Your data, under contract.
SQEase processes legal study materials — sometimes drawn from confidential firm sources. Here's how we keep them safe, who else touches them, and how to tell us when something looks off.
How we secure the platform
Concrete controls — not vague reassurance — across data, access, infrastructure, and AI safety.
Data protection
Encryption · Isolation
- AES-256 encryption at rest for all databases and document stores, provided by Google Cloud.
- TLS 1.3 in transit for all client and inter-service traffic.
- Per-user data isolation — your records are scoped to your account ID and enforced by database security rules.
- Managed, encrypted storage with Google Cloud's built-in redundancy and durability.
Access & identity
Auth · Least privilege
- Sign in with Google or email/password, managed by Firebase Authentication — we never store your password ourselves.
- Single operator — one founder is the only person with production access; no team or contractors touch your data.
- Reviewed changes — every production change goes through a pull request and a documented merge process.
Built on certified infrastructure
Inherited assurance
- Hosted on Vercel — independently certified to SOC 2 Type II and ISO/IEC 27001.
- Data, auth, and functions on Google Cloud / Firebase — SOC 2, ISO 27001, and ISO 27017/27018 certified.
- Payments handled by Stripe, a PCI-DSS Level 1 service provider — we never see your card details.
- Standard Data Processing Agreements in place with every infrastructure provider.
AI safety
Provider terms
- Your uploads are never used as training data for any AI model.
- No training on your data by default — our AI providers (Google, Anthropic, OpenAI) don't train on API inputs, and request logs are short-lived under each provider's API terms.
- Every question is screened by an automated verification stage before it reaches you, and your materials stay scoped to your account.
Honest transparency
What we are — and aren't
- SQEase is run by a single founder. No team, no contractors with data access.
- One operator means a smaller attack surface — but also no 24/7 security team, and we won't pretend otherwise.
- We comply with UK GDPR, the Data Protection Act 2018, and applicable consumer law.
- Breach duty: we will notify the ICO and affected users within 72 hours of becoming aware of a personal-data breach.
Built on certified foundations
We process personal data lawfully under UK data-protection law, with a standard DPA from every sub-processor.
Our hosting and edge network is independently certified.
Our database, auth, functions, and storage run on certified Google Cloud infrastructure.
All card data is handled by Stripe and never touches our servers.
The difference between "certified" and "built on certified."
SQEase is a solo-run product, so we don't claim enterprise certifications we haven't earned ourselves.
What we can stand behind: we comply with UK GDPR and the Data Protection Act 2018, and we're built entirely on independently-certified infrastructure — Vercel, Google Cloud, and Stripe.
As we grow we intend to pursue our own SOC 2 and ISO 27001 — and we won't claim them until we hold the reports.
Who else processes your data
Every third party that touches your data, what they do, and the data-processing agreement we operate under with them.
We notify users of new sub-processors at least 30 days before they begin processing data.
Found a flaw? Tell us first.
We run a public, coordinated vulnerability-disclosure programme. We respond within 2 working days and publicly credit you with permission.
Safe-harbour rules
- Test only against your own account.
- Never read, modify, or exfiltrate data beyond what's needed to demonstrate the issue.
- Never run automated scans exceeding 5 req/s.
- Give us 90 days to fix before public disclosure.
Our thank-you
SQEase is a small startup with no cash bounty programme. What we can offer:
Other security contacts
Procurement: finlay@sqease.uk · DPO: privacy@sqease.uk · Vulnerabilities: support@sqease.uk