GuardFlow platform logoGuardFlow Home

Security Policy

Last updated: 14 May 2026

GuardFlow is operated by FORGEAI STUDIO LTD (trading as NovaStack). Security is fundamental to a platform handling security-workforce data — SIA licences, right-to-work and DBS records, clock-in locations, patrol evidence and payroll. This page summarises the technical and organisational measures we maintain.

Encryption

  • All traffic is encrypted in transit using TLS 1.2+.
  • Data is encrypted at rest by our infrastructure provider.
  • Uploaded documents and photos are stored in private buckets and served via short-lived signed URLs.

Tenant isolation & access control

  • Every customer's data is isolated using database row-level security (RLS), enforced at the data layer — not just in the application UI.
  • Access within a customer account is role-based (owner, manager, finance, HR, officer), following least-privilege principles.
  • Privileged platform operations are restricted and verified server-side.

Authentication

  • Authentication is handled by a managed identity provider with secure password storage and session management.
  • Password reset and sign-in links are single-use and time-limited.
  • Sensitive secrets and service credentials are held server-side only and never exposed to the browser.

Audit logging

Sensitive actions (administrative changes, billing, data exports, erasure, impersonation) are recorded in a tamper-resistant audit log attributable to the acting user.

Hosting & resilience

Production data is hosted within the UK/EEA by our infrastructure provider, which maintains automated backups and platform-level redundancy. Where a sub-processor is located outside this region, transfers are governed by the UK Addendum / Standard Contractual Clauses. Our sub-processors are listed in our UK GDPR Statement.

Payments

Card payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. GuardFlow does not store full card numbers.

Vulnerability disclosure

If you believe you have found a security vulnerability, please report it responsibly to support@guardflowapp.com. We will acknowledge your report and work with you on remediation. Please do not publicly disclose an issue before we have had a reasonable opportunity to address it.

Incident response

In the event of a personal-data breach we notify affected controllers without undue delay, and within 72 hours where feasible, in line with our UK GDPR Statement and Data Processing Addendum.

Contact

support@guardflowapp.com