Slatewick handles regulatory compliance documentation for care homes, GP surgeries, dental practices, vets, asbestos surveyors, gas engineers, and 30 other regulated sectors. Customer trust depends on us protecting that data. This page describes the technical and organisational measures in place under Article 32 of the UK GDPR.
1. Where data lives
Customer data is stored in the United Kingdom on dedicated, single-tenant database servers operated by Kronaxis Limited. Data is not co-mingled with other tenants in a shared schema; each Customer organisation has logically isolated rows enforced at the application layer, and a separate physical schema is available on the enterprise tier.
Encrypted off-site backups are held in Germany and Finland with end-to-end encryption performed before transfer (rclone-crypt, AES-256). The off-site provider sees only opaque ciphertext.
2. Encryption
- In transit. TLS 1.2 minimum, TLS 1.3 preferred, between any client and Slatewick. HSTS enforced on the public site. Internal control-plane traffic is restricted to a private WireGuard mesh.
- At rest. Database storage is encrypted at the volume layer. Backups are encrypted before they leave Slatewick infrastructure.
- Passwords. Hashed with scrypt, a memory-hard key-derivation function designed to resist GPU-accelerated cracking. Plain-text passwords are never stored or logged.
- Secrets. Application secrets (API keys, signing keys, database credentials) are held in restricted environment files with file-level permissions. Secrets are rotated on personnel changes and at least annually.
3. Access control
- Production access is restricted to authorised engineering personnel and gated by SSH key authentication, multi-factor authentication on the gateway, and IP allow-listing.
- The principle of least privilege applies: customer-facing support staff do not have unrestricted database access; engineers do not have payment-system credentials.
- Access is logged. Privileged actions are reviewed.
- Customer-side access is enforced by per-account session tokens, scrypt-hashed passwords, and an optional second factor by SMS or authenticator app.
4. Software security
- Daily automated security updates are applied to operating systems and core dependencies.
- Web application traffic is filtered at the edge, with rate limiting on authentication endpoints.
- SQL queries use parameterised statements throughout. Inputs from end users are escaped at the template layer.
- Cross-site scripting protections (Content Security Policy, X-Content-Type-Options, X-Frame-Options) are in place on customer-facing pages.
- Cross-site request forgery protection is applied to state-changing endpoints.
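The parameterised-statement bullet is easiest to see with a string-built query next to its parameterised form. The following is an added example written for this page, not Slatewick's code; the `documents` table, its rows and the `org_id` column are constructed to stand in for the per-organisation row isolation described in section 1. SQLite is used only because it runs in memory without any setup.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, org_id INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (org_id, title) VALUES (?, ?)",
        [
            (1, "Fire risk assessment"),
            (1, "Legionella log"),
            (2, "Gas safety certificate"),
        ],
    )
    conn.commit()
    return conn


def find_documents_unsafe(conn: sqlite3.Connection, org_id: int, fragment: str) -> List[Row]:
    """The pattern to avoid: user input is pasted into the statement text,
    so it can change the WHERE clause and defeat the org_id filter."""
    sql = (
        f"SELECT id, title FROM documents "
        f"WHERE org_id = {org_id} AND title LIKE '%{fragment}%'"
    )
    return conn.execute(sql).fetchall()


def find_documents(conn: sqlite3.Connection, org_id: int, fragment: str) -> List[Row]:
    """Parameterised form: the statement text is fixed and the driver sends
    the values separately, so input is only ever treated as data."""
    sql = "SELECT id, title FROM documents WHERE org_id = ? AND title LIKE ?"
    return conn.execute(sql, (org_id, f"%{fragment}%")).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_documents(conn, 1, "Fire"))
    # A search string containing SQL syntax matches nothing in the safe version
    # but widens the unsafe query to every tenant's rows.
    probe = "' OR 1=1 --"
    print(find_documents(conn, 1, probe))
    print(find_documents_unsafe(conn, 1, probe))
```

The test input is a generic search string containing quote and comment characters; the point is that the parameterised query treats it as an ordinary (non-matching) title fragment, while the string-built query loses the tenant filter. The same applies to any field that reaches SQL, not only search boxes.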
5. Backup and disaster recovery
- Database backups are taken nightly and retained for 30 days on production storage.
- Encrypted backups are replicated to off-site storage every night and retained for 90 days.
- Recovery procedures are documented and tested. Target recovery time for a full-system rebuild is under four hours; target maximum data loss in a worst-case scenario is 24 hours.
- The infrastructure follows a 3-2-1 backup pattern: production, on-site secondary, encrypted off-site.
6. Personnel
- All personnel with access to Customer Personal Data are bound by written confidentiality obligations.
- New starters complete a security and data-protection briefing before being given access.
- Access is revoked on the day a role ends.
7. Sub-processor governance
Every third party that processes Customer Personal Data is listed at slatewick.co.uk/sub-processors, with the location of processing and transfer mechanism. Each sub-processor is bound by a written contract with data-protection terms no less protective than our DPA with you. Customers receive at least 30 days' notice before any sub-processor change.
8. Incident response
We treat any suspected unauthorised access, loss, alteration, or disclosure of Customer Personal Data as a security incident.
- Detect. Anomalies in authentication, query patterns, and infrastructure metrics are monitored continuously.
- Contain. Affected systems are isolated within minutes of a confirmed incident.
- Investigate. A designated incident lead establishes scope, root cause, and affected data subjects.
- Notify. Affected Customers are notified without undue delay and in any event within 72 hours of becoming aware of a personal data breach, in accordance with clause 11 of the DPA. Where required, the Information Commissioner's Office is notified.
- Remediate and learn. Fixes are applied, similar weaknesses are reviewed, and a post-incident report is prepared.
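The "Detect" step above and the rate limiting on authentication endpoints in section 4 both rest on watching failed-login patterns per source. As an added illustration (not Slatewick's monitoring, whose thresholds and log format are not published), the following runs a sliding-window detector over constructed authentication log lines. It flags a source that exceeds a failure threshold within the window, distinguishes a spray across many accounts from repeated attempts on one, and records whether a successful login followed the burst, which is the case an incident lead would want to triage first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log (assumed format: timestamp source event account).
# 203.0.113.7 and 198.51.100.20 are documentation-range addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 LOGIN_FAIL alice@example.org
2024-03-01T09:00:03Z 203.0.113.7 LOGIN_FAIL bob@example.org
2024-03-01T09:00:04Z 203.0.113.7 LOGIN_FAIL carol@example.org
2024-03-01T09:00:06Z 203.0.113.7 LOGIN_FAIL dave@example.org
2024-03-01T09:00:07Z 203.0.113.7 LOGIN_FAIL erin@example.org
2024-03-01T09:00:09Z 203.0.113.7 LOGIN_OK erin@example.org
2024-03-01T09:05:00Z 198.51.100.20 LOGIN_FAIL alice@example.org
2024-03-01T09:05:30Z 198.51.100.20 LOGIN_OK alice@example.org
2024-03-01T09:20:00Z 203.0.113.7 LOGIN_FAIL frank@example.org
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, source, event, account)."""
    ts, source, event, account = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event, account


def detect_auth_anomalies(
    log_text: str,
    window: timedelta = timedelta(minutes=1),
    fail_threshold: int = 5,
    spray_accounts: int = 3,
) -> List[Dict]:
    """Return one alert per burst of failures from a source within `window`.

    kind is 'password_spray' when the failures touch at least `spray_accounts`
    distinct accounts, otherwise 'brute_force'. success_after is set when the
    same source logs in successfully within the window of the burst's start.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    open_alert: Dict[str, int] = {}  # source -> index of its live alert

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, event, account = parse_line(line)

        # A live alert expires once the window has moved past its start.
        idx = open_alert.get(source)
        if idx is not None and ts - alerts[idx]["first_seen"] > window:
            open_alert.pop(source)

        if event == "LOGIN_FAIL":
            q = recent[source]
            q.append((ts, account))
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= fail_threshold and source not in open_alert:
                accounts = {acct for _, acct in q}
                alerts.append({
                    "source": source,
                    "first_seen": q[0][0],
                    "failures": len(q),
                    "accounts": len(accounts),
                    "kind": "password_spray" if len(accounts) >= spray_accounts else "brute_force",
                    "success_after": False,
                })
                open_alert[source] = len(alerts) - 1
        elif event == "LOGIN_OK":
            idx = open_alert.get(source)
            if idx is not None and ts - alerts[idx]["first_seen"] <= window:
                alerts[idx]["success_after"] = True
            # A success ends the burst; later failures start a fresh count.
            recent[source].clear()
            open_alert.pop(source, None)
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, the single alert is for 203.0.113.7: five failures across five accounts inside eight seconds, followed by a success, so it is classed as a spray with `success_after` set. The lone failure from 198.51.100.20 and the isolated failure twenty minutes later never reach the threshold and produce nothing, which is the behaviour you want from a detector feeding an on-call rota.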
9. Vulnerability disclosure
We welcome reports from security researchers. Email security@slatewick.co.uk with technical details, including reproduction steps. Please do not exploit, exfiltrate, or publicise vulnerabilities. We will acknowledge receipt within two working days, give a fix timeline within ten working days, and credit you (with your permission) when the fix ships.
Out of scope: testing on Customer-owned data, brute force or credential stuffing, denial-of-service testing, social engineering of staff, and any attack on third-party services we depend on.
10. Certifications and roadmap
We are early-stage and growing into formal third-party assurance. Our current public posture is honest about that.
- In place: UK GDPR Article 28 Data Processing Agreement available to every Customer.
- In place: Sub-processor register with 30-day change notice.
- In progress: Cyber Essentials self-assessment.
- In progress: ISO 27001 readiness review.
- Planned 2026: Cyber Essentials Plus audit.
- Planned 2027: ISO 27001 certification (subject to commercial demand).
- Planned 2027: NHS Data Security and Protection Toolkit submission for healthcare-vertical Customers.
11. Customer security responsibilities
Security is a shared responsibility. We protect the platform; you control how it is used inside your organisation. Specifically:
- Choose strong, unique passwords and enable two-factor authentication on staff accounts.
- Revoke staff access promptly when people leave.
- Avoid sharing accounts. The Service supports individual logins on every paid tier.
- Train staff to recognise phishing emails purporting to be from Slatewick. We will never ask for your password by email.
- Report any suspected unauthorised access to your account to security@slatewick.co.uk.
12. Contact
Security operations: security@slatewick.co.uk
Vulnerability disclosure: security@slatewick.co.uk
Procurement and assurance questionnaires: privacy@slatewick.co.uk