Security

Last updated: 1 June 2026

Platform

  • Hosted on Vercel (SOC 2 Type II) with EU/UK regions.
  • Postgres on Neon (SOC 2 Type II), encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Application secrets stored in Vercel encrypted environment variables; never committed to source control.
  • Sensitive fields encrypted at the application layer with rotated keys.

Access control

  • Role-based access enforced server-side on every request.
  • MFA required for administrator and privileged roles.
  • Least-privilege access to production data; access reviewed quarterly.

Monitoring

  • Append-only audit log for state-changing actions.
  • Rate limiting and abuse detection on public endpoints.
  • Automated dependency scanning (Dependabot, CodeQL).

Responsible disclosure

We welcome reports from security researchers. Please email security@calion.ie with a description of the issue and a proof of concept. We aim to acknowledge reports within 2 business days, and we will not pursue legal action against researchers who act in good faith and within this policy.

Our machine-readable contact file (RFC 9116 format, with the required Contact and Expires fields) is at /.well-known/security.txt.

Certifications & documents

  • UK ICO registration: [to be inserted].
  • Cyber Essentials: [in progress].
  • DPA, sub-processor list and trust pack available at /trust.