit window underway.
- ISO 27001: roadmap item for FY27.
- HIPAA / PCI DSS: we are not a covered entity and we don't process cardholder data ourselves. Don't use GenieOS to email Protected Health Information.
Vulnerability disclosure
We welcome reports from the security community. If you believe you've found a vulnerability:
- Email [email protected] with a clear description, reproduction steps, and the impact you've observed.
- Encrypt sensitive details with our PGP key (fingerprint published on request).
- Give us a reasonable window to investigate and fix before public disclosure (typically 90 days).
- Don't access, modify, or download data that doesn't belong to you. Don't run automated scanners against production without written permission.
We don't currently run a paid bug-bounty programme, but we will publicly credit researchers who follow this policy, and we will acknowledge every report within two business days.
Reporting a security issue
Security & vulnerability reports: [email protected]
Privacy & data subject requests: [email protected]
Abuse, spam, phishing reports: [email protected]