Security and trust
Last updated: 17 May 2026
We take security seriously because we hold information your business depends on: employees, customers, finances, plans. This page describes how Sageon protects that data, in plain English.
Where your data lives
- Primary database — Supabase (Postgres) in the EU (Frankfurt region).
- Application hosting — Vercel's global edge network, with EU regions preferred for server-side processing where the platform supports it.
- File storage — Supabase Storage in the EU.
- Backups — Encrypted, retained 30 days, stored in the same EU region as the primary database.
The Sage AI advisor sends specific prompts to Anthropic's Claude API; see our AI Usage Disclosure.
Encryption
- In transit — TLS 1.2+ on every connection. HSTS enforced.
- At rest — AES-256 on the database and file storage layer.
- Secrets — Stored in encrypted environment variables, never in code.
Access control
- Multi-tenancy — Every row in the database is tagged with an organisation ID and protected by Postgres row-level security policies, so isolation is enforced by the database itself rather than relying on application code getting every query right. One customer cannot read or write another customer's data, full stop.
- Authentication — Supabase Auth with bcrypt-hashed passwords, email verification, password reset by signed token. SSO available on Enterprise plans.
- Roles — Five system roles (Admin, PMO, Project Manager, Team Member, Viewer) plus custom roles. Every action is authorised against what the caller's role allows.
- Audit log — All admin actions (user invites, role changes, deletions) are logged and retained for 12 months.
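The row-level security described above, shown as an added illustration rather than Sageon's own schema. The table names (org_members, projects) and columns are assumptions; auth.uid() is Supabase's built-in helper that returns the calling user's id from their JWT. Policies cover all four operations, and the "with check" clauses are what stop a user from writing a row into, or moving a row into, an organisation they don't belong to.

```sql
-- Added example (not Sageon's actual schema): tenant isolation with Postgres RLS.
-- Assumed tables: org_members(user_id, org_id) and projects(id, org_id, name).
-- auth.uid() is Supabase's helper returning the calling user's id from the JWT.

create table org_members (
  user_id uuid not null,
  org_id  uuid not null,
  primary key (user_id, org_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null
);

-- Enable RLS and force it even for the table owner; without "force", the owning
-- role bypasses every policy below.
alter table projects enable row level security;
alter table projects force row level security;

-- Read: only rows whose organisation the caller is a member of.
create policy projects_select on projects
  for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Insert: the new row must carry one of the caller's organisation ids,
-- otherwise the insert is rejected ("with check" runs on the row being written).
create policy projects_insert on projects
  for insert
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Update: same rule on both the existing row and the new values, so a user
-- cannot re-tag a row into another organisation.
create policy projects_update on projects
  for update
  using (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Delete: only rows the caller's organisation owns.
create policy projects_delete on projects
  for delete
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

-- With these in place, a member of organisation A running
--   select * from projects;
-- sees only A's rows; B's rows are simply invisible to them, and an insert
-- with B's org_id fails the policy check.
```

Two caveats a practitioner would check: the org_members table needs its own policies (at minimum, users may read only their own memberships), and any connection made with Supabase's service-role key bypasses RLS entirely, so server-side code using that key must enforce the organisation check itself.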
Sageon staff access
Sageon is currently operated by a single director (Blake Harding) with a small group of named engineers. Production database access is restricted to those individuals, logged, and used only when needed to operate the service or respond to a support request.
We never read your project, HR, finance or RAID data unless you've asked us to for a support reason and granted access in writing.
Payments
All payments go through Stripe. Sageon never sees, stores or processes raw card details. Stripe is PCI-DSS Level 1 certified.
Backups and disaster recovery
- Daily encrypted database snapshots, 30-day retention.
- Point-in-time recovery available within the retention window.
- Stateless application layer — deploys are atomic and reversible.
Vulnerability management
- Automated dependency scanning via GitHub Dependabot.
- Critical CVEs patched within 7 days; high within 30.
- Pre-commit type checks and tests run on every change; a change that fails them is blocked from reaching production.
Reporting a security issue
Email hello@sageon.co.uk with subject “Security report”. We aim to acknowledge within one business day and to keep you informed as we investigate. Responsible disclosure is appreciated and we will publicly credit researchers (with permission).
Please don't test on real customer data, don't run automated scans against production, and don't exfiltrate or modify data that isn't yours.
Certifications
Sageon is not currently SOC 2 or ISO 27001 certified. We follow the controls those frameworks describe and intend to pursue formal certification as the business grows. We're happy to complete reasonable security questionnaires for Enterprise customers — email us.
Data subject rights
For how individuals can exercise their UK GDPR rights (access, deletion, etc.) see our Privacy Policy.
Sageon Ltd
Company no. 17218060 · Registered in England and Wales
Registered office: 66 Paul Street, London EC2A 4NA
Contact: hello@sageon.co.uk