Trust & Security

Built to be trusted with compliance work.

Curcle handles your customers’ sites, certificates and invoices. The controls below are how we keep that data safe — and the standards we’re working towards next.

What we have in place today

Concrete controls built into the platform — not aspirations.

Access & identity

Every action in Curcle is tied to a named user with an enforced role.

  • Four-role access control (admin, engineer, viewer, customer) enforced server-side on every request
  • Bcrypt-hashed passwords with a minimum-strength policy and failed-login logging
  • Session-based auth with a 30-minute idle timeout and server-side session regeneration on login
  • Optional SSO (SAML / OIDC) on enterprise tenants

Data protection

Customer data is isolated per tenant and encrypted in transit and at rest.

  • TLS in transit; PostgreSQL and object storage encrypted at rest
  • Strict tenant isolation, enforced at the query layer and verified by an automated lint in CI
  • GDPR tooling built-in: customer-initiated data export, anonymisation, and deletion requests
  • Your own NICEIC, Gas Safe and trade accreditation numbers print on every certificate as your credentials — not a generic hard-coded logo
  • Audit-log retention with admin-controlled purge windows
  • A documented sub-processor list (hosting, storage, payments, email, AI features) — published in our Data Processing Agreement

Platform hardening

The application ships with the controls a modern SaaS is expected to have.

  • Helmet, CSP, HSTS, X-Frame-Options and Permissions-Policy headers on every response
  • CSRF protection (double-submit cookie) and per-route rate limiting
  • Zod-validated request bodies, with a CI gate blocking loose passthrough schemas
  • Stripe webhook signatures verified — invalid signatures rejected with a 400 and a structured warning log

Operations & resilience

We assume something will go wrong, and rehearse what happens next.

  • Documented backup and disaster-recovery runbook with stated RTO / RPO
  • Weekly dependency vulnerability scan + per-artifact audit gate in CI
  • Incident-response runbook with on-call rota and a defined error budget
  • Audit-trail of administrative actions across the platform

Certifications roadmap

We’d rather be straight about where we are than dress up a badge we don’t yet hold.

Cyber Essentials (IASME)

In progress

Working through the NCSC five-control questionnaire — firewalls, secure configuration, patching, access control, and malware protection. Targeting self-assessed certification first, then Cyber Essentials Plus.

Cyber Essentials Plus

Planned

The externally assessed version of the scheme, verified by an accredited assessor — required by most UK public-sector, NHS and large facilities-management buyers. Scheduled within six months of basic certification.

SOC 2 (Type I → Type II)

Planned

Triggered by customer demand. We will pursue SOC 2 when enterprise prospects start requiring it in procurement; until then, the controls listed above already cover most of the substantive requirements.

Reporting a security issue

If you believe you’ve found a vulnerability in Curcle, please report it privately rather than disclosing it publicly. Email support@curcle.co.uk with “Security issue” in the subject. We’ll acknowledge your report within 2 working days and keep you updated through to the fix.