Security
Last updated: 1 June 2026 · Version 1.0
Calion is built to meet the standards expected by UK and Irish lenders, regulated counterparties, and SMEs. This page summarises the controls we operate. For our full DPA see /legal/dpa; for our sub-processors see /legal/sub-processors.
Platform and infrastructure
- Application hosted on Vercel (SOC 2 Type II, ISO 27001) with primary compute in UK / EU regions.
- PostgreSQL on Neon (SOC 2 Type II) in the EU (eu-central-1), encrypted at rest (AES-256) and in transit (TLS 1.2+).
- All application secrets are stored in Vercel encrypted environment variables and are never committed to source control.
- Sensitive fields (MFA secrets, backup codes, KYC artefacts) are additionally encrypted at the application layer with AES-256-GCM and rotated keys.
- HTTPS-only with HSTS preload, Content-Security-Policy, and modern cipher suites.
Identity and access
- Role-based access control, enforced server-side on every request.
- Two-factor authentication (TOTP) required for administrator and other privileged accounts; backup codes issued at enrolment.
- Admin sessions are subject to a 2-hour idle timeout that requires step-up re-verification.
- Least-privilege access to production data; access is reviewed at least quarterly and on personnel change.
- Email notifications are sent automatically on sensitive events (admin sign-in, MFA enabled, MFA disabled).
Application security
- Input validation, output encoding, parameterised queries via Prisma ORM, and CSP / Trusted-Types-style defaults.
- Rate limiting and abuse detection on authentication and public endpoints.
- Append-only audit log of state-changing actions, retained for 7 years.
- Automated dependency scanning (Dependabot, CodeQL) and timely patching.
- Code review required before merging to the main branch.
Operations and resilience
- Daily encrypted database backups with point-in-time recovery.
- Documented incident-response and business-continuity processes; tabletop exercises run at least annually.
- Personal Data breach notification within 72 hours to affected customers in line with our DPA.
Responsible disclosure
We welcome reports from security researchers. Please email security@calion.ie with a description and a proof of concept. We aim to acknowledge within 2 business days. We will not pursue legal action against researchers acting in good faith and within our policy:
- No social engineering of Calion staff or customers.
- No denial-of-service testing against production.
- No accessing, modifying, or exfiltrating data that is not your own.
- Give us reasonable time to remediate before public disclosure.
Our machine-readable contact is at /.well-known/security.txt.
Certifications and registrations
- UK ICO registration: [to be inserted].
- Cyber Essentials: [in progress].
- ISO 27001 / SOC 2: planned; achieved through key sub-processors today.