Fenchurch Compliance
How it works Pricing Legal Log in Get started

TRUST · SECURITY

Security Overview

How your firm's compliance data is protected — tenant isolation, encryption, UK/EU residency, and our shared-responsibility model.

Last updated: 9 July 2026 ← All legal documents

On this page

Overview Data residency Tenant isolation Authentication Encryption Data model & recoverability AI safety Certified infrastructure & shared responsibility Sub-processors Governance documents Reporting a concern Contact

Overview

Fenchurch Compliance is a self-serve compliance platform for FCA-regulated firms, operated by RegTechPRO Limited. This page summarises, in plain English, how we protect the compliance data you entrust to us — from where it is stored, to how we keep one firm's records separate from another's, to how you can recover from a mistake.

We have written this for the person a prospective customer typically sends it to: an IT or information-security reviewer carrying out due diligence. We have kept it honest and specific. Where a control belongs to the certified infrastructure we build on rather than to Fenchurch itself, we say so plainly.

The platform is built on a small, deliberate stack: Cloudflare for hosting, compute, database and file storage; Stripe for billing; Postmark for transactional email; and Anthropic for the AI that generates your compliance reports. Each of these is a named sub-processor — see Sub-processors for the full list.

Shared responsibility, in one line. Cloudflare secures the certified infrastructure underneath the platform; Fenchurch secures the application that runs on top of it. The controls below describe our application layer and how it uses that infrastructure.

Data residency

Your firm's platform data is stored at rest in Cloudflare's Western Europe (WEUR) region, which sits within the UK and EU. We chose a European region deliberately so that regulated UK firms can keep their compliance records close to home rather than scattered across data centres worldwide.

Where data must leave that region for a specific, limited purpose — for example, sending a one-time login code by email, or submitting your data for AI report generation — that processing is carried out by named sub-processors under appropriate transfer safeguards (Standard Contractual Clauses and the UK International Data Transfer Addendum). Those transfers, and the data involved, are set out in full on the Sub-processors page.

Tenant isolation

Every firm's data lives in its own isolated workspace, which we call a board. Each record is tagged with the identifier of the board it belongs to, and that identifier — not a firm's name or any label you can see — is what the system uses to decide who may read or write it.

Isolation is enforced on the server, not in the browser. When your session asks for data, the request is constrained to the boards your account is permitted to access before any records are returned; a request that omits or forges a board identifier cannot reach another firm's data. Writes are checked the same way: an attempt to save into a board your session does not own is rejected outright. Both checks fail closed — if permission cannot be positively established, access is denied rather than granted.

Authentication

Fenchurch Compliance is passwordless. There is no password to guess, reuse, phish or leak. To sign in, you enter your email address and we send a one-time code; entering that code mints your session.

  • Session tokens. A successful login issues a session token valid for up to 90 days. Only a cryptographic hash of that token is stored on our servers — never the token itself — so our records cannot be used to impersonate you even in the unlikely event they were exposed.
  • Rate limiting. Requests to send a login code, and attempts to verify one, are rate-limited to frustrate brute-force and enumeration attempts.
  • Server-enforced identity. Your identity is validated on the server for every request; the application does not trust a client-supplied claim about who you are.

Encryption

All traffic between your browser and the platform is encrypted in transit using TLS 1.2 or higher. Data stored on the platform is encrypted at rest by default at the infrastructure layer. Card details are never handled or stored by Fenchurch — they are captured directly by our PCI DSS Level 1 payment processor (see Sub-processors).

Data model & recoverability

Compliance records are stored as dated, append-only submissions. When you update a register or a People record, the platform records a new dated version rather than silently overwriting the last one, so an earlier state of your data remains recoverable. This is a deliberate design choice: it means a single mistaken edit — or a bug — cannot quietly destroy your compliance history.

Underneath that, the database supports point-in-time recovery (Cloudflare D1 "Time Travel"), allowing restoration to an earlier state within an approximately 30-day window. Together, the append-only model and point-in-time recovery give you two independent routes back from an error.

AI safety

The AI that produces your compliance reports reads only your firm's own data — the registers, records and forms held in your board. It is instructed to work from that source material and not to invent figures or facts.

AI processing is carried out by Anthropic via its commercial API. Under Anthropic's commercial terms, data submitted through the API is not used to train its models. Your compliance data is used to generate your report and nothing more.

Certified infrastructure & shared responsibility

Fenchurch Compliance runs on Cloudflare, whose infrastructure holds ISO/IEC 27001, SOC 2 Type II and PCI DSS certifications. Payment processing is handled by a PCI DSS Level 1 provider. These certifications belong to the infrastructure and payment providers we build on — they attest to the security of the platform's foundations.

Our shared-responsibility model follows from this. The certified providers secure the infrastructure layer — physical data centres, network, the database and storage engines — which is independently and continuously audited. Fenchurch is responsible for the application layer on top: tenant isolation, authentication, access control and the way your data is handled, as described in the sections above.

An honest word on our own certifications. Fenchurch Compliance does not yet hold a standalone ISO/IEC 27001 or SOC 2 audit of its own application — and we will not imply otherwise. Our assurance today comes from three things: certified infrastructure beneath the platform, the application controls set out on this page, and published governance documents. We actively welcome a customer's security questionnaire and are open to an application-level penetration test. If your review needs either, contact us and we will engage constructively.

Sub-processors

We use a deliberately short list of sub-processors, each for a single, specific purpose: Cloudflare (hosting, compute, database, file storage and CDN/WAF), Stripe (payment and subscription billing), Postmark (transactional email, including login codes), and Anthropic (AI report generation).

The complete, current list — with each provider's purpose, the categories of data processed, and its location and transfer basis — is maintained on our Sub-processors page. You can be notified of changes to that list by emailing support@fenchurchcompliance.co.uk.

Governance documents

Our security controls sit alongside a set of published governance documents. Read together, they set out how we handle personal data as a matter of contract and of law, not just of engineering:

  • Privacy Notice — what personal data we process, why, and your rights under UK GDPR.
  • Data Processing Agreement — the Article 28 terms on which we process your firm's data as a processor, including a security-measures schedule.
  • Sub-processors — the authorised sub-processors that support the service.

Reporting a concern & responsible disclosure

If you believe you have found a security vulnerability, or you have any concern about the security of your data, please tell us at support@fenchurchcompliance.co.uk. We welcome good-faith reports from security researchers and customers alike.

When reporting, please give us enough detail to reproduce the issue and allow us a reasonable period to investigate and remediate before any public disclosure. Please do not access, modify or exfiltrate data that is not your own while testing. We will acknowledge legitimate reports and keep you informed as we work through them.

Contact

For any question about this page, a security questionnaire, or a request for further assurance, contact our team.

Security & data protection enquiries

Fenchurch Compliance — a service of RegTechPRO Limited.

RegTechPRO Limited is registered in England & Wales, company number 10707766.

ICO data-controller registration: ZC177446.

Email: support@fenchurchcompliance.co.uk

Fenchurch Compliance

FCA compliance, without the compliance team. One board, your registers, board-ready AI reports.

Product
How it works Who it's for Pricing FAQ
Legal
Privacy Notice Terms of Use Cookie Policy Data Processing Agreement Sub-processors Security
Fenchurch Compliance is a service of RegTechPRO Limited, a company registered in England & Wales (No. 10707766). © 2026 RegTechPRO Limited. All rights reserved.