DefendDomain
Trust & security

Security is the product, not a feature.

DefendDomain protects organisations from brand and domain impersonation. Our customers trust us with sensitive information about the threats targeting them, so we hold ourselves to the same standard we help them enforce.

ISO 27001-aligned
UK & EU GDPR
AES-256 at rest
UK / EU hosted
MFA enforced

Our commitment

Security is not a department here. It is the whole point of what we build.

DefendDomain Ltd is committed to protecting the confidentiality, integrity and availability of all customer data. We watch the internet for impersonations of our customers' brands and domains, gather the evidence, and help take the impersonating sites down. That work only matters if our customers can trust how we handle the information they share with us.

We operate an Information Security Management System built and maintained in line with ISO/IEC 27001:2022 and GDPR Article 32, and we are actively pursuing formal ISO 27001 certification, targeted for 2026. Our ISMS is owned at board level and reviewed continually as our business grows.

What we hold ourselves to

Our security objectives

A small set of clear, measurable objectives. Our ISMS gives us the framework to set, monitor, review and achieve them, and leadership reviews it regularly.

Zero high-impact data breaches

The standard we design and operate to, every single year.

Achieve and maintain ISO 27001

Our ISMS is built to ISO/IEC 27001:2022 and we are pursuing certification, targeted for 2026, with independent external audits every year.

Encrypt everything, everywhere

All customer data is encrypted in transit and at rest, with no exceptions for production systems.

Test ourselves independently

We commission annual third-party penetration tests and vulnerability assessments of our platform.

Improve continually

Regular risk reviews, internal audits and management reviews, with a target of at least ten security improvements every year.

Be transparent

We are happy to discuss our security in detail and answer any questions from customers and prospects.

How we protect your data

Encrypted in transit and at rest. No exceptions.

All company and customer data is encrypted both at rest and in transit. Deprecated algorithms and TLS versions below 1.2 are prohibited on production systems.

At rest

AES-256 or stronger, with encryption keys held in FIPS 140-2 validated hardware security modules.

In transit

TLS 1.2 or higher, with HTTP automatically redirected to HTTPS and certificates issued and renewed automatically.

Passwords

Never stored in plaintext. Authentication uses modern, salted bcrypt hashing.

Customer secrets

Webhook URLs, SSO metadata and SIEM tokens are encrypted in a managed vault and decrypted only at the moment of use. We store opaque references, not the secrets themselves.


Where your data lives

Hosted in the UK and EU.

Our primary production database is hosted in the AWS eu-west-2 (London) region, keeping customer data within the UK and EU for our UK and European customers. Backups are stored encrypted on AWS infrastructure.

We can provide region and data-residency detail to prospective customers on request.

Defence in depth, by design

From infrastructure to incident response, every layer is built to a security-first standard and backed by audit evidence.

Top-tier managed infrastructure

Our application and APIs run on a serverless edge network, and our database, authentication and file storage run on managed cloud, all built on AWS. A small set of always-on workers process public threat feeds as immutable, outbound-only containers with no path into the customer database. There is no SSH access and no raw database port exposed to the public, so the attack surface stays deliberately small.

Strict access control and tenant isolation

Row-Level Security is enforced on every table holding customer data, so one customer cannot see another's even in the unlikely event of an application bug. Least privilege governs all access, multi-factor authentication is enforced across the services we build on, and SSO via SAML with role-based access is available for customer teams.

Network security by design

A single inbound entry point through our edge network, protected by WAF rules and automatic DDoS protection. The database is not exposed directly to the public internet; all access runs through a managed, authenticated API gateway with Row-Level Security enforced on every request, never a raw database connection. Authenticated, signed callbacks using HMAC-SHA256 with timestamp validation, plus per-endpoint rate limiting, protect our internal services from tampering and replay.
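An added, illustrative verifier for signed callbacks of the kind described above (example code, not DefendDomain's own implementation): the header names, the signed-string layout and the 300-second window are assumptions, since the page does not specify them. It also shows the caveat a reviewer would raise: a timestamp window bounds replay but does not prevent it inside the window, so an optional seen-signature set is checked too.

```python
import hashlib
import hmac
import time

# Assumed callback format (the page does not specify one): the sender puts a
# Unix timestamp in "X-Timestamp" and hex(HMAC-SHA256(secret, "<ts>.<body>"))
# in "X-Signature". Header names, signed-string layout and the 300-second
# window are assumptions for this example, not DefendDomain's actual scheme.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: bind the timestamp to the body so neither can be swapped."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None, seen=None):
    """Receiver side. Returns (ok, reason).

    Checks, in order: timestamp present and well-formed, timestamp inside the
    replay window, signature valid (constant-time compare), and, if a `seen`
    set is supplied, that this exact signature has not been accepted before
    (a timestamp window alone still permits replay inside the window).
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if ts_raw is None or not ts_raw.isdigit():
        return False, "missing or malformed timestamp"
    ts = int(ts_raw)
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # compare_digest on bytes: constant time, and safe for any header content
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    if seen is not None:
        if sig in seen:
            return False, "replayed signature"
        seen.add(sig)  # a real service prunes entries older than the window
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a takedown-completed callback and a replay of it.
    secret = b"constructed-example-secret"
    body = b'{"event":"takedown.completed","domain":"example.com"}'
    now = 1_700_000_000
    headers = {"X-Timestamp": str(now), "X-Signature": sign(secret, now, body)}
    seen = set()
    print(verify(secret, headers, body, now=now, seen=seen))  # (True, 'ok')
    print(verify(secret, headers, body, now=now, seen=seen))  # replayed
    print(verify(secret, headers, body + b" ", now=now))      # mismatch
    print(verify(secret, headers, body, now=now + 600))       # stale
```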

Strong separation of environments

Production and development are fully separated, each with its own credentials and data. Engineers develop against a fully local copy of the stack, so production secrets never touch a developer laptop and development systems are never exposed to the internet.

Backup, recovery and resilience

Daily encrypted AES-256 backups with 7-day point-in-time recovery. Multi-region edge with automatic failover, and stateless functions that recover by redeployment. We run annual restore drills, recorded in our audit evidence, to prove our backups actually work.

Secure development

Controls span the whole software development lifecycle: source control, build and deployment, secrets management and observability, governed by our Secure Development Lifecycle Policy. Every credential is environment-specific, and access to source control and infrastructure is protected by MFA.

Incident management

A documented incident process logs every incident, near-miss and false positive, and each is followed by a postmortem so we learn and improve. Non-conformities are reviewed by management within 24 hours and we aim to resolve them within 30 days, sooner where an issue is high-impact or customer-facing.

People and training

Security is everyone's job here. Our team completes recurring information security training covering compliance, how the web works, encryption and identity, email infrastructure and the threat landscape. Training is tracked and refreshed, and onboarding and offboarding follow a documented checklist.

Data protection & privacy

Built for UK and EU GDPR

We minimise the personal data we hold, are clear about why we hold it, and honour data subject rights. Erasure and privacy requests can be sent to security@defenddomain.com.

What we hold

Account information for your users, such as name, email and notification preferences, plus the domain and threat data needed to deliver the service. We do not store payment card data.

Right to erasure

We act on valid erasure requests within the one-month GDPR statutory deadline, using a documented mask-don't-break approach that removes identifying information while preserving the integrity of audit and billing records.

Retention

Personal data tied to a user account is retained for the life of the account plus a short wind-down window, after which it is masked or deleted.

Backups

Personal data in backups is overwritten by our normal rotation, typically within 7 days.

Sub-processors

A small, carefully chosen set of partners

All reputable platforms with their own strong security postures. Every integration is outbound-only and uses environment-specific credentials.

Supabase (on AWS)

Database, authentication, file storage, secrets vault

Primary store for application data. AES-256 at rest, hosted in AWS eu-west-2.

Vercel (on AWS)

Application hosting, serverless APIs, edge network

Hosting, WAF and DDoS protection.

Railway

Always-on workers processing public threat-data feeds

Outbound-only, holds no PII, no access to the customer database.

Stripe

Payment processing

PCI DSS compliant. No card data stored by DefendDomain.

Resend

Transactional email and alerts

Twilio

SMS threat alerts

Optional alerting channel.

HubSpot

CRM for prospect and customer contact data

Microsoft 365 / SharePoint

Internal documents and email

AES-256 / BitLocker at rest.

OpenAI

AI analysis of suspected impersonation sites

Used to confirm threat intent via API. Not used to train external models.

Google & Bing Search

Content search and search-engine delisting

Part of detection and remediation.

We can provide a current, versioned sub-processor list on request.

Compliance & certifications

Aligned to industry standards

Our information security programme is built and operated in line with the ISO/IEC 27001:2022 standard and GDPR, with independent certification targeted for 2026.

ISO/IEC 27001:2022

ISMS built and operated in line with the standard. Certification targeted for 2026.

UK GDPR / EU GDPR

Compliant, aligned to GDPR Article 32.

PCI DSS (payments)

Handled by Stripe. DefendDomain stores no card data.

Frequently asked questions

The questions security teams ask us most often when running their reviews.

Policy statement

Scope

The scope of this policy is the development and delivery of the DefendDomain platform (https://www.defenddomain.com) by DefendDomain Ltd, including the software and systems that support it.

Information security objectives

DefendDomain Ltd is committed to protecting the confidentiality, integrity, and availability of all customer data. Our information security objectives are to:

  • Achieve zero high-impact data breaches per year.
  • Build and maintain an ISMS aligned to ISO/IEC 27001:2022 and achieve certification, which requires external audits every year.
  • Commission annual third-party penetration testing and vulnerability assessments of the platform.
  • Continually improve the ISMS, delivering at least ten Opportunities for Improvement (OFIs) each year through regular risk reviews, internal audits and management reviews.
  • Be transparent: maintain an information security overview page at https://www.defenddomain.com/security and make further information available on request via security@defenddomain.com.

Our ISMS provides the framework for setting, monitoring, reviewing and achieving these objectives.

David Batey

CTO, DefendDomain Ltd

Last updated 2 June 2026

Built security-first, so you can trust us with what matters.

See how DefendDomain protects organisations across the US, UK and EU from brand and domain impersonation.