Security
RTW Checker stores legally sensitive employment evidence. We treat security as a first-class feature, not a bolt-on. This page describes the controls we have in place and how to report a vulnerability.
UK-hosted. Encrypted in transit and at rest. Per-tenant data isolation. ICO registered (ZB743659). 48-hour breach notification commitment in our DPA.
Where your data lives
- Application and database hosted on Fly.io in their UK (London) region
- Persistent volumes encrypted at rest with AES-256
- No data leaves the United Kingdom in the normal operation of the service
Data in transit
- All customer-facing endpoints served over HTTPS with TLS 1.2 or higher
- HSTS enforced
- HTTP automatically redirected to HTTPS
Access controls
- Role-based access at the application layer (user, company-admin, super-admin)
- Multi-factor authentication on Fly.io, GitHub, and all third-party infrastructure consoles used by our engineers
- Passwords stored as salted bcrypt hashes
- Session cookies marked HttpOnly, Secure, SameSite=Lax
- Audit logging of administrative actions (user creation, company switch, bulk operations)
Tenant isolation
The service is multi-tenant. Each customer company has its own logically separated data area, enforced at the application layer. Users assigned to one company cannot read or write data belonging to another. Cross-company access is granted only to designated super-admin accounts within the agency model.
Backups and disaster recovery
- Daily encrypted snapshots of the database volume
- 30-day rolling backup retention
- Recovery point objective (RPO): 24 hours
- Recovery time objective (RTO): 4 hours
Software supply chain
- All dependencies pinned and regularly updated
- Automated vulnerability scanning via GitHub Dependabot
- No long-lived secrets in code; all credentials managed as Fly secrets
- CI builds run on every commit
Sub-processors
The full list of sub-processors we rely on is published in our Privacy Policy (section 8) and our DPA (section 5). Each is bound by data protection terms equivalent to those we offer you.
Incident response
- Named on-call engineer for production incidents
- Customer notification of personal data breaches affecting their tenant within 48 hours of discovery
- Post-incident review with root cause and corrective action published to affected customers
Compliance and registrations
- ICO registration: ZB743659
- UK GDPR and Data Protection Act 2018: compliant; DPA available at /dpa
- ISO 27001 certification is on our roadmap; we currently align with its control framework but are not yet certified
- Cyber Essentials certification planned for 2026
Responsible disclosure
If you believe you have found a security vulnerability in RTW Checker, please report it to security@instantcheck.co.uk with as much detail as possible. We will:
- Acknowledge your report within 2 working days
- Investigate and keep you updated on progress
- Credit you in our security acknowledgements (with your permission) once the issue is resolved
We do not currently run a paid bug bounty programme but treat valid reports seriously and respond promptly.
Security questionnaires
For procurement and vendor-onboarding security questionnaires (SIG, CAIQ, custom), email security@instantcheck.co.uk and we will return a completed copy within 10 working days.