Platform security

Data security

• Encryption in transit — all data transmitted over HTTPS/TLS 1.3
• Encryption at rest — all database data encrypted at rest via Supabase (AES-256)
• EU data residency — all data stored within the European Union
• Row-level security — database access controls ensure users can only access their own data
• Regular backups — automated daily backups with point-in-time recovery

Payment security

• All payments processed by Stripe — PCI DSS Level 1 certified
• BundleIQ does not store, transmit, or process payment card details
• 3D Secure authentication required for all transactions
• Fraud detection and chargeback protection via Stripe Radar

Vendor verification security

• IQ Trust checks connect to official UK government APIs — Companies House, OFSI, Insolvency Service, Gas Safe Register, FSA, TrustMark
• Verification is re-run continuously — not just at onboarding
• Document uploads scanned for malware before storage
• Vendor credentials accessible only to BundleIQ operations team, not shared with buyers beyond the IQ Trust score

Access controls

• Password hashing using bcrypt
• Session tokens with automatic expiry
• Operations tools password-protected and access-logged
• No admin access without multi-factor authentication

Responsible disclosure

If you discover a security vulnerability in the BundleIQ platform, please report it responsibly to security@bundleiq.co.uk. We will acknowledge within 48 hours and work to resolve any confirmed vulnerability promptly.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.

Compliance

• UK GDPR and Data Protection Act 2018 compliant
• ICO registered data controller
• HTTPS-only with HSTS headers enforced
• Content Security Policy headers on all pages
• Regular security reviews of third-party dependencies

Contact

Security enquiries: security@bundleiq.co.uk
General: hello@bundleiq.co.uk