00 · Security
Security isn't a feature. It's the foundation.
Factorly handles personal data for property owners, tenants, and residents. We take that responsibility seriously — here is exactly how we protect it.
- TLS 1.2+: all connections
- AES-256: data at rest
- PCI DSS: via Stripe
- UK GDPR: data protection
- UK data: AWS eu-west-2
- bcrypt: password hashing
01 · How we protect your data
Six layers of security
Infrastructure
UK-region cloud hosting, isolated per-organisation
- Hosted on Amazon Web Services (AWS) eu-west-2 — UK region
- All data stored and processed within the United Kingdom
- Multi-tenant architecture with strict per-organisation data isolation
- Each organisation operates on its own subdomain with independent data boundaries
- 99.5% monthly uptime target with scheduled maintenance notified in advance
Encryption
TLS 1.2+ in transit, AES-256 at rest
- All data encrypted in transit using TLS 1.2 or higher
- All data encrypted at rest using AES-256
- File storage (S3) uses server-side encryption by default
- Database connections use SSL/TLS — plaintext connections are rejected
- Presigned S3 URLs expire within 1 hour; minimum expiry enforced at 5 minutes
Authentication
bcrypt passwords, JWT sessions, rate-limited logins
- Passwords hashed with bcrypt — plain-text passwords are never stored
- JWT-based sessions expire after 24 hours
- Session tokens stored in httpOnly cookies — inaccessible to JavaScript
- Rate limiting on login: 5 attempts per 15 minutes per IP
- Role-based access control with 6 distinct roles — users see only what they need
- Subdomain isolation: org users cannot access other organisations' data
Payments
Stripe-powered, PCI DSS compliant
- All payment processing handled by Stripe — PCI DSS Level 1 certified
- Card numbers and payment credentials are never transmitted to or stored on Factorly servers
- Stripe webhooks are verified using HMAC-SHA256 signature validation
- Payment events are logged in the audit trail with Stripe payment intent IDs
Application security
Input validation, XSS prevention, CSRF protection
- All API inputs validated with Zod schema validation before processing
- HTML output escapes user-supplied data to prevent cross-site scripting (XSS)
- Security headers on all routes: X-Frame-Options DENY, HSTS, X-Content-Type-Options, Referrer-Policy
- LIKE wildcard characters escaped in database search queries
- File uploads validated against MIME type allowlist with filename sanitisation
- CSV exports sanitised to prevent formula injection attacks
- General API rate limiting: 100 requests per minute per IP
Data & GDPR
UK GDPR compliant, right to erasure, audit trail
- Factorly Ltd is the data controller for platform data under UK GDPR
- Data retention: account and property data held for subscription period plus 7 years
- Residents can request a full export of their personal data
- Deletion requests fulfilled within 30 days, subject to legal retention requirements
- No personal data is sold to or shared with third parties for advertising
- AI features send only the minimum data required per request to Anthropic — no bulk exports
- Data processors: Stripe (payments), AWS (hosting), Resend (email), Anthropic (AI), Sentry (errors — anonymised)
02 · Responsible disclosure
Found a vulnerability?
We take security reports seriously. If you believe you've found a security vulnerability in Factorly, please disclose it responsibly by emailing security@factorly.co.uk.
Please include a description of the vulnerability, the steps required to reproduce it, and any evidence or proof-of-concept. We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days.
We ask that you do not publicly disclose the issue until we have had the opportunity to investigate and address it. We do not currently offer a formal bug bounty programme, but we will credit researchers who responsibly disclose valid vulnerabilities.
03 · Get in touch
Security questions before you sign up?
We're happy to answer detailed security questions, share our data processing agreements, or discuss our architecture in a 30-minute call.