Skip to main content
SharePoint Forge
SharePoint Forge

Trust + security

Everything procurement needs in one page.

Built for the buyer who needs to fill in a vendor security questionnaire today. Each section links to the canonical legal document if you need depth.

Our legal entity

  • Trader: Greg Jennings trading as SharePoint Forge
  • Address: 3 Derby Road, WN8 8BP
  • ICO: PENDING
  • Jurisdiction: England and Wales

Contacts

Key documents

Security controls

  • TLS 1.2+ in transit; encryption at rest (Supabase, backups)
  • Microsoft work-account sign-in via Clerk; MFA on staff accounts
  • Default-deny RLS on every database table
  • Stripe webhook signature verification + idempotency
  • Audit log on every authenticated and admin action
  • Per-IP / per-user rate limiting on sensitive endpoints
  • CSP headers + CSRF origin checks on all state-changing endpoints
  • 90-second single-use signed URLs for package downloads
  • Admin panel served from an isolated subdomain when configured

Sub-processors (full list)

  • Stripe Payments Europe Ltd / Stripe Inc. — billing
  • Clerk Inc. — authentication
  • Supabase Inc. (EU/Dublin) — database + storage
  • Resend (Plus Five Five, Inc.) — transactional email
  • Vercel Inc. — hosting + edge delivery
  • Microsoft Corporation (Clarity) — marketing analytics only

30-day advance notice via customer portal + email before any change (DPA §5.4). Internal DPA acceptance register at docs/subprocessor-dpas.md.

Incident response

  • Personal-data breach notification within 72 hours of becoming aware (we aim for 48)
  • ICO notification within 72 hours where required (Art.33)
  • Customer notification without undue delay where high risk to data subjects (Art.34)
  • Reportable to: privacy@sharepointforge.co.uk