Last updated: 14 April 2026. This page describes our technical and organisational security controls.
Business financial data is among the most sensitive information our customers will ever share with an online service. This page describes, in concrete terms, how we protect it: the controls we apply, the sub-processors we use, and the commitments we hold ourselves to.
Technical controls
- Encryption in transit: TLS 1.3 on all connections. Weaker protocol versions are refused. HSTS is enforced with a 1-year max-age.
- Encryption at rest: AES-256 for any stored questionnaire data, reports, and backups.
- Payment data: handled end-to-end by Stripe. Full card numbers never touch our servers. We retain only the Stripe customer ID and receipt reference.
- Segregation of analytics: Google Analytics (where enabled) is explicitly excluded from all questionnaire paths (/value-my-business/*) and all report-delivery pages. No third-party analytics sees your financial inputs.
- No long-lived credentials: our pipeline uses short-lived, scoped API keys rotated quarterly.
- Dependency scanning: all third-party dependencies are monitored for CVEs. Critical vulnerabilities are patched within 24 hours; high within 7 days.
- Access control: production infrastructure is accessible only via hardware-key-protected SSH from known IP ranges. No shared credentials.
- Logging: every report generation is logged with timestamp, customer email (hashed), and report hash. Logs are retained 90 days, encrypted, and immutable (append-only).
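A customer or auditor can check the encryption-in-transit control from the outside. The following is an added example, not Valuion's own code: it validates a Strict-Transport-Security header against the stated 1-year max-age and builds a client context pinned to a single TLS version. The function names and sample header values are constructed for illustration.

```python
import ssl

ONE_YEAR = 31_536_000  # seconds; the "1-year max-age" stated in the list above


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns a dict keyed by lower-cased directive name, or None when the
    header is invalid (repeated directive, missing or non-numeric max-age),
    in which case a browser ignores it entirely.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg.strip().strip('"')  # value may be quoted
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdecimal()):
        return None
    return directives


def hsts_meets_policy(value, minimum=ONE_YEAR):
    """True when the header is valid and max-age is at least `minimum`."""
    parsed = parse_hsts(value)
    return parsed is not None and int(parsed["max-age"]) >= minimum


def pinned_context(version):
    """Client context that can only negotiate exactly `version`.

    Pinned to TLSv1_3 the handshake should succeed; pinned to TLSv1_2 it
    should fail against a server that refuses weaker protocol versions.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


# Constructed sample header values, not captured from any real site.
SAMPLES = ["max-age=31536000; includeSubDomains", 'Max-Age="63072000"; preload',
           "max-age=86400", "max-age=31536000; max-age=0", "includeSubDomains"]
```

To test a live host, wrap a socket with `pinned_context(...)` using `wrap_socket(sock, server_hostname=host)` and pass the response's Strict-Transport-Security value to `hsts_meets_policy`.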
Data residency
We process data in the region that best serves the customer, subject to GDPR Chapter V transfer rules.
- EU, UK, Ireland customers: processed and stored in EU regions where possible. Render pipeline runs in EU-Frankfurt. Resend uses its EU region. Cloudflare EU data locality is applied.
- US, Canada, Australia, New Zealand customers: processed in US regions for performance. Data residency is determined at submission time from the jurisdiction you have selected (or detected from IP).
- AI generation via Anthropic Claude: Anthropic’s zero data retention and no-training policies apply to all requests. EU-sourced requests may be routed through Anthropic’s EU data-residency option where available. Data is not used to train models.
For enterprise accountant partners with specific residency requirements, a Data Processing Agreement (DPA) specifying exact data locations is available on request at no cost.
Data retention
- Questionnaire answers: deleted 30 days after report delivery, unless the customer has opted in to retention for the Annual Refresh Subscription.
- Generated reports: stored in encrypted form for 90 days from last access, then automatically deleted. Customers retain their own copies via email.
- Shareable web links: expire 90 days after last access and are then purged.
- Customer records (name, email, payment reference): retained 7 years per Irish Revenue requirements.
- Fraud blocklist: retained indefinitely (hashed email and card fingerprint only) to prevent repeat chargebacks.
Accountant white-label customer data is fully segregated per firm. It is never pooled with other firms, never used for cross-firm analytics, and never exposed across tenants.
Sub-processors
The following third parties process data on our behalf. Each is bound by a Data Processing Agreement appropriate to the data they handle. This list is kept current; we notify active customers 30 days in advance of material changes.
- Anthropic PBC (United States) · AI report generation. Zero data retention, no training on submitted data. Covered by Standard Contractual Clauses.
- Stripe, Inc. (United States & Ireland) · payment processing. PCI-DSS Level 1.
- Resend (United States; EU region for EU customers) · transactional email delivery.
- Netlify, Inc. (United States) · static website hosting. No user data processed.
- Render Services, Inc. (EU-Frankfurt for EU customers, US regions otherwise) · pipeline compute.
- Formspree (United States) · form submission handling.
- Kit (United States) · opt-in newsletter delivery.
- Cloudflare, Inc. (global) · DNS and CDN. Metadata only.
- Sentry (United States) · error monitoring. Financial data is not sent to Sentry.
- UptimeRobot (United States) · external health checks. No customer data processed.
Fraud and chargeback controls
At the $199 to $399 price point, digital products attract a predictable level of chargeback fraud. We defend against this without punishing legitimate customers.
- Stripe Radar is enabled with custom rules for digital products, auto-blocking high-risk transactions.
- 3D Secure (SCA) is enforced on all EU and UK transactions (legally required, and fraud-reducing).
- Billing-address and IP-country correlation is checked, with tolerance for legitimate travel.
- Disposable email domains and high-risk regions trigger manual review above certain thresholds.
- Every report delivery is logged with timestamp, IP, email, and file hash for chargeback response evidence.
- Our 7-day money-back guarantee resolves most disputes before they become chargebacks.
Incident response and breach notification
We commit to notifying affected users of any security incident that compromises their personal data within 72 hours of becoming aware of it, in line with GDPR Article 34. Notifications will include: what data was affected, what we believe happened, what we are doing about it, and what we recommend you do.
We also commit to notifying the Irish Data Protection Commission within 72 hours as required by GDPR Article 33.
To report a security vulnerability or a suspected incident, email security@valuion.com. We take every report seriously and will acknowledge within one business day.
Your rights
- Right to access: request a copy of the personal data we hold about you, in machine-readable form.
- Right to deletion: email support and we will delete all your data within 72 hours, excluding records we are legally required to keep.
- Right to portability: receive your data in a structured, machine-readable format (JSON).
- Right to rectification: correct any inaccurate personal data.
- Right to restrict: pause processing while a dispute is resolved.
- Right to object: object to processing based on legitimate interests.
- Right to complain: file a complaint with the Irish Data Protection Commission or your local supervisory authority.
Full details in our Privacy Policy.
For accountant partners
Accountants purchasing bulk packs can request a fully-executed Data Processing Agreement at no cost. The DPA specifies exact sub-processor locations, data categories, retention periods, and breach-notification obligations sufficient to include as an appendix to your engagement letters with clients.
Request a DPA at partners@valuion.com.
Professional indemnity insurance
Valuion maintains Professional Indemnity Insurance covering AI-generated advisory outputs. Coverage details are available to enterprise partners on request.
Contact
- Security issues or vulnerabilities: security@valuion.com
- Privacy and data-subject requests: privacy@valuion.com
- Accountant DPA requests: partners@valuion.com