Skip to main content
FairLedger
Security & Compliance

An operating posture calibrated to what FCA-regulated firms need from a third-party provider.

FairLedger's customers are regulated. FairLedger's own controls are built to the standard those customers will be asked about in their next third-party assurance cycle.

Certification posture

Where we are and what we are working toward.

Certification
Status
Timeline
Cyber Essentials Plus
On the path — controls in build
Month 6 target
ISO/IEC 27001
Aligned Day 1 — on the certification path
Year 1 Q4 target
SOC 2 Type II
On the roadmap
Year 2 target
UK GDPR / ICO
Controller & Processor registration in progress
Prior to first customer go-live

A downloadable security overview is available on request during the discovery call.

UK data residency

Production data stays in the UK.

All customer data resides in UK cloud regions. No cross-region replication outside the UK for production data. Backup and disaster-recovery topology is UK-only by design.

UK GDPR

Registration in progress; controls operationally embedded.

ICO registration as Data Controller and Data Processor is being completed prior to first customer go-live. Data Protection Impact Assessment maintained. Data Subject Access Request workflow implemented. Sub-processor register maintained and disclosed on request.

Financial services alignment

Built with the recognition that our customers are FCA-regulated.

Third-party assurance, outsourcing and operational-resilience obligations sit on our customers. Our own operating discipline is calibrated to what those obligations require of the providers they work with.

Technology stack

A modern, auditable, UK-hosted platform.

TypeScript/Node back end, PostgreSQL analytics store, configurable rules-and-metrics engine, secure file and API ingestion, automated report generation. Hosted on AWS UK regions with per-tenant data isolation and infrastructure-as-code deployment — the same disciplines applied to secure public-sector systems the founder has delivered in production.

Professional indemnity

Cover in force appropriate to a regulated-firm supplier.

Professional indemnity and cyber liability cover is in force at limits appropriate to a supplier serving FCA-authorised firms. Certificates are provided during procurement due diligence.

Data handling principles

Minimum data. Aggregated where viable. Logged always.

Minimum-necessary ingestion

Only the data the fair-value and products-and-services calculations require.

Aggregation at earliest point

Data is aggregated and anonymised at the earliest point in the pipeline where analytically viable.

Immutable audit logging

Every data touch is logged. Logs are append-only and tenant-scoped.

Encryption at rest and in transit

AES-256 at rest, TLS 1.3 in transit, tenant-scoped keys for multi-tenant isolation.

Discovery call

Need to run a security questionnaire?

Route it through the discovery call — the founder will handle it directly and confirm timelines for supporting artefacts.