Our approach
Your business data — customer contacts, job history, invoices, photos, and everything else — is the lifeblood of your trade. Losing it, leaking it, or having it tampered with isn’t just inconvenient: it damages your reputation and may breach your legal duties. We take that seriously.
🔒 Encryption everywhere: in transit and at rest. No exceptions.
🇬🇧 UK/EU hosting: your data stays in the UK and EU.
📜 Principle of least privilege: staff access is role-based and audited.
💾 Automated backups: daily, encrypted, retained 35 days.
🛡️ Defence in depth: multiple independent layers, not one big wall.
🔍 Continuous monitoring: always-on logging and anomaly detection.
Data in transit
Every connection between your device and our servers is encrypted using industry-standard TLS. We enforce HTTPS across every page, API, and service. Our certificates are issued by trusted certificate authorities and auto-rotated. We use modern cipher suites only — legacy protocols are disabled.
Data at rest
Databases are encrypted at the disk level. Backups are encrypted. Passwords are never stored in plain text — we use salted hashing with a modern, industry-accepted algorithm and a high work factor. We can’t see your password, and neither can an attacker who obtains a backup.
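To make the password-storage point concrete, here is an added example (not OnlyTrade's own code) of salted hashing with a tunable work factor, using scrypt from Python's standard library. The parameters, record format and function names are illustrative assumptions; the property it demonstrates is the one the paragraph describes: a stolen record contains only a random salt and a slow-to-compute digest, so the password itself is not recoverable from a backup, and the work factor can be raised later without invalidating existing accounts.

```python
import base64
import hashlib
import hmac
import os

# Illustrative work-factor settings (an assumption for this example; tune to
# the server's CPU/memory budget in practice). Memory use is 128 * r * N bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$digest (all base64)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def _parse(stored: str):
    """Split a stored record into its parts, or return None if malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        return int(parts[1]), int(parts[2]), int(parts[3]), \
            base64.b64decode(parts[4]), base64.b64decode(parts[5])
    except (ValueError, TypeError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the parameters stored in the record and
    compare in constant time, so a mismatch leaks nothing through timing."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record uses a weaker work factor than the current policy
    (or is malformed); re-hash on the next successful login in that case."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Because the parameters travel with each record, a later increase of `SCRYPT_N` does not lock anyone out: `verify_password` still checks old records with the old cost, and `needs_rehash` tells the login path to re-hash with the new cost once the user has proven the password.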
Authentication
Access to your account is protected by:
- Strong password requirements (minimum length, disallowed common passwords)
- Rate-limited login attempts with account lockout after repeated failures
- Session tokens that expire automatically
- Optional passkey authentication (Face ID, Touch ID, Windows Hello) — phishing-resistant, no password to steal
- Email alerts for suspicious sign-in activity
Two-factor authentication is available and strongly recommended on paid plans.
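The rate-limiting and lockout bullet above describes a control whose details matter: when the lockout starts, how long it lasts, and whether a correct password is accepted while an account is locked. The following added example (not OnlyTrade's code; the class, thresholds and clock handling are assumptions for illustration) shows one straightforward per-account throttle with a sliding failure window and a timed lockout, checked before the password is verified.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failure counter with a sliding window and timed lockout.

    In-memory for illustration; a real deployment would keep this state in a
    shared store so every application server sees the same counters.
    """

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # account -> failure timestamps
        self._locked_until = {}             # account -> unlock time

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lockout expired: clear state and allow attempts
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now=None):
        """Log a failed attempt; return True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        cutoff = now - self.window_seconds
        recent = [t for t in self._failures[account] if t > cutoff]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password_ok, now):
    """Login decision for one attempt. `password_ok` stands in for the result
    of the password check; it is only consulted when the account is not
    locked, so a locked account cannot be used as a verification oracle."""
    if throttle.is_locked(account, now):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account, now) else "failed"
```

The trade-off to keep in mind: a strict per-account lockout also lets a third party lock a victim out by deliberately failing their login, which is why the window and lockout durations are short and why the page pairs this control with sign-in alerts rather than relying on lockout alone.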
Infrastructure
- Hosted in certified UK and EU data centres (ISO 27001 and SOC 2 compliant)
- Protected by Cloudflare DDoS mitigation and a Web Application Firewall
- Network segmentation with strict firewall rules between tiers
- Servers are hardened, patched regularly, and monitored for intrusions
- Production access requires SSH key authentication — no password-based remote login
Application security
Our application is built with secure-by-default patterns:
- All database queries are parameterised to prevent SQL injection
- Output is escaped to prevent cross-site scripting (XSS)
- CSRF protection on all state-changing requests
- Content Security Policy, HSTS, and other standard security headers
- File uploads are validated, scanned, and stored with non-executable permissions
- Third-party dependencies are automatically scanned for known vulnerabilities
- Code changes pass through peer review before production deployment
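The first two bullets above name the two most common injection defects and their standard fixes. As an added example (not OnlyTrade's code; the table, sample rows and hostile-looking input are constructed for illustration), the block below puts a concatenated query beside its parameterised form using Python's built-in sqlite3 module, and shows output escaping for the XSS case. With a parameter placeholder the driver sends the input as data, so a quote inside it can never change the query's structure; with concatenation the same input rewrites the WHERE clause.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table with two sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.invalid"),
         ("Bob Jones", "bob@example.invalid")],
    )
    return conn


def find_by_email_unsafe(conn, email):
    """The defect: query text assembled by string concatenation. Any quote in
    `email` becomes part of the SQL grammar instead of the value."""
    sql = ("SELECT name FROM customers WHERE email = '" + email
           + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def find_by_email_safe(conn, email):
    """The fix: a placeholder plus a parameter tuple. The value is bound by
    the driver and compared literally, whatever characters it contains."""
    sql = "SELECT name FROM customers WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def render_name(name):
    """Output escaping: customer-supplied text is encoded before it is placed
    in HTML, so markup in the data is displayed rather than executed."""
    return "<li>" + html.escape(name) + "</li>"
```

The hostile input used in the checks, `x' OR '1'='1`, is the textbook case: the concatenated query returns every customer, while the parameterised query correctly finds nobody with that literal e-mail address. The same separation of data from structure is what the CSRF and header bullets aim at in their own layers.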
Access controls
- Staff access to production systems is granted on a need-to-know basis
- All privileged actions are logged and retained
- Admin accounts require multi-factor authentication
- Access is reviewed regularly and revoked immediately on offboarding
Backups & disaster recovery
- Automated encrypted backups run daily
- Backups are retained for 35 days on a rolling basis
- Backups are stored in a geographically separate region from primary data
- We test our restore procedure regularly — a backup that can’t be restored isn’t a backup
Payments
We don’t store full card details. Card payments are processed by Stripe, Direct Debits by GoCardless — both PCI DSS Level 1 certified. We receive only a tokenised reference, the card type, the last four digits, and the expiry date.
Monitoring & incident response
- 24/7 automated monitoring of system health, performance, and anomalies
- Alerting for unusual login patterns, failed access attempts, and data-exfiltration signals
- Documented incident response playbook rehearsed by the team
- In the event of a personal data breach, we will notify the ICO within 72 hours as required by UK GDPR, and notify affected users where required
Third-party sub-processors
We use trusted third-party services to deliver the platform — hosting, CDN, payments, email, SMS, AI features. Each is bound by a data processing agreement. A current list is in our Privacy Policy.
What you can do
Security is a shared responsibility. You can help protect your account by:
- Using a strong, unique password (a password manager is the easiest way)
- Enabling two-factor authentication or a passkey
- Keeping your email account secure — it’s the recovery route for your OnlyTrade login
- Logging out on shared devices
- Reviewing active sessions and recent activity in your account
- Telling us quickly if something looks wrong
Found a security issue?
We welcome responsible disclosure from researchers. If you’ve identified a vulnerability, please email us rather than disclosing publicly. We aim to acknowledge within 24 hours and keep you updated as we investigate.
Contact: security@onlytrade.ai
Please include steps to reproduce and any supporting evidence. We do not currently run a paid bug bounty but are always happy to credit researchers who report in good faith.
What not to do: access other users’ data, degrade service availability, perform destructive testing, or publish unpatched vulnerabilities. Good-faith research within these bounds will not result in legal action.
Compliance alignment
We design our controls around recognised frameworks including:
- UK GDPR and the Data Protection Act 2018
- ISO 27001 information security management principles
- NCSC Cyber Essentials guidance
- OWASP Top 10 application security standards
- PCI DSS (via our payment processors)
We deliberately don’t publish detailed infrastructure maps, specific software versions, or information about internal security tooling. Doing so would help attackers without helping legitimate users. Our enterprise security documentation, which contains more detail, is available to qualified customers under NDA on request.
Questions?
If you’re a prospective customer with specific security or compliance requirements, we’re happy to complete vendor assessment questionnaires. Contact security@onlytrade.ai.