Security & Data Protection
Construction compliance records are sensitive. Here’s how we protect them.
UK Data Residency
All project data is stored in UK-based infrastructure. Database hosted on Neon (London region). PDF generation runs in London.
Encryption
Data encrypted in transit (TLS 1.2+) and at rest (AES-256). No unencrypted data leaves our infrastructure.
ICO Registered
Registered with the Information Commissioner’s Office. Registration ZC118367
GDPR Compliant
Full compliance with UK GDPR and Data Protection Act 2018. Data Processing Agreements with all sub-processors.
Authentication & access control
User authentication is managed by Clerk, an enterprise-grade identity platform. Sessions are secured with short-lived tokens. Each user can only access their own organisation’s data — there is no cross-tenant data access.
Infrastructure
- Application hosting — Vercel (serverless compute, automatic scaling, DDoS protection)
- Database — Neon PostgreSQL with connection pooling, automated backups, and point-in-time recovery
- File storage — Vercel Blob for generated PDFs and uploaded documents
- PDF generation — Gotenberg, self-hosted in the London region with no external network access
- Payments — Stripe (PCI DSS Level 1 certified). We never see or store card numbers.
Sub-processors
We share data only with the processors necessary to operate the service. All are bound by Data Processing Agreements.
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel | Hosting & compute | UK/EU regions | EU SCCs, DPA |
| Neon | Database | London | EU SCCs, DPA |
| Clerk | Authentication | EU/US | EU SCCs, DPA |
| Stripe | Payments | EU/US | PCI DSS L1, EU SCCs |
| Vercel Blob | File storage | UK/EU | EU SCCs, DPA |
| Resend | Email delivery | US | EU SCCs, DPA |
| Gotenberg | PDF generation | London (self-hosted) | No external access |
| Google Analytics | Website analytics | EU/US | Consent Mode v2 |
| PostHog | Product analytics | Frankfurt | EU hosting |
Data retention
CDM documents, worker sign-off records, incident logs, and permits are retained for 6 years after project completion, in line with UK construction and employment law. AI processing logs are deleted after 90 days. You can delete your entire account and all associated data at any time from your account settings.
For full retention schedules, see our Privacy Policy.
Breach notification
In the event of a data breach that poses a risk to individuals, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.
Data export — your data, your control
Everything you put into The Site Book is yours. We’ve built four ways to get it out, and you keep access to your records even after cancelling a paid plan.
Full account export (JSON)
One-click GDPR Article 15 / Article 20 export. Downloads a JSON file containing your profile, every project, workers, documents, document versions, worker signatures (with timestamps), images, and integration state. Available from your account settings. Hits GET /api/users/export-data.
Per-document PDF download
Every RAMS, CPP, COSHH assessment, site induction, toolbox talk, permit, and incident record can be downloaded as a branded PDF at any time — no export queue, no waiting.
Google Drive sync
Connect Google Drive from Settings → Integrations and push any project’s full document pack into a “The Site Book / [Project Name]” folder in one click. Fresh PDFs every time, organised by project.
Read-only access after cancellation
If you cancel your subscription, your account stays read-only. You can log in, view projects, and download PDFs for the full 6-year retention window required by UK construction and employment law.
Need a SAR or a copy of the raw database rows for a legal matter? Email [email protected] and we’ll respond within the UK GDPR one-month window.
Account control
- Delete — delete your account and all data instantly from Settings. Hard-deletes projects, documents, signatures, and worker records. Retained only where UK law requires (e.g. signed audit records for 6 years).
- Access requests — contact [email protected] for a formal copy of your data
Regulatory
| Detail | Value |
|---|---|
| Company | REDCLAN VENTURES LTD |
| Company number | 17142372 |
| ICO registration | ZC118367 |
| Jurisdiction | England and Wales |
| Data protection contact | [email protected] |
Questions?
If you have questions about our security practices, or need information for a procurement review, contact [email protected].