Security & Compliance

We know the data you're trusting us with is some of the most sensitive there is.

Here's exactly how we protect it.

Hosted in the EU

Your data never leaves the European Union.

Encrypted end-to-end

At rest with AES-256 and in transit with TLS 1.2+.

GDPR-compliant by design

Built around the rights of children and parents.

Where your data lives

All Safeguard data is hosted in the European Union. It never leaves the EU region, and we don't transfer personal data to third countries. Our infrastructure runs on enterprise-grade cloud providers with ISO 27001 and SOC 2 certifications.

How your data is protected

  • Encrypted in transitAll connections use TLS 1.2 or higher.
  • Encrypted at restEvery database, backup, and file is encrypted using AES-256. Sensitive fields — medical notes and emergency contact details — are encrypted individually at the field level, so the underlying data is unreadable without the encryption key even with direct database access.
  • Access controlsGranular role-based permissions mean leaders only see what they need to.
  • Audit logsEvery authenticated action is automatically logged — including who did it, when, and what changed. The actor's identity is captured as a point-in-time snapshot, so audit records remain accurate even if someone later changes their email address.
  • Emergency access auditingAccessing a member's emergency medical information creates a distinct audit record, separate from ordinary record views. Every emergency access is identifiable and reviewable.
  • BackupsAutomated daily backups, encrypted, retained on a defined schedule.

Your data is isolated from every other organisation

Every organisation on Safeguard runs in its own dedicated database schema. Your member data is physically isolated from every other group on the platform — not just access-controlled, but structurally separated at the database level. Even in the event of an application bug, one organisation's data cannot be read by another. This is a meaningful architectural guarantee, not just a policy.

GDPR compliance, in plain English

Safeguard is built around UK GDPR and EU GDPR principles:

  • Lawful basisWe help you record the right basis (consent, legitimate interest, legal obligation) for every record.
  • Data minimisationCollect only what your safeguarding policy requires.
  • Subject rightsParents and young people can request access, correction, or deletion. We give you the tools to respond inside SLA.
  • Children's dataWe treat under-18 records with the higher protections UK GDPR requires.
  • Data Processing AgreementAvailable to every customer, signed before go-live.
  • Breach notificationClear processes to alert you within 72 hours.

Payment Security

How we process payments

Safeguard uses Stripeto process all payments. Stripe is one of the world's largest payment processors, trusted by millions of businesses including many household names. Stripe is certified to the highest level of payment industry security standards (PCI-DSS Service Provider Level 1).

What this means for your card data

When you enter your card details to start or update a subscription, you do so directly into a secure form hosted by Stripe — not by Safeguard. Safeguard never sees, stores, or processes your card number, CVC, or expiry date. Those details travel directly from your browser to Stripe's secure systems and never touch Softfox infrastructure.

What we store is limited to:

  • A token that identifies your subscription with Stripe (used to charge you on schedule)
  • A non-sensitive summary of your payment method (e.g., card brand and last 4 digits) so you can recognise which card is on file
  • Billing-relevant metadata such as plan, billing cycle, and invoice history

We do not store your full card number, CVC, or any other sensitive cardholder data.

Our PCI-DSS position

By using Stripe Checkout and Stripe's hosted Customer Portal, Softfox qualifies as a PCI-DSS Self-Assessment Questionnaire A (SAQ-A) merchant, the lowest scope category. We never receive, transmit, or store cardholder data; that responsibility sits with Stripe. You can review Stripe's compliance and security documentation at stripe.com/security.

How payments are authenticated

Stripe handles authentication of all payment attempts, including 3D Secure / Strong Customer Authentication (SCA) as required by UK and EU regulations. If your bank requires you to confirm a payment, you'll be prompted by Stripe during checkout or at the next renewal — Safeguard does not interrupt your normal use of the service to ask for this.

Who you'll be working with

Our designated data protection contact is available to answer any questions about how we handle your data. If you have a data protection query, reach us at our contact page.

Sub-processors

We maintain a full list of every third-party service that touches your data. View the sub-processors list →

Have a security question?

Talk to our team — we're happy to go deeper on any of this.

Talk to our team