Corem8 runs the operational backbone of locksmith dispatch businesses. The data inside our customers' accounts is critical to their trade. This page describes the controls we have in place today, the suppliers we trust to host customer data, and the things we are still building. It is meant to be read by a busy operator and by a procurement or security team alike.
1. Overview
Corem8 is a cloud-hosted software product. Every customer's data is stored in shared infrastructure with strict tenant isolation, encrypted in transit and at rest, and accessed by a small set of named personnel under controlled conditions. We do not sell customer data. We do not use customer data to train models for any third party; customer data reaches an AI model provider only for the AI features a customer explicitly enables on their own account.
2. Hosting and Infrastructure
Corem8 runs on a small set of best-of-class providers, each chosen for a specific purpose. We do not run self-hosted infrastructure where managed alternatives offer stronger security posture.
Vercel for compute, edge routing, image optimisation, DDoS mitigation, and a managed web application firewall. Edge points of presence are global. Vercel is SOC 2 Type 2, ISO 27001, and PCI DSS v4.0 certified.
Supabase on AWS for the primary Postgres database, object storage for uploaded files and photos, and realtime subscriptions. Supabase is SOC 2 Type 2, ISO 27001, and HIPAA compliant.
Clerk for user authentication, session management, multi-factor authentication, and organisation membership. Clerk is SOC 2 Type 2 compliant.
Upstash for rate limiting and short-lived cache. Hosted in the EU.
Sentry for error tracking and performance monitoring. Hosted in the EU.
Stripe for subscription billing of the Corem8 service. Card numbers never reach our servers.
Twilio and Twilio SendGrid for transactional email, SMS, and WhatsApp message routing.
A complete and up-to-date list of every sub-processor we rely on, including the data categories they receive and the legal transfer mechanism in place, is published at /sub-processors.
3. Encryption
In transit: every connection to corem8.com and corem8.io is served over TLS 1.2 or higher; older protocol versions are not accepted. HSTS is enabled on all hostnames we control. There is no plaintext HTTP path.
At rest, customer data: the primary database and object storage encrypt customer data at the storage layer using AES-256 managed by the underlying cloud provider.
At rest, secrets and integration tokens: API keys, OAuth tokens for connected services such as Xero or Google, and webhook signing secrets are encrypted at the application layer using AES-256-GCM with envelope encryption. The encryption keys are managed by the cloud provider and rotated.
Payment data: card numbers, expiry dates, and CVCs never reach our servers. They are handled by Stripe Elements directly in the customer's browser. We store only the Stripe customer ID and last-four digits returned by Stripe.
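The application-layer envelope encryption described above for secrets and integration tokens, as an added illustration (not Corem8's own code): a fresh per-secret data key encrypts the token with AES-256-GCM, and that data key is in turn wrapped under a master key. Here the master key is a local random buffer standing in for the provider-managed key the page refers to; the workspace id and secret kind are bound into the authenticated data, so a blob copied into another tenant's row fails to decrypt. Function and field names are this example's own.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Stand-in for the provider-managed key-encryption key. In production this is a
// KMS key reference, never raw bytes held by the application. Constructed for this example.
const MASTER_KEY = randomBytes(32);

interface EnvelopeBlob {
  wrappedKey: Buffer;  // per-secret data key, encrypted under MASTER_KEY
  wrapIv: Buffer;      // 96-bit nonce used for the wrap
  wrapTag: Buffer;     // GCM tag for the wrap
  iv: Buffer;          // 96-bit nonce used for the secret itself
  tag: Buffer;         // GCM tag for the secret
  ciphertext: Buffer;
}

// Additional authenticated data binds the blob to one tenant and one purpose.
// Decrypting under a different workspace or kind fails authentication.
function aad(workspaceId: string, kind: string): Buffer {
  return Buffer.from(`${workspaceId}:${kind}`, "utf8");
}

function sealSecret(workspaceId: string, kind: string, plaintext: string): EnvelopeBlob {
  const dataKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", dataKey, iv);
  cipher.setAAD(aad(workspaceId, kind));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();

  // Wrap the data key under the master key, with the same binding.
  const wrapIv = randomBytes(12);
  const wrap = createCipheriv("aes-256-gcm", MASTER_KEY, wrapIv);
  wrap.setAAD(aad(workspaceId, kind));
  const wrappedKey = Buffer.concat([wrap.update(dataKey), wrap.final()]);
  const wrapTag = wrap.getAuthTag();
  dataKey.fill(0); // the plaintext data key never leaves this function
  return { wrappedKey, wrapIv, wrapTag, iv, tag, ciphertext };
}

function openSecret(workspaceId: string, kind: string, blob: EnvelopeBlob): string {
  const unwrap = createDecipheriv("aes-256-gcm", MASTER_KEY, blob.wrapIv);
  unwrap.setAAD(aad(workspaceId, kind));
  unwrap.setAuthTag(blob.wrapTag);
  const dataKey = Buffer.concat([unwrap.update(blob.wrappedKey), unwrap.final()]);

  const decipher = createDecipheriv("aes-256-gcm", dataKey, blob.iv);
  decipher.setAAD(aad(workspaceId, kind));
  decipher.setAuthTag(blob.tag);
  const plaintext = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString("utf8");
  dataKey.fill(0);
  return plaintext;
}

// True when a blob sealed for one workspace cannot be opened as another workspace.
function crossTenantOpenFails(blob: EnvelopeBlob, otherWorkspaceId: string, kind: string): boolean {
  try {
    openSecret(otherWorkspaceId, kind, blob);
    return false;
  } catch {
    return true;
  }
}
```

Rotating the master key means re-wrapping only the small data keys, not re-encrypting every stored token, which is the practical reason for the two-layer design.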
4. Access Control
Customer accounts: sign-in is handled by Clerk. Multi-factor authentication is supported for every account and enforced by default for administrative roles inside a Corem8 workspace.
Role-based access in the app: users inside a workspace are assigned roles (owner, dispatcher, engineer, bookkeeper, viewer) which determine the actions they can take. Sensitive actions such as billing changes and user removal require an owner role.
Tenant isolation: every query against the primary database is scoped to the requesting workspace. Defence-in-depth row-level safeguards apply on sensitive tables so that a buggy query path cannot leak across tenants.
Engineering access: production access is restricted to a small named group of personnel, requires multi-factor authentication, and is logged. Access reviews are conducted periodically and on staff role changes.
Background checks and confidentiality: personnel with production access are subject to background checks where lawful and bound by written confidentiality obligations.
5. Operational Security
Patching: security updates for application dependencies are tracked and applied on a risk-prioritised schedule. Critical-severity advisories trigger out-of-cycle patching.
Logging and monitoring: application errors and anomalies are captured by Sentry. Access to production systems is logged. Anomalous activity triggers alerts to the on-call engineer.
Rate limiting and abuse protection: public endpoints are rate-limited by IP and user identifier. Webhook endpoints verify request signatures from the originating provider.
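Webhook signature verification, as an added example of the check the paragraph above refers to (not Corem8's own code and not any provider's SDK): the header format assumed here, `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, mirrors the timestamped-HMAC pattern used by providers such as Stripe. The secret, body and timestamp are constructed for the example. The points a practitioner wants are all here: verify the raw body bytes rather than re-serialised JSON, reject stale timestamps to limit replay, and compare with a constant-time function after a length check.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Replay window: a signature whose timestamp is further than this from "now" is rejected.
const TOLERANCE_SECONDS = 300;

function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function parseSignatureHeader(header: string): { t: number; v1: string } | null {
  let t: number | null = null;
  let v1: string | null = null;
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) return null;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") t = Number(value);
    else if (key === "v1") v1 = value;
  }
  if (t === null || v1 === null || !Number.isInteger(t)) return null;
  return { t, v1 };
}

// rawBody must be the bytes exactly as received. Parsing and re-serialising JSON
// changes whitespace and key order and breaks the MAC for a genuine request.
function verifyWebhook(secret: string, header: string, rawBody: string, nowSeconds: number): boolean {
  const parsed = parseSignatureHeader(header);
  if (parsed === null) return false;
  if (Math.abs(nowSeconds - parsed.t) > TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(signPayload(secret, parsed.t, rawBody), "hex");
  const given = Buffer.from(parsed.v1, "hex"); // invalid hex yields an empty buffer
  // timingSafeEqual throws on length mismatch; the length is not secret, so check it first.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// Constructed sample: a webhook body and a header produced with the example secret.
const SAMPLE_SECRET = "whsec_example_not_real";
const SAMPLE_BODY = '{"event":"invoice.paid","id":"evt_1"}';
const SAMPLE_TS = 1700000000;
const SAMPLE_HEADER = `t=${SAMPLE_TS},v1=${signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)}`;

function runChecks(): { genuine: boolean; tampered: boolean; stale: boolean; wrongSecret: boolean; malformed: boolean } {
  return {
    genuine: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_TS + 10),
    tampered: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY.replace("evt_1", "evt_2"), SAMPLE_TS + 10),
    stale: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_TS + 3600),
    wrongSecret: verifyWebhook("whsec_other", SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_TS + 10),
    malformed: verifyWebhook(SAMPLE_SECRET, "garbage", SAMPLE_BODY, SAMPLE_TS + 10),
  };
}
```

Only `genuine` should verify; the tampered, stale, wrong-secret and malformed cases are all rejected before any event is processed.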
Input handling: user-supplied input is validated at trust boundaries. Output is escaped according to the context (HTML, attribute, URL, JSON). Generative AI prompts are sanitised before being sent to the model provider.
Backups and recovery: the primary database is backed up daily with point-in-time recovery available. Recovery procedures are documented and tested.
Incident response: a documented incident response runbook covers detection, triage, containment, notification, and post-incident review. As a processor we commit to notifying affected customers of a confirmed personal data breach without undue delay, as Article 33(2) UK GDPR requires, and in any event within 72 hours, so that customers can meet their own 72-hour deadline for notifying the ICO under Article 33(1).
6. Data Isolation and Residency
Customer data is held in shared infrastructure with logical isolation between tenants. Every record stored in the primary database carries a workspace identifier that is enforced on every read and write path.
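The workspace scoping described here and in section 4 (every read and write carries the workspace identifier, with row-level safeguards in the database as a backstop), shown as an added application-layer example rather than Corem8's own code or a database policy. The table, rows and function names are constructed for the example. The point it makes is the one in section 4: the workspace id comes from the authenticated session, never from the request, and a query path that forgets its tenant filter fails closed instead of returning another tenant's rows.

```typescript
// Constructed in-memory rows standing in for a "jobs" table in the primary database.
interface JobRow { id: string; workspace_id: string; customer: string }

const JOBS: JobRow[] = [
  { id: "job_1", workspace_id: "ws_a", customer: "Ada" },
  { id: "job_2", workspace_id: "ws_b", customer: "Bob" },
  { id: "job_3", workspace_id: "ws_a", customer: "Cy" },
];

class TenantLeakError extends Error {}

// Read path: every row the query returns is re-checked against the session's
// workspace. A buggy query that dropped its WHERE clause raises instead of leaking.
function scopedSelect(sessionWorkspaceId: string, query: (workspaceId: string) => JobRow[]): JobRow[] {
  const rows = query(sessionWorkspaceId);
  for (const row of rows) {
    if (row.workspace_id !== sessionWorkspaceId) {
      throw new TenantLeakError(`row ${row.id} belongs to ${row.workspace_id}, not ${sessionWorkspaceId}`);
    }
  }
  return rows;
}

// Write path: the stored workspace id is always the session's. A client-supplied
// workspace_id that disagrees is rejected rather than silently overwritten.
function scopedInsert(
  sessionWorkspaceId: string,
  table: JobRow[],
  input: { id: string; customer: string; workspace_id?: string },
): JobRow {
  if (input.workspace_id !== undefined && input.workspace_id !== sessionWorkspaceId) {
    throw new TenantLeakError(`attempt to write into ${input.workspace_id} from ${sessionWorkspaceId}`);
  }
  const row: JobRow = { id: input.id, customer: input.customer, workspace_id: sessionWorkspaceId };
  table.push(row);
  return row;
}

const correctQuery = (workspaceId: string): JobRow[] => JOBS.filter((j) => j.workspace_id === workspaceId);
const buggyQuery = (_workspaceId: string): JobRow[] => JOBS; // forgot the tenant filter

function demo(): { scopedCount: number; leakCaught: boolean; crossWriteCaught: boolean; insertedWorkspace: string } {
  const scopedCount = scopedSelect("ws_a", correctQuery).length;
  let leakCaught = false;
  try {
    scopedSelect("ws_a", buggyQuery);
  } catch (e) {
    leakCaught = e instanceof TenantLeakError;
  }
  let crossWriteCaught = false;
  try {
    scopedInsert("ws_a", JOBS.slice(), { id: "job_9", customer: "Di", workspace_id: "ws_b" });
  } catch (e) {
    crossWriteCaught = e instanceof TenantLeakError;
  }
  // A write with no client-supplied workspace is stamped with the session's.
  const inserted = scopedInsert("ws_a", JOBS.slice(), { id: "job_8", customer: "Eve" });
  return { scopedCount, leakCaught, crossWriteCaught, insertedWorkspace: inserted.workspace_id };
}
```

This guard complements, and does not replace, the database-side row-level safeguards the page describes: the database policy stops the leak, and the application check turns a silent near-miss into a logged error that surfaces the buggy query path.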
The primary database and object storage are currently hosted in the United States by Supabase on AWS. Personal data transfers outside the United Kingdom and European Economic Area are covered by the Standard Contractual Clauses adopted by the European Commission together with the UK International Data Transfer Addendum issued by the Information Commissioner's Office. The transfer mechanism applied to each sub-processor is published at /sub-processors.
EU-only or UK-only data residency is available on request for enterprise customers. Please contact security@corem8.com to scope a residency configuration.
7. Vulnerability Disclosure
We invite security researchers to report vulnerabilities to security@corem8.com. The canonical machine-readable contact information is published at /.well-known/security.txt per RFC 9116.
What we ask:
Test only against your own accounts. Do not access or modify another customer's data.
Do not run automated vulnerability scanners against production without prior written agreement.
Do not exploit a finding beyond what is needed to demonstrate the issue.
Do not perform denial-of-service, social engineering, or physical attacks.
Hold reports in confidence until we confirm a fix is deployed or a coordinated disclosure date is agreed.
What we commit to:
Acknowledge your report within 2 business days.
Provide a triage outcome and reproduction status within 5 business days.
Work in good faith on remediation with regular progress updates.
Credit reporters publicly with their permission, unless they prefer to remain anonymous.
Not pursue legal action against researchers acting in good faith and within this policy.
Out-of-scope findings include reports based purely on the output of an automated scanner, social engineering of staff, physical attacks, missing best-practice headers without a demonstrated exploit, and findings on third-party services we do not control. Please direct findings on third-party services (for example, Vercel, Supabase, Clerk, Stripe) to the respective provider.
8. What We Are Working Toward
We do not yet have the formal certifications a large enterprise buyer would expect. Some of those are appropriate for our stage and some are not. The honest picture:
SOC 2 Type I. Targeted within twelve months of the Corem8 v1.0 commercial launch. We will make the audit attestation available under NDA on request.
Annual third-party penetration test. Scheduled from first paid customer. The high-level summary will be available to customers under NDA.
Bug bounty programme. Under consideration after SOC 2 Type I. Until then, the responsible disclosure process in section 7 applies.
ISO 27001. Not currently scheduled. Customer-driven if a specific buyer requires it.
EU-only data residency. Available on request today, targeted as a self-serve option in v1.x.
If your procurement process requires evidence we do not yet publish, write to security@corem8.com. We will provide what we can under NDA and tell you plainly what we cannot.
9. Sub-processors and Data Processing Agreement
Our authoritative sub-processor list is at /sub-processors. Our Data Processing Agreement, satisfying Article 28 UK GDPR and EU GDPR, is at /dpa and is available for counter-signature on request.