Skip to main content
DefenceFile
SecurityRequest pilot review

Trust Center

Trust Center for ECCTA evidence workflows.

Concrete information about how DefenceFile is intended to handle sensitive readiness evidence, subprocessors, retention, readiness checks, and legal boundaries. This is product transparency, not a certification claim.

Last reviewed: 2026-06-15

Claims kept inside the evidence.

No SOC 2, ISO 27001, Cyber Essentials, or legal-compliance certification is claimed on this site. These are not yet held; the current certification roadmap and target dates are shared with procurement and security reviewers on request. Customer deployments should complete a signed order form, DPA, support terms, and named subprocessor schedule before production use.

Review hub

Trust answers link to the procurement pack, questionnaire, and source tracker.

These pages are intentionally connected so reviewers can move from product posture to standard security answers and dated public source boundaries without relying on sales copy alone.

Procurement vendor pack

Vendor identity, architecture, security, retention, subprocessors, DPA pointers, support, and pending evidence slots.

Open procurement pack

Security questionnaire

Implementation-backed answers for authentication, evidence protection, RLS, token handling, backups, retention, incident posture, and security.txt.

Open questionnaire

Guidance tracker

Dated ECCTA source register and safe wording notes for public guidance, scope, enforcement, privacy, and prosecution-source boundaries.

Open tracker

Pending proof slots

Missing external evidence stays visible.

Local tests and runbooks are not substitutes for signed customer, deployment, field, or reference evidence. Each slot below names what supplies the proof before a stronger claim can be made.

Pending external proof

Signed DPA schedule

SIGNED_DPA_EVIDENCE_URL and SIGNED_ORDER_FORM_EVIDENCE_URL naming customer terms, subprocessors, regions, retention, deletion, support, and transfer boundaries.

Owner: Commercial/legal owner

Fills via: HT-4

Pending external proof

Customer reference proof

Approved named customer reference evidence or customer UAT bundle before any public customer-proof statement is used.

Owner: Customer/commercial owner

Fills via: HT-5 and HT-8

Pending external proof

Field Core Web Vitals

FIELD_CWV_EVIDENCE_URL, PAGESPEED_INSIGHTS_REPORT_URL, or CRUX_DASHBOARD_URL for the deployed public origin.

Owner: Deployment owner

Fills via: HT-7

Pending external proof

Production health response

APP_BASE_URL or PRODUCTION_BASE_URL plus a dated captured /api/health response for the deployed pilot environment.

Owner: Deployment owner

Fills via: HT-1

Subprocessor register

Named services are tied to configured product behaviour.

The exact provider, region, transfer mechanism, and support contact should appear in the signed customer DPA or order form. Local demo mode can run without these providers.

S3-compatible object storage

Private tenant-scoped source evidence and board-pack artefact storage when evidence or export storage is enabled.

Deployment examples use AWS_REGION=eu-west-2 for S3 signing; the signed customer DPA or order form must name the actual object-storage provider, region, and endpoint.

Required for configured Postgres pilot readiness when evidence uploads are enabled; local demo mode does not use this subprocessor.

PostgreSQL database provider

Tenant records, source metadata, review decisions, attestation state, audit events, token hashes, job queues, and request records.

Provider and hosting region are deployment-specific and should be named in the customer order form or DPA.

Required whenever `DATABASE_URL` is configured.

Resend-compatible transactional email

Operational emails such as pilot-request handoff, public-token workflows, alerts, reminders, and worker-delivered messages.

Default delivery posts to Resend's HTTPS email API; deployments using `RESEND_EMAIL_ENDPOINT` must name that compatible provider in the signed DPA or order form.

Optional in local/demo mode; required for configured email delivery.

Evidence processing and integrity

How evidence is classified, hashed, and sealed.

Two questions decide whether sensitive evidence can be shared: where it is processed, and whether what comes out can be relied on. Both are answered by product behaviour, not marketing.

No third-party AI service

Draft classifications are produced in-tenant by deterministic keyword signal matching. Your evidence is not sent to any third-party AI or large-language-model API. Keyword matching surfaces candidates for review — it is not a completeness guarantee — and every draft stays draft until a named reviewer records a decision.

