Inspect·Ready

Security

Last updated: 2026-07-02

Security matters to us because InspectReady holds care-home compliance evidence, which can include sensitive information about residents and staff. This page describes what we do, how to report a problem, and what we do — and do not — promise.

What we do

  • UK data residency. Your home's policies, audits, and evidence files are stored in the UK (Supabase, London, eu-west-2).
  • Encryption. All traffic is served over HTTPS (TLS 1.2+, HSTS). Data is encrypted at rest (AES-256) by our hosting infrastructure.
  • Per-home isolation. Row-level security scopes every record to a home within an organisation, so one home's evidence can never be read by another home or organisation. Evidence files live in a private store and are served only through short-lived, server-signed download links after an access check.
  • Upload validation. Every uploaded file is checked for size (25 MB limit) and for agreement between its declared type, filename extension, and content signature (magic bytes) before it is stored — a spoofed file type is rejected. Uploads are type-, size-, and magic-byte-validated; they are not malware-scanned.
  • Authentication. Email-and-password sign-in with a bot challenge (Cloudflare Turnstile) on signup, login, and password reset. Password resets use signed, single-use links.
  • Least privilege. Sensitive account and billing state can only be changed by our server, never from the browser. Administrative access is limited and logged.
  • Immutable audit log. Security- and compliance-relevant events are written to an append-only log that cannot be edited or deleted, so history can be relied on at inspection.
  • Monitoring. Errors are monitored (with personal data stripped) and uptime is checked continuously.
  • Backups. Automated daily backups with point-in-time recovery.

More detail on our technical and organisational measures is in Schedule 2 of our Data Processing Agreement.

Reporting a vulnerability

If you believe you have found a security vulnerability, please tell us before disclosing it publicly. Email security@inspectready.co.uk with:

  • a description of the issue and where you found it;
  • steps to reproduce, if you have them; and
  • any proof-of-concept, screenshots, or logs.

We aim to acknowledge reports within 3 working days. Please give us a reasonable time to investigate and fix an issue before any public disclosure, and do not access, modify, or delete data that is not yours while testing. We will not pursue good-faith researchers who follow this policy.

Our machine-readable contact details are published at /.well-known/security.txt (RFC 9116).

What we do not promise

  • We do not claim to be impenetrable. No online service can guarantee absolute security.
  • We do not run a paid bug-bounty programme at this time; we thank researchers who report responsibly.
  • We are not a substitute for your own information-governance obligations as the controller of resident and staff data.

Contact

Security: security@inspectready.co.uk. General support: support@inspectready.co.uk.