Security & Trust Center
Last Updated: 21 April 2026
1. Overview
Standard Tonnage Limited is a UK-registered business-to-business software provider handling operational container tracking data and limited contact information on behalf of our customers. This page sets out in plain English how we protect that information and the frameworks our programme is aligned with.
We are honest about our stage. We are a small, founder-led company and we hold ourselves to a higher bar than our size would suggest. Where we are working towards a formal certification, we say so, with target dates.
2. Data protection
2.1 UK data residency
Customer data, including container records, booking references, contact details, and account data, is stored in our primary Supabase PostgreSQL database hosted in the United Kingdom (London / eu-west-2 region). We do not replicate this data outside the UK except where strictly necessary to deliver a third-party service (see Sub-processors below).
2.2 Encryption
All data is encrypted in transit using TLS 1.2 or higher. All data is encrypted at rest using AES-256 (provided by Supabase and Vercel at the infrastructure layer). Passwords are hashed using bcrypt (via Supabase Auth). We do not store card details; Stripe handles all payment processing as a PCI-DSS Level 1 service provider.
2.3 Backups
Supabase performs automated daily backups with seven-day point-in-time recovery. We target a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 4 hours for the production database. Backups are encrypted at rest and tested quarterly as part of our Disaster Recovery programme.
3. Access controls
- Multi-factor authentication is mandatory on every administrative console used by Standard Tonnage staff: Supabase, Vercel, Stripe, Google Workspace, GitHub, and our domain registrar.
- Least privilege: access to production data is limited to named individuals with a documented business need. Currently that is one person (the founder). As we hire, access reviews will run quarterly.
- Row-level security (RLS) is enforced in Supabase so that a customer can only read or write their own records, even if an application bug would otherwise allow broader access.
- Session controls: customer sessions expire after a defined idle period. Admin sessions are shorter and re-authentication is required for security-sensitive operations.
- Audit logging: authentication events, administrative actions, and API errors are logged and retained for at least 12 months.
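The row-level security guarantee described above is enforced inside PostgreSQL, so a bug in the application layer that forgets a `WHERE` clause still cannot expose another customer's rows. The following is an added illustration of how that pattern is expressed with Postgres RLS as exposed by Supabase; it is not Standard Tonnage's own schema, and the table names (`organisations`, `org_members`, `containers`) and columns are assumed for the example. `auth.uid()` is the Supabase-provided helper that returns the calling user's id from the request JWT.

```sql
-- Added example (not Standard Tonnage's schema): Postgres row-level security
-- in the Supabase style, so that users only ever see their own organisation's
-- container records. Table and column names are assumed for illustration.

-- Customers are organisations; users belong to organisations; containers belong
-- to one organisation.
create table if not exists public.organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table if not exists public.org_members (
  org_id  uuid not null references public.organisations(id) on delete cascade,
  user_id uuid not null,                  -- matches auth.users.id in Supabase
  primary key (org_id, user_id)
);

create table if not exists public.containers (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null references public.organisations(id) on delete cascade,
  container_no text not null,
  status       text not null default 'booked'
);

-- Enable RLS and FORCE it, so even the table owner is subject to the policies.
-- Once RLS is enabled, a table with no matching policy returns no rows at all
-- (deny by default), which is the behaviour we want for customer data.
alter table public.org_members enable row level security;
alter table public.org_members force  row level security;
alter table public.containers  enable row level security;
alter table public.containers  force  row level security;

-- A signed-in user may read only their own membership rows.
create policy "members read own membership"
  on public.org_members for select
  to authenticated
  using (user_id = (select auth.uid()));

-- Reads: only containers of an organisation the caller belongs to.
-- (select auth.uid()) is evaluated once per statement rather than per row.
create policy "org members read own containers"
  on public.containers for select
  to authenticated
  using (
    exists (
      select 1 from public.org_members m
      where m.org_id  = containers.org_id
        and m.user_id = (select auth.uid())
    )
  );

-- Writes: the same membership test applied both to the row being targeted
-- (USING) and to the row as it will look after the write (WITH CHECK), so a
-- member cannot move a record into an organisation they do not belong to.
create policy "org members write own containers"
  on public.containers for all
  to authenticated
  using (
    exists (select 1 from public.org_members m
            where m.org_id = containers.org_id and m.user_id = (select auth.uid()))
  )
  with check (
    exists (select 1 from public.org_members m
            where m.org_id = containers.org_id and m.user_id = (select auth.uid()))
  );

-- No policy is granted to the anon role, so unauthenticated requests see nothing.

-- Check: confirm RLS is enabled AND forced on every table in the public schema.
-- Any row showing false in either column is a gap to close before go-live.
select relname, relrowsecurity, relforcerowsecurity
from   pg_class
where  relnamespace = 'public'::regnamespace
  and  relkind = 'r'
order  by relname;
```

Two caveats worth keeping in mind when reviewing a setup like this: the Supabase `service_role` key is attached to a database role that bypasses RLS, so it must only ever be used server-side and never shipped to a browser; and `FORCE ROW LEVEL SECURITY` is what makes the policies apply to the table owner too, which is the case that a plain `ENABLE` alone would miss.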
4. Application and platform security
- Secure headers: the site and application enforce Content Security Policy, Strict-Transport-Security with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a tight Permissions-Policy. We validate against Mozilla Observatory and securityheaders.com.
- Dependency scanning: Dependabot is enabled with weekly scans. `npm audit` runs on every build.
- Secret scanning: GitHub Push Protection is enabled to prevent secrets being committed to the repository.
- Branch protection: the `main` branch requires passing status checks and review before merge.
- Penetration testing: annual external penetration test planned for Q3 2026, ahead of the Cyber Essentials Plus assessment.
5. Sub-processors
A current list of our sub-processors, including the category of data processed, their location, and the legal transfer mechanism in place, is published at /sub-processors. We commit to 30 days' advance notice before adding or replacing any sub-processor.
6. Incident response
We maintain a documented Incident Response Plan with defined severities, an Incident Commander role, and communication templates for customers, staff, and regulators. In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, in accordance with UK GDPR Article 33. Where the breach poses a high risk, affected data subjects will be notified without undue delay in accordance with Article 34.
Security issues can be reported in confidence under our Vulnerability Disclosure Policy or directly to security@standardtonnage.com.
7. Business continuity
Our infrastructure runs on Vercel's globally distributed edge network and Supabase's managed database platform. This provides automatic failover at the infrastructure layer. We maintain a Business Continuity Plan and Disaster Recovery Plan covering database restore, application redeployment, and credential rotation. Key-person risk for our founder-led stage is mitigated through a documented operational runbook and access delegation arrangements.
8. Artificial intelligence
The Service uses Anthropic's Claude API to extract structured shipping data from booking confirmation emails that customers choose to forward to us, and to produce human-readable alert text. Anthropic is contracted under its enterprise Data Processing Addendum. Customer data submitted via the API is not used to train Anthropic's models. AI outputs are informational: they inform customer alerts, but customers decide whether and how to act. No decisions with legal or similarly significant effects on natural persons are made solely by automated means (UK GDPR Article 22). A completed Data Protection Impact Assessment for this processing is held internally.
9. Compliance roadmap
We publish our compliance roadmap transparently. Dates represent our target assessment windows and may shift based on customer demand.
| Framework | Status | Target |
|---|---|---|
| UK GDPR / Data Protection Act 2018 | Compliant | Current |
| ICO registration | In progress | Q2 2026 |
| Cyber Essentials | In preparation | Q2 2026 |
| Cyber Essentials Plus | In preparation | Q3 2026 |
| External penetration test | Scheduled | Q3 2026 |
| ISO/IEC 27001:2022 alignment | Policies in place | Certification: 2027 |
| SOC 2 Type II | Evaluation | On customer request |
10. Modern Slavery Statement
Standard Tonnage Limited does not currently meet the £36 million turnover threshold that would oblige us to publish a Modern Slavery Statement under section 54 of the Modern Slavery Act 2015. Nevertheless, we are committed to ensuring there is no modern slavery or human trafficking in our own operations or in our supply chain. We select sub-processors that are themselves subject to the Act or equivalent obligations. We will publish a formal statement at the point the threshold is met.
11. Security questionnaires and contact
We are happy to complete customer security questionnaires and provide additional evidence under NDA. For questionnaires, due-diligence requests, or any security matter, please contact security@standardtonnage.com.
Standard Tonnage Limited, registered in England and Wales.
Questions about this document: info@standardtonnage.co.uk · Security: security@standardtonnage.com