Trust + security
Everything procurement needs in one page.
Built for the buyer who needs to fill in a vendor security questionnaire today. Each section links to the canonical legal document if you need depth.
Our legal entity
- Trader: Greg Jennings trading as SharePoint Forge
- Address: 3 Derby Road, WN8 8BP
- ICO: PENDING
- Jurisdiction: England and Wales
Contacts
- Privacy / DPA queries: privacy@sharepointforge.co.uk
- Security report: privacy@sharepointforge.co.uk (subject “Security report”)
- General support: support@sharepointforge.co.uk
Key documents
- Privacy Policy — lawful basis, sub-processors, retention, rights
- Data Processing Agreement — Art.28 obligations, Schedule A sub-processors
- Cookie Policy + Microsoft Clarity DPIA available on request
- Terms of Service
- Refund Policy — CCR 2013 + DMCC-aligned mechanics
- Accessibility statement
Security controls
- TLS 1.2+ in transit; encryption at rest (Supabase, backups)
- Microsoft work-account sign-in via Clerk; MFA on staff accounts
- Default-deny RLS on every database table
- Stripe webhook signature verification + idempotency
- Audit log on every authenticated and admin action
- Per-IP / per-user rate limiting on sensitive endpoints
- CSP headers + CSRF origin checks on all state-changing endpoints
- 90-second single-use signed URLs for package downloads
- Admin panel served from an isolated subdomain when configured
Sub-processors (full list)
- Stripe Payments Europe Ltd / Stripe Inc. — billing
- Clerk Inc. — authentication
- Supabase Inc. (EU/Dublin) — database + storage
- Resend (Plus Five Five, Inc.) — transactional email
- Vercel Inc. — hosting + edge delivery
- Microsoft Corporation (Clarity) — marketing analytics only
30-day advance notice via customer portal + email before any change (DPA §5.4). Internal DPA acceptance register at docs/subprocessor-dpas.md.
Incident response
- Personal-data breach notification within 72 hours of becoming aware (we aim for 48)
- ICO notification within 72 hours where required (Art.33)
- Customer notification without undue delay where high risk to data subjects (Art.34)
- Reportable to: privacy@sharepointforge.co.uk
