Security Overview
This overview describes the security controls TamRx has implemented and the established cloud platforms we build on. We describe controls accurately and distinguish current capabilities from roadmap items. We do not claim certifications we do not hold.
- Version
- 1.0
- Effective
- 28 June 2026
- Last reviewed
- 28 June 2026
- Owner
- TamRx Ltd — Security & Compliance
1. Secure cloud infrastructure
TamRx is operated entirely on established, managed cloud platforms — Vercel for application hosting and delivery, Supabase for database, authentication and storage, and Google Cloud for underlying infrastructure services. These providers maintain their own recognised security and compliance programmes and physical and environmental controls. We do not operate our own physical infrastructure.
2. Encryption in transit
All traffic between users and the Service is encrypted in transit using industry-standard TLS. Connections to our managed sub-processors are likewise encrypted in transit.
3. Encryption at rest
Personal data and Customer Content held in our managed database and storage are encrypted at rest by the underlying platform. We rely on the at-rest encryption provided and managed by Supabase and Google Cloud for the data they store on our behalf.
4. Authentication
Access to the Service is authenticated through our authentication provider, supporting sign-in via Microsoft, Google and email. User credentials are not stored in plaintext by TamRx. We encourage the use of strong, unique credentials and the multi-factor authentication options offered by your chosen identity provider.
5. Access control and least privilege
Administrative and infrastructure access is restricted to authorised personnel on a need-to-know basis, applying least-privilege principles. Role-based access controls are used within our managed platforms to separate duties and limit access to production data to those who require it.
6. Monitoring and diagnostics
We use error monitoring (Sentry) and product analytics (PostHog and Microsoft Clarity) to detect, diagnose and resolve issues and to understand and improve the Service. Monitoring is configured to support operational reliability and security awareness while minimising the personal data processed for these purposes.
7. Backups and resilience
We rely on the managed backup and durability capabilities of our database and infrastructure providers. The availability and retention of point-in-time recovery depend on the provider plan and configuration; we configure these to support recovery objectives appropriate to the Service. We can provide further detail to customers on request.
8. Secrets and credentials management
Application secrets, including third-party API keys, are held as protected environment configuration within our hosting platform and are never embedded in client-side code or source control. Access to secrets is restricted to authorised personnel and systems.
9. AI data handling
To generate output, assessment inputs are transmitted over encrypted connections to our AI providers (OpenAI and Anthropic) solely to return your result. We contract with these providers on terms that restrict the use of input data for provider model training. We do not use your inputs to train TamRx’s own models. See our AI Transparency Statement and Privacy Policy.
10. Audit logging
Our infrastructure and managed providers record operational and access logs that support security monitoring and incident investigation. Expanding application-level audit logging and configurable retention is an item on our roadmap (see below).
11. Incident response and disclosure
We investigate suspected security incidents promptly and will notify affected users and, where applicable, the ICO in accordance with our legal obligations. We operate a responsible disclosure process and welcome good-faith reports at security@tamrx.co.uk.
12. Roadmap
The following are roadmap items, not current controls, and should not be relied upon as implemented: formal security certification (such as ISO/IEC 27001 or SOC 2); expanded application-level audit logging with configurable retention; configurable data residency; automated detection and minimisation of special category data in inputs; and a formal sub-processor change-notification process.
13. Contact
For security questions or to report a vulnerability, contact security@tamrx.co.uk.
