Security & Trust
Last updated 1 June 2026
This page is maintained by VigilPath UK Limited to answer common security and privacy questions about the VigilPath platform. It describes controls currently enabled in the product. It is not a certification or independent attestation.
Shared responsibility
- VigilPath operates the platform, applies platform security controls, and processes personal data only on customer instructions.
- Customer determines lawful basis, manages users and roles within their tenant, configures retention, and reviews investigator outputs before action.
- The hosting provider supplies physical security, hardened infrastructure and managed database services in the UK region.
Authentication & access
- Email + password with leaked-password protection (checked against Have I Been Pwned, HIBP) enabled.
- Password strength rubric enforced at signup and reset.
- Anonymous sign-in disabled platform-wide.
- Role-based access (Investigator, Reviewer, Admin, Platform Admin).
- Server-side session validation on every protected route.
Multi-tenant isolation
Every table containing tenant data enforces row-level security policies keyed to the authenticated user's tenant. Users cannot read or write data outside their tenant. Platform administrators have a separately granted role with their own audit trail.
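The following is an added illustration of what a per-tenant row-level security policy of the kind described above looks like; it is not VigilPath's schema or code. It assumes PostgreSQL, a hypothetical cases table with a tenant_id column, and that the authenticated user's tenant is made available to the database as a session setting named app.tenant_id.

```sql
-- Added illustration of per-tenant row-level security, not VigilPath's schema.
-- Assumes PostgreSQL. The table, its columns and the app.tenant_id session
-- setting that carries the authenticated user's tenant are hypothetical.

CREATE TABLE cases (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    status     text NOT NULL,
    narrative  text
);

-- Constructed sample rows for two tenants, seeded before RLS is switched on
INSERT INTO cases (tenant_id, status) VALUES
  ('11111111-1111-1111-1111-111111111111', 'open'),
  ('22222222-2222-2222-2222-222222222222', 'open');

-- Enable RLS and also apply it to the table owner, so no ordinary role bypasses the policy
ALTER TABLE cases ENABLE ROW LEVEL SECURITY;
ALTER TABLE cases FORCE ROW LEVEL SECURITY;

-- Reads the caller's tenant from the session. If the setting is absent or empty
-- the function returns NULL, so the policy matches no rows rather than every row.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- One policy keyed to the caller's tenant: USING filters reads, updates and deletes;
-- WITH CHECK rejects inserted or updated rows tagged with any other tenant.
CREATE POLICY tenant_isolation ON cases
    FOR ALL
    USING (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Application role. Table grants are still required; RLS filters within them.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON cases TO app_user;
GRANT USAGE, SELECT ON SEQUENCE cases_id_seq TO app_user;

-- Check the isolation as the application role acting for tenant 1
SET ROLE app_user;
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Visible rows are restricted to the tenant set above
SELECT id, tenant_id, status FROM cases;

-- A write tagged with tenant 2 is refused by the WITH CHECK clause
INSERT INTO cases (tenant_id, status)
VALUES ('22222222-2222-2222-2222-222222222222', 'open');

RESET ROLE;
```

Two points a reviewer would look for in such a policy: FORCE ROW LEVEL SECURITY closes the gap where the table owner would otherwise be exempt, and the NULL-on-missing behaviour of current_tenant_id() means a request that arrives without a tenant context sees nothing instead of everything. A platform-administrator role with its own audit trail, as the page describes, would be granted separately rather than by relaxing this policy.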
Encryption
- In transit: TLS 1.2+ for all client and inter-service traffic.
- At rest: AES-256 managed by the hosting provider.
- Secrets stored in a managed secret vault, never in source control.
Audit & monitoring
- Immutable case-event log for every status change, narrative edit and export.
- Platform-wide administrative audit log visible to platform admins.
- Server function and edge runtime logs retained for operational review.
Data residency & backups
- Primary region: United Kingdom.
- Daily encrypted backups with point-in-time recovery enabled by the hosting provider.
- No personal data transferred outside the UK / EEA except via UK IDTA-covered sub-processors listed at /sub-processors.
Vulnerability management
Automated dependency scanning runs on every build. Security-relevant findings are triaged and remediated according to severity. Researchers can report issues via our Responsible Disclosure channel.
Incident response
We commit to notify affected customers of a confirmed personal data breach without undue delay and within 48 hours of discovery, with the information required by UK GDPR Article 33.
Compliance posture
VigilPath is designed to support customers regulated under the Money Laundering Regulations 2017, the Proceeds of Crime Act 2002, and FCA SYSC 6.3. Independent certifications (ISO/IEC 27001, SOC 2 Type II) are on our roadmap; we do not claim them today.
Contact
Security questions: security@vigilpath.co.uk
Data protection enquiries: dpo@vigilpath.co.uk