Security

How we handle your data.

Bedrock is infrastructure for regulated firms. The ledger is the primary record of advice events, and firms depend on it being intact, confidential, and independently verifiable. This page explains how we hold up that bargain in concrete terms.

Data handling

Everything we do with customer data, stated plainly.

Data residency
AWS eu-west-2 (London). Data never leaves the UK region.
Encryption at rest
AES-256 via AWS KMS for object storage and AWS-managed KMS encryption for RDS.
Encryption in transit
TLS 1.2 minimum on all connections. HSTS with preload enforced on public domains.
Backup
Point-in-time recovery on RDS; S3 versioning with Object Lock (COMPLIANCE mode, 7-year retention).
Access control
Least-privilege IAM. