Security

Last updated: 23 April 2026

Draft v1. This document has been prepared as a working draft and has not yet been reviewed by a qualified solicitor. Items in highlighted monospace {{LIKE_THIS}} are placeholders to be completed before public launch.

Our approach

UltAI-Mate handles financial information that matters to real people. We take security seriously and build it into every layer of the product. This page describes the controls we rely on and where to report a concern.

Nothing on this page is a warranty; our formal security commitments live in the Terms of Service and (for firm customers) the Data Processing Agreement.

1. Hosting and infrastructure

Where your data lives

All application servers, databases, object storage and backups are hosted in Germany, within the European Union, on infrastructure provided by Hetzner Online GmbH. Hetzner’s data centres are ISO 27001-certified.

Network

Inbound traffic is terminated at a reverse proxy behind a managed firewall. Only the web application is publicly reachable; the database, auth service and storage service are on a private network.

2. Encryption

  • In transit: TLS 1.2+ for all traffic between your browser and our servers, and between our services and third-party sub-processors.
  • At rest: Postgres data, object storage volumes and backups are encrypted at rest on the host disk.
  • Passwords: never stored in plain text. Hashed using bcrypt by our auth provider (Supabase GoTrue).

3. Tenant isolation and access control

  • Row-Level Security (RLS): every client-scoped database table carries a firm_id column and an RLS policy enforced by Postgres. A query from one firm cannot read another firm’s rows, even if the application layer has a bug.
  • Role-based access: permissions are divided into platform admin, firm admin, adviser, and client roles. Users only see the data appropriate to their role.
  • Service-role keys are used only by server-side code in trusted contexts (webhooks, cron). They are never exposed to the browser.

4. Authentication

  • Password login with bcrypt hashing and session rotation.
  • Email-based magic links and password reset.
  • HTTP-only, SameSite session cookies.
  • Rate-limited login endpoints to mitigate brute-force.
  • {{MFA_STATUS}} — multi-factor authentication roadmap item.

5. Application security

  • TypeScript strict mode across the codebase to catch whole classes of bug at compile time.
  • Parameterised queries only — no string-interpolated SQL anywhere.
  • AI inputs are sanitised and tag-wrapped before being sent to our model provider, to mitigate prompt-injection abuse.
  • Strict, atomic rate limits on AI endpoints to prevent cost abuse and session hijacking.
  • Dependency updates tracked, security advisories monitored.
  • Code review required on every change. No direct commits to main.

6. AI-specific controls

  • All AI calls are server-side; API keys never leave our infrastructure.
  • Every AI call is logged (user, firm, tokens used, cost) for audit and billing.
  • Our AI provider, Anthropic, is contractually prohibited from training models on your data.
  • Per-firm rate and spend limits to contain runaway usage.

7. Sub-processors

A current list of sub-processors is maintained in our Privacy Policy, section 7. We review each sub-processor for technical and organisational measures, lawful basis for international transfer where relevant, and contract terms before onboarding.

8. Backups and recovery

  • Full database backups taken daily; {{BACKUP_RETENTION}} retention.
  • Backups encrypted at rest and stored in the same EU region as primary data.
  • Restore procedure documented and tested on a routine basis.
  • Target Recovery Point Objective (RPO): {{RPO}}. Target Recovery Time Objective (RTO): {{RTO}}.

9. Logging, monitoring and audit

  • Centralised logs for authentication events, admin actions, AI calls, billing events and webhook deliveries.
  • Error reporting in production with no personally identifying content in error traces.
  • Retention of security-relevant logs: 12 months.

10. Incident response

We maintain a documented incident-response runbook. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours of becoming aware, and notify affected users and firm customers without undue delay.

Firm customers additionally receive the breach-notification commitments in the Data Processing Agreement.

11. Responsible disclosure

If you believe you have found a security vulnerability in UltAI-Mate, please email {{SECURITY_EMAIL}} with details and, if possible, a proof of concept.

  • Please give us a reasonable window to remediate before disclosing publicly.
  • Do not access, modify or delete data belonging to other users.
  • Do not run automated scans that degrade service performance.
  • We will acknowledge your report within 3 working days and update you as we investigate.

12. Certifications and roadmap

UltAI-Mate is an early-stage product and does not currently hold independent security certifications (e.g. ISO 27001, SOC 2). We align our controls with the principles in those frameworks and intend to pursue formal certification as the product matures.

For a current view of certifications and in-flight work, contact {{SECURITY_EMAIL}}.

Security | UltAI-Mate