Sentinel42Last reviewed: 4 July 2026

Security & Trust

This page is maintained by Sentinel42 Ltd to answer common security and privacy questions about the ISMS27001 platform. It describes the controls we operate today. It is not an independent certification.

Who we are

Sentinel42 Ltd is a UK cyber and AI advisory company. We build and operate the ISMS27001 platform.

  • Company number 17286468, registered in England & Wales.
  • ICO registration number C1974552.
  • Registered office: 66 Paul Street, London EC2A 4NA.
  • General contact: info@sentinel42.com. Security and incident reports: security@sentinel42.com.

Access & authentication

  • Email + password authentication, with Google OAuth as an alternative sign-in.
  • Role-based access control. Roles in the product: Admin, Head of Information Security, Head of Department, Auditor, User, Viewer. Permissions are enforced in the database, not just in the UI.
  • Multi-factor authentication gate available on accounts that require it.
  • Idle-session timeout and session-change detection to reduce the risk of unattended or hijacked sessions.
  • No anonymous sign-ups. Account creation is controlled by the customer’s Admin.

Data protection in the app

  • Row-Level Security is enabled on every customer-data table. Users only see rows their role and organisation permit.
  • Role checks are evaluated through a SECURITY DEFINER function so that policy logic cannot be bypassed by a client query.
  • Every security-relevant action is written to an append-only, hash-chained audit log. Administrators and the Head of Information Security can run an integrity check that recomputes the chain to detect tampering.
  • Audit entries are retained for two years.
  • Customer data is logically isolated per organisation. Cross-organisation access is restricted to platform super-admins for support purposes and is itself audited.

Hosting & platform

  • The platform runs on managed cloud infrastructure (managed Postgres, serverless edge runtime) hosted in the EU/UK region.
  • All traffic is served over TLS. Data is encrypted at rest at the platform layer.
  • Application framework: TanStack Start on Cloudflare Workers. Database: Postgres with row-level security.
  • Backups and point-in-time recovery are provided by the managed database platform.

Data processing (DPA)

Where we process personal data on a customer’s behalf, our standard Data Processing Agreement applies as an addendum to the Master Services Agreement. Key terms:

  • Article 28 UK GDPR, controller-to-processor.
  • Governed by the law of England & Wales.
  • Processing only on the customer’s documented instructions.
  • Sub-processor changes notified in advance, with a reasonable opportunity to object on data-protection grounds (clause 6.1).
  • Assistance with data-subject requests, DPIAs, and breach notification (clauses 7–9).
  • Return or secure deletion of personal data on termination, subject to any legal retention obligation (clause 12).
  • Audit right: once per twelve-month period on reasonable notice, or more often following a personal-data breach or at a regulator’s request (clause 11.2).

Sub-processors

The following sub-processors support the platform today. Changes are notified per DPA clause 6.1.

Sub-processorPurposeRegion
Lovable Cloud (managed Supabase)Application hosting, Postgres database, authentication, file storageEU
Lovable AI GatewayIn-product AI assistance (chat, drafting)EU
CloudflareEdge runtime, TLS termination, CDNGlobal (EU edge)
Transactional email providerAuth and notification emailsEU — activated once sentinel42.com sender domain is verified

List current as of 4 July 2026.

Incident response

  • We operate a documented incident-response process covering detection, triage, containment, notification and post-incident review.
  • Personal-data breaches affecting a customer are notified to that customer without undue delay, with the information required under DPA clause 8 and Article 33 UK GDPR.
  • Customers can log incidents directly in the platform’s Incident Register.

Vulnerability reporting

If you believe you have found a security issue affecting the ISMS27001 platform, please email security@sentinel42.com with details and, if possible, steps to reproduce. Please do not publicly disclose the issue before we have had a chance to respond.

We will acknowledge reports within two UK business days and keep you updated through remediation.

Compliance posture

Sentinel42 Ltd is not currently ISO 27001, SOC 2 or Cyber Essentials certified as a service provider. The platform is designed and operated to ISO/IEC 27001 control patterns, and our founder holds ISO 27001 LA/LI, ISO 42001 LA/LI, CISM, CCSK and Cyber Essentials Assessor qualifications, with SC clearance.

Independent certification of Sentinel42 Ltd is on our roadmap. We will update this page when certification status changes.