Skip to content

Security & trust

Security designed for documents that contain real money.

Beaqua processes contracts, invoices, KYC packs, and claims — documents with real financial and PII consequences if mishandled. Here’s how we earn the trust to handle them.

Encryption

TLS 1.3 in transit, AES-256 at rest. Per-tenant keys for Enterprise customers — your documents are encrypted with a key Beaqua staff cannot read.

Data residency

EU (Frankfurt) by default. UK-only residency available on Enterprise. Documents do not leave the region you select; AI inference runs on a regional endpoint.

SOC 2 Type II

In progress, target Q4 2026. Annual independent penetration testing available under NDA on request.

GDPR & UK DPA

Beaqua acts as data processor. Our DPA is signed by every customer at contract. Right-to-erasure handled in under 30 days; documents purged from training data automatically.

Access controls

SSO (SAML / OIDC) and SCIM on Growth and Enterprise. Granular RBAC on the dashboard. Every administrative action is logged and exportable.

Vulnerability disclosure

Email security@m31g.com. Acknowledged within one UK business day; critical issues patched within seven.

Subprocessors

We use a limited set of subprocessors. All process data within the regions stated below.

Subprocessor Purpose Region
AWS Application hosting, document storage EU (Frankfurt) / UK (London) on Enterprise
Cloudflare CDN, DDoS protection Global edge / EU origin
Anthropic AI extraction inference EU (Frankfurt)
Resend Transactional email (notifications, alerts) EU (Dublin)
Sentry Error monitoring (no document content) EU (Frankfurt)
Stripe Billing US (cardholder data subject to PCI scope)

Compliance & certifications

ISO 27001 controls implemented (certification in progress)

SOC 2 Type II audit in progress (target Q4 2026)

Cyber Essentials Plus certified

UK Data Protection Act 2018 compliant

EU GDPR compliant

Documents excluded from model training by default

Customer-controlled retention policies

Per-tenant encryption keys (Enterprise)

Incident response

We commit to notifying affected customers within 72 hours of confirming a security incident that impacts their data, in line with UK GDPR. Our incident playbook is reviewed quarterly.

Suspect a vulnerability? Email security@m31g.com — we acknowledge within one UK business day.

Security documentation

Need our security questionnaire or DPA on file?

Send us a request and we'll turn it around within 48 hours.