Security & trust
Security designed for documents that contain real money.
Beaqua processes contracts, invoices, KYC packs, and claims — documents with real financial and PII consequences if mishandled. Here’s how we earn the trust to handle them.
Encryption
TLS 1.3 in transit, AES-256 at rest. Per-tenant keys for Enterprise customers — your documents are encrypted with a key Beaqua staff cannot read.
Data residency
EU (Frankfurt) by default. UK-only residency available on Enterprise. Documents do not leave the region you select; AI inference runs on a regional endpoint.
SOC 2 Type II
In progress, target Q4 2026. Annual independent penetration testing available under NDA on request.
GDPR & UK DPA
Beaqua acts as data processor. Our DPA is signed by every customer at contract. Right-to-erasure handled in under 30 days; documents purged from training data automatically.
Access controls
SSO (SAML / OIDC) and SCIM on Growth and Enterprise. Granular RBAC on the dashboard. Every administrative action is logged and exportable.
Vulnerability disclosure
Email security@m31g.com. Acknowledged within one UK business day; critical issues patched within seven.
Subprocessors
We use a limited set of subprocessors. All process data within the regions stated below.
| Subprocessor | Purpose | Region |
|---|---|---|
| AWS | Application hosting, document storage | EU (Frankfurt) / UK (London) on Enterprise |
| Cloudflare | CDN, DDoS protection | Global edge / EU origin |
| Anthropic | AI extraction inference | EU (Frankfurt) |
| Resend | Transactional email (notifications, alerts) | EU (Dublin) |
| Sentry | Error monitoring (no document content) | EU (Frankfurt) |
| Stripe | Billing | US (cardholder data subject to PCI scope) |
Compliance & certifications
ISO 27001 controls implemented (certification in progress)
SOC 2 Type II audit in progress (target Q4 2026)
Cyber Essentials Plus certified
UK Data Protection Act 2018 compliant
EU GDPR compliant
Documents excluded from model training by default
Customer-controlled retention policies
Per-tenant encryption keys (Enterprise)
Incident response
We commit to notifying affected customers within 72 hours of confirming a security incident that impacts their data, in line with UK GDPR. Our incident playbook is reviewed quarterly.
Suspect a vulnerability? Email security@m31g.com — we acknowledge within one UK business day.
Security documentation
Need our security questionnaire or DPA on file?
Send us a request and we'll turn it around within 48 hours.