Security
The shape of responsible hosting.
Endorser holds personal data on UK directors, PSCs, and LLP members. We've designed the platform to survive both an ICAEW audit and an AML supervisor's inspection — and to ship evidence either party can verify independently.
- Hosting: AWS eu-west-2 (London) only. No data leaves the UK.
- Tenancy: Single Postgres database, FirmId on every row, EF query filters enforced.
- Encryption in transit: TLS 1.3 only on every public endpoint, HSTS preloaded.
- Encryption at rest: AWS KMS-managed keys. Column-level encryption for personal data.
- Audit log: Hash-chained per firm with FOR UPDATE serialisation. Tamper-evident by design.
- Authentication: ASP.NET Identity, mandatory 2FA on every account, session cookies bound to IP class.
- Backups: Continuous backup with 14-day point-in-time restore. Restores tested quarterly.
- Sub-processors: IDV provider (UK), Stripe (UK), AWS UK. Listed in the DPA.
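How a per-firm hash-chained audit log can be checked independently, and why appends need serialising: this is an added illustration, not Endorser's code or export format. SHA-256, the canonical JSON encoding, the all-zero genesis value and every field name are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for a firm's first entry


def entry_hash(prev_hash, firm_id, seq, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    body = json.dumps({"firm_id": firm_id, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, firm_id, payload):
    """Append to one firm's chain. In a database, this read-then-write of the
    chain head is the step that must be serialised (for example with a row lock)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain) + 1
    chain.append({"firm_id": firm_id, "seq": seq, "payload": payload,
                  "prev_hash": prev, "hash": entry_hash(prev, firm_id, seq, payload)})


def verify(chain, firm_id):
    """Return [] if the chain is intact, else a list of (seq, reason) findings."""
    findings = []
    expected_prev = GENESIS
    for position, e in enumerate(chain, start=1):
        if e["firm_id"] != firm_id:
            findings.append((e["seq"], "entry belongs to another firm"))
        if e["seq"] != position:
            findings.append((e["seq"], "sequence gap or reordering"))
        if e["prev_hash"] != expected_prev:
            findings.append((e["seq"], "prev_hash does not match preceding entry"))
        if entry_hash(e["prev_hash"], e["firm_id"], e["seq"], e["payload"]) != e["hash"]:
            findings.append((e["seq"], "content does not match stored hash"))
        expected_prev = e["hash"]
    return findings


def build_sample(firm_id="firm-A"):
    """Constructed sample events, not real Endorser data."""
    chain = []
    for event in ("director.created", "idv.passed", "filing.submitted"):
        append(chain, firm_id, {"event": event})
    return chain
```

Removing entries from the end of a chain is not detectable from the chain alone; catching that requires the latest head hash to be recorded somewhere the log writer cannot modify.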
Reporting a vulnerability
If you believe you've found a security issue in Endorser, please email security@endorser.co.uk. We aim to acknowledge within one working day. We do not currently operate a paid bounty programme, but we credit researchers in our public security log.