Security

A plain-language summary of how Thawly handles your data. Last updated 2026-05.

What we store

Thawly stores company names, optional deal metadata you choose to upload (deal value, lost date, lost reason, internal notes), and Companies House numbers. We do not store contact names, email addresses, or phone numbers of third-party individuals at the companies you monitor. The only personal data on our system is the email address of the users on your team — managed by Clerk for authentication.

Where it's hosted

Application servers run on Vercel. The database is Supabase (Postgres). Authentication is Clerk. Email delivery is Resend. We use these providers' EU regions where available. Specific region configuration is reviewed quarterly.

Encryption

Data is encrypted in transit (TLS 1.2+) on every connection. Data at rest is encrypted by our database provider (AES-256 by Supabase). Backups are encrypted and access-controlled.

Access control

Production database access is restricted to a small number of named engineers via SSO. Service-role keys are stored as environment variables and are never committed to source control. We use row-level-style isolation (every query is scoped to the current organisation) so users can't access another team's data even in the event of a logic bug.
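As an added illustration (not Thawly's own schema or code), the following shows how per-organisation scoping can be enforced inside Postgres itself with row-level security, so that a query which forgets its organisation filter still sees nothing from another tenant. The table, column and setting names (`deals`, `org_id`, `app.current_org`) and the organisation ids are constructed for the example.

```sql
-- Added example, not Thawly's schema: per-organisation isolation enforced
-- by Postgres row-level security rather than by each application query.

create table deals (
    id            bigserial primary key,
    org_id        uuid    not null,
    company_name  text    not null,
    deal_value    numeric,
    lost_reason   text
);

-- Enable RLS and apply it to the table owner as well, so no role the
-- application connects with can bypass it by accident.
alter table deals enable row level security;
alter table deals force row level security;

-- The current organisation is carried in a session setting (assumed name
-- app.current_org). nullif(current_setting(..., true), '') yields NULL when
-- the setting is unset or empty, and NULL never compares equal to org_id,
-- so an unscoped request sees zero rows instead of every tenant's rows.
create policy deals_org_isolation on deals
    for all
    using      (org_id = nullif(current_setting('app.current_org', true), '')::uuid)
    with check (org_id = nullif(current_setting('app.current_org', true), '')::uuid);

-- Per-request pattern: open a transaction, scope it, then query normally.
begin;
set local app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
insert into deals (org_id, company_name, deal_value, lost_reason)
    values ('11111111-1111-1111-1111-111111111111', 'Example Ltd', 12000, 'price');
-- A query with no organisation filter at all (the "logic bug" case)
-- is still restricted to this organisation's rows by the policy.
select company_name, deal_value from deals;
commit;

-- Under a different organisation the row above is filtered out, and an
-- insert claiming the first organisation's id is rejected by WITH CHECK.
begin;
set local app.current_org = '22222222-2222-2222-2222-222222222222';  -- constructed id
select company_name, deal_value from deals;
rollback;
```

Two practical points when running this on Supabase: the `service_role` key connects as a role that bypasses RLS, so it belongs only in trusted server-side jobs and never in a request path that takes user input; and Supabase's own convention is to derive the tenant from the authenticated JWT (for example via `auth.uid()`) rather than from a custom session setting, which removes the need for the application to set `app.current_org` correctly on every request.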

Signal sources

All signals come from public UK business data — government registries, official notices, and licensed enrichment APIs. We don't scrape LinkedIn or other sites that prohibit automated access. We don't buy contact databases. The signals you see are derived from information that's already public.

Incident response

If we discover a security incident affecting customer data, we'll notify affected customers within 72 hours of confirmation, with a description of what happened, what data was involved, and what mitigations we've put in place. Report concerns to security@thawly.co.uk.

Compliance

We operate under UK GDPR. Our Data Processing Addendum is available at /legal/dpa. SOC 2, ISO 27001, and Cyber Essentials are not currently in scope; we'll publish progress here when they are.

Reporting a vulnerability

We welcome responsible disclosure. Email security@thawly.co.uk with details. We aim to acknowledge within 2 working days and resolve within 30 days for high-severity issues.