Trust
How we keep your data safe.
Equaliser handles paid-media performance data — campaign spend, revenue, customer acquisition cost. The kind of numbers that decide whether a brand grows or contracts. So we treat them with the same care your CFO does.
Security →
SOC 2 infrastructure, AES-256 at rest, TLS 1.3 in transit, RLS isolation per org.
Privacy →
GDPR + UK GDPR compliant. Your campaign data is yours — we never sell it, mine it, or train models on it.
Sub-processors →
Every third party that touches your data, the data they see, the region they store it in.
DPA →
Standard data processing agreement, ready to counter-sign. Includes EU SCCs + UK IDTA.
The questions procurement asks first.
Where is data stored?
Primary stores: Supabase (eu-west-2, London), Google Cloud BigQuery (europe-west2). Anthropic API calls route through their EU endpoint. No primary store outside the EU/UK.
Do you train models on customer data?
No. Anthropic API calls are sent with the no-training flag and under a zero-retention contract. We never fine-tune on customer data. We never embed customer content into a shared model.
How is one customer isolated from another?
Postgres Row-Level Security on every table that holds customer data. Policy keyed on org_id; service-role access is reserved for cron jobs that explicitly scope by org. BigQuery datasets are read-only via authorised views with org filters baked in.
What happens to data on account closure?
On request: hard delete within 30 days, with a confirmation receipt. Backups roll out to expiry within 90 days. We retain only the minimum required for legal/tax purposes (invoice records).
Do you have a security questionnaire boilerplate?
Yes — email security@equaliser.co.uk with your standard questionnaire (Whistic / OneTrust / SIG-Lite). Typical turnaround under 5 working days.
Can we audit you?
Annual SOC 2 attestation reports from our infrastructure providers (Vercel, Supabase, GCP) are available under NDA. We do not currently hold our own SOC 2 — Type I attestation is on the 2026 roadmap.
How do you handle credentials for ad accounts?
OAuth tokens are encrypted at rest in Supabase Vault (libsodium / AES-256). Refresh tokens never leave the server. Read scopes only — write scopes are negotiated per-action and revoked afterwards.
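For reviewers checking the isolation answer above, this is what a Row-Level Security policy keyed on org_id looks like in plain Postgres. It is an added illustration, not Equaliser's own schema: the table campaign_spend, the role app_user, the setting app.org_id and the sample rows are all hypothetical, and it assumes a scratch database and a superuser session.

```sql
-- Hypothetical table holding per-org customer data.
CREATE TABLE campaign_spend (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id      uuid   NOT NULL,
    campaign    text   NOT NULL,
    spend_pence bigint NOT NULL
);

-- Constructed sample rows for two orgs, loaded before RLS is switched on.
INSERT INTO campaign_spend (org_id, campaign, spend_pence) VALUES
    ('11111111-1111-1111-1111-111111111111', 'brand-search', 120000),
    ('22222222-2222-2222-2222-222222222222', 'prospecting',  450000);

-- ENABLE turns policies on; FORCE also applies them to the table owner.
-- Superusers and roles with BYPASSRLS are still exempt.
ALTER TABLE campaign_spend ENABLE ROW LEVEL SECURITY;
ALTER TABLE campaign_spend FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON campaign_spend TO app_user;

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- rows written with another org's id. An unset or empty app.org_id becomes
-- NULL, the comparison is never true, and the policy fails closed.
CREATE POLICY org_isolation ON campaign_spend
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- A request handled on behalf of the first org.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
SELECT campaign, spend_pence FROM campaign_spend;   -- filtered by USING
INSERT INTO campaign_spend (org_id, campaign, spend_pence)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-org', 1);  -- refused by WITH CHECK
ROLLBACK;

-- A job running as a BYPASSRLS role is not filtered by the policy, so the
-- org scope has to be written into the query itself.
SELECT campaign, spend_pence
FROM campaign_spend
WHERE org_id = '11111111-1111-1111-1111-111111111111';
```

When reviewing a deployment like this, the points to check are that every customer table has RLS enabled with both USING and WITH CHECK, and that every query issued by a bypassing role carries an explicit org filter.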
Right address for the right thing.
Security incident
security@equaliser.co.uk
Privacy / data subject
privacy@equaliser.co.uk
DPA / procurement
legal@equaliser.co.uk
This page describes Equaliser's posture as of June 2026. Material changes are noted in the changelog.