Source-to-export hash chain

Each source is SHA-256 hashed at upload over the original uploaded bytes (not the redacted/extracted text); the hash is carried into the board-pack source register; and the export hash is computed over the generation timestamp, the board-pack content, and the manifest that contains that register. “Manifest consistent” on the shared adviser view means the artifact re-hashes to the recorded value — the pack has not changed since it was generated.

UK data region (default)

The reference deployment runs in the UK region (AWS London, eu-west-2) with a UK transactional-email sender. The actual hosting region, provider, and any transfer mechanism are fixed in the signed customer DPA or order form before production use.

A SHA-256 confirms a file is unchanged since it was hashed; it does not assert that the uploaded file is authentic. The hash is recorded by the workspace and the generation timestamp is the workspace server clock — integrity evidence against later change, not a countersignature or an independent timestamping authority (an external anchor can be added where an engagement requires one). It proves a pack’s integrity and provenance, not legal adequacy.

Retention schedule

Defaults are visible; signed terms still control production.

Pilot source evidence objects

Agreed pilot term plus 30 days unless earlier deletion, legal hold, or signed terms say otherwise.

Raw source files should live in private object storage; the database stores metadata, hashes, processing state, and redacted text.

Email delivery metadata

90 days by pilot default unless a legal hold or signed support process requires longer.

Message content is limited to operational workflow context; delivery provider retention should be checked in the signed DPA.

Public-token attempt records

30 days by default via `ATTEMPT_CLEANUP_RETENTION_DAYS`, with rate-limit windows configured separately.

Used to protect zero-login attestation and adviser-share links from repeated invalid-token attempts.

Audit events and export metadata

Pilot default follows workspace retention through the pilot term and any agreed legal hold; final deletion or return is customer-specific.

These records support review provenance and board-pack lineage; deletion or return timelines belong in the DPA/order form.

Backups

35 daily backups and 6 monthly backups by pilot runbook default unless contract terms require otherwise.

Backup retention, restore testing, legal hold, and deletion timelines should be reconciled with the customer DPA or order form.

Readiness gates

A configured pilot must pass operational checks before it is called ready.

The health check and smoke commands are part of launch discipline for the product. They do not replace customer legal, procurement, or security review.

HTTPS public origin and same-origin mutation protection

Signing secrets for sessions, attestations, and board-pack share links

Private evidence storage driver, bucket, region, and credentials

Transactional email sender, provider API key, and pilot-request recipient

Worker tenant selectors for alerts, attestations, board packs, documents, and email

Backup and restore target configuration for pilot recovery

External access

Public participant links are bounded before they become trust claims.

DefenceFile uses token-scoped workflows for associated-person attestations and external adviser board-pack review. Local proof covers limiter behavior, safe unavailable states, revocation, and audit visibility; production deployments still need proxy and delivery evidence.

Zero-login links

Attestation and adviser-share links are scoped, expiring, rate-limited, and never stored as raw bearer tokens.

Participant privacy

Token-scoped public pages use noindex and no-referrer guardrails, and unavailable states avoid exposing raw tokens or internal workspace metadata.

Adviser share audit

Adviser page views, markdown downloads, and revocations append tenant audit rows with recipient and board-pack SHA context.

Audit export safety

Tenant audit CSV exports are filtered, labelled, formula-safe, and exclude raw share bearer tokens.

Legal boundary

DefenceFile organises evidence for review. It is not legal advice, a legal opinion, privilege advice, compliance certification, or a guarantee that a statutory defence will succeed.

Terms summary

Data-processing boundary

Customer-specific controller/processor roles, transfer safeguards, subprocessors, retention, deletion, and support terms should be captured in the DPA and order form.

DPA summary

Current public sources

Source baseline 2026-06-15: Home Office failure-to-prevent-fraud guidance v1.5, Joint CPS-SFO Corporate Prosecutions guidance, SFO compliance-programme evaluation guidance, SFO Director anti-corruption conference speech, and ICO UK GDPR/DUAA guidance. The baseline supports cautious wording, not legal advice or certification.

ECCTA guide
Request pilot reviewPrivacy summary