Procurement-ready · DPA in 24h · sub-processors disclosed

Security built in.
Audit on demand.

How SetTern.io protects your data and the data of the people you move. Sixteen audit-ready compliance docs ship with the product, the data inventory is short on purpose, and every architectural choice is explainable in a paragraph.

Last updated · 1 May 2026
Compliance pack · v1.4 · 16 docs
Status · all systems normal
UK GDPR aligned
Articles 5, 6, 13, 15, 17, 25, 28, 30, 32, 33, 35
ICO registered
Live · annual fee paid · ROPA on file
Cyber Essentials
Self-assessment · five control themes · 2026
DPA on file
24h · counter-signable · Article 28
Section 1

Encryption & transport

The boring controls everyone asks about. Modern defaults, documented configuration, no exotic crypto.

Data at rest
AES-256
  • Vercel KV (Upstash Redis) · AES-256 envelope encryption
  • Audit log JSON snapshots · same store, same encryption
  • Vendor-managed keys · rotated by provider, no plaintext on disk
  • Backups inherit the same envelope; backup retention is 30 days rolling
Data in transit
TLS 1.3 · HSTS
  • TLS 1.3 end-to-end · enforced at the edge
  • HSTS with max-age=31536000 · includeSubDomains · preload
  • Strict CSP with nonce-based script allowlist
  • No mixed content · all sub-resources HTTPS-only
Authentication
Google OAuth 2.0
  • Google OAuth 2.0 for sign-in · we never see your password
  • Read-only Gmail scope · only when you opt in · revocable in Google account
  • Session cookies are HttpOnly, Secure, SameSite=Lax · short-lived
  • SSO (SAML / OIDC) on the v1.2 roadmap for Annual-seat & Programme tiers
Access control
Least privilege
  • Engineering access via short-lived OIDC sessions · no shared secrets
  • Production read requires JIT approval · all access logged
  • Per-tenant data isolation · KV writes namespaced · cross-tenant reads blocked at API
  • 2FA mandatory on all admin tooling · Google Workspace + GitHub
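The per-tenant isolation described above (namespaced KV writes, cross-tenant reads blocked at the API), as an added example that is not SetTern.io's own code. A Map stands in for Vercel KV; the key layout `tenant:<id>:<name>`, the tenant-id format and the session shape are assumptions. What it demonstrates is the check itself: the tenant comes from the verified session, never from request input, and any full key a caller hands in is tested against that tenant before the store is touched.

```javascript
// Added example, not SetTern.io code: tenant-scoped access to a key/value store.
class TenantKV {
  constructor(store = new Map(), audit = []) {
    this.store = store; // stand-in for Vercel KV (Upstash Redis)
    this.audit = audit; // every access attempt is recorded, denied ones included
  }

  static assertTenant(tenantId) {
    // Assumed id format; the trailing ':' in the prefix keeps "acme" from matching "acme-2".
    if (!/^[a-z0-9-]{1,64}$/.test(tenantId)) throw new Error("invalid tenant id");
    return `tenant:${tenantId}:`;
  }

  static tenantKey(tenantId, name) {
    const prefix = TenantKV.assertTenant(tenantId);
    if (typeof name !== "string" || name === "" || name.includes(":")) {
      throw new Error("invalid key name");
    }
    return prefix + name;
  }

  // session.tenantId is taken from the authenticated session, not from the request.
  set(session, name, value) {
    const key = TenantKV.tenantKey(session.tenantId, name);
    this.audit.push({ op: "set", tenant: session.tenantId, key, allowed: true });
    this.store.set(key, value);
  }

  get(session, name) {
    const key = TenantKV.tenantKey(session.tenantId, name);
    this.audit.push({ op: "get", tenant: session.tenantId, key, allowed: true });
    return this.store.get(key);
  }

  // For callers that pass a full key (an export job, an admin tool): refuse anything
  // outside the session's namespace instead of trusting the key as given.
  getByKey(session, fullKey) {
    const prefix = TenantKV.assertTenant(session.tenantId);
    const allowed = typeof fullKey === "string" && fullKey.startsWith(prefix);
    this.audit.push({ op: "getByKey", tenant: session.tenantId, key: fullKey, allowed });
    if (!allowed) throw new Error("cross-tenant read blocked");
    return this.store.get(fullKey);
  }

  // Erasure: remove every key in this tenant's namespace and nothing else.
  purgeTenant(session) {
    const prefix = TenantKV.assertTenant(session.tenantId);
    let removed = 0;
    for (const key of [...this.store.keys()]) {
      if (key.startsWith(prefix)) {
        this.store.delete(key);
        removed++;
      }
    }
    this.audit.push({ op: "purge", tenant: session.tenantId, key: prefix + "*", allowed: true });
    return removed;
  }
}
```

The denied `getByKey` attempt still lands in the audit list: a blocked cross-tenant read is exactly the event a detection rule wants to see.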
Section 2

Sub-processor register

The five entities that handle your data on our instructions and what they actually do. Updated quarterly. We notify customers in writing 30 days before adding a new sub-processor.

Sub-processor · Purpose · Region · DPA

Google
  • Purpose · OAuth · Gmail (read-only)
  • Sign-in identity. Optional Gmail read-only scope when you opt in to mailbox scanning.
  • Region · EU + US (multi-region)
OpenAI
  • Purpose · Plan generation · drafts · translation
  • Inference for fast journeys, message drafting, translation. Contractually no model training on our data.
  • Region · US (with EU residency on enterprise)
Anthropic
  • Purpose · Per-step execution · deeper plans
  • Inference for the deeper agent journey and per-task message drafts when you upgrade. Contractually no model training.
  • Region · US (EU residency on enterprise)
Vercel
  • Purpose · Hosting · KV storage
  • Application hosting and short-term key/value storage (rate-limit counters, session state, audit snapshots).
  • Region · Multi-region (LHR · IAD · FRA)
Stripe
  • Purpose · Payments
  • Card-present and card-absent checkout. We never see card numbers; only the token and outcome.
  • Region · EU + US (per Stripe regional config)

EU-only deployment is on the v2.0 roadmap for Programme-licence customers who need data residency guarantees beyond the multi-region default. Contact security@settern.io for early-access scoping.

Section 3

Data subject rights

One-click export, one-click erasure. Requests handled inside the in-app My Account screen — or by emailing privacy@settern.io. We respond within 30 days (typically same business day).

UK GDPR · Art. 15
Right of access
Download a complete machine-readable copy from My Account → Export. JSON + PDF.
UK GDPR · Art. 16
Right to rectification
Correct addresses, dates, reasons in-app at any time. Re-runs the plan when material.
UK GDPR · Art. 17
Right to erasure
"Delete my data" in My Account. Account record + audit snapshots + consent log destroyed within 24h; copies held in backups expire with the 30-day rolling backup window.
UK GDPR · Art. 20
Right to portability
The Article 15 export is structured (JSON), commonly used (UTF-8) and machine-readable.
UK GDPR · Art. 21
Right to object
Stop processing at any time by deleting your account or revoking Gmail/Google access.
UK GDPR · Art. 13
Right to be informed
Documented in our Privacy Policy and ConsentGate pre-flow.
Section 4

Retention

Each record class is kept only as long as its purpose requires. The defaults below are designed to support you mid-move and for a reasonable audit window after; per-tenant overrides are available for B2B contracts.

Account record
Until deletion
  • Until you delete your account · then immediately purged
  • Email + Google sub + first/last seen counters · nothing more
  • Backups expire on 30-day rolling window
Move plan snapshots
13 months default
  • 13-month rolling retention · default for individuals
  • Per-tenant override up to 7 years on B2B contracts
  • Auto-purged at the end of the retention window; deletion is irrecoverable
Security event log
90 days · IP /24 only
  • Sign-ins · consent decisions · deletions only
  • No raw IP · only the truncated /24 prefix
  • 90-day rolling · then auto-purged
Payment records
7 years (HMRC)
  • VAT-compliant invoice retention · 7 years
  • Stripe tokens (no card data) · same window
  • Statutory; cannot be deleted on request
Section 5

Incident response

A written runbook, a single point of contact, and a 72-hour breach-notification commitment that matches our UK GDPR obligations.

Triggering events: unauthorised access to a customer record, sub-processor breach affecting our customer data, sustained service unavailability beyond our published SLA. The on-call engineer pages the incident commander within 15 minutes of confirmation.

Customer notification: if your data is affected, you receive a written notification within 72 hours of confirmation. That window mirrors the UK GDPR Art. 33 deadline for notifying the ICO (72 hours from becoming aware of the breach); where we act as your processor, Art. 33(2) requires us to notify you without undue delay, and communication to affected individuals is governed by Art. 34. The notification includes scope, root cause (where known), remediation, and a single point of contact for follow-up questions.

Status page: live at status.settern.io. Subscribe by email or RSS for incident updates. We publish post-mortems for any incident lasting more than 30 minutes.

Section 6

Vulnerability management

Dependencies, exposed surfaces, and how we respond when someone tells us something is wrong.

Dependency scanning: Dependabot + GitHub Advanced Security on every push. Critical vulnerabilities are patched within 24h, high within 7 days, medium within 30 days.

Coordinated disclosure: if you find a vulnerability, please email security@settern.io with steps to reproduce. We acknowledge within 48h, fix critical issues within 7 days, and credit you (with your permission) in our changelog. We don't run a public bug bounty today; we will scope one for v2.0.

Penetration testing: annual third-party pen test on the production environment. The latest report is available under NDA for Programme-licence customers from security@settern.io.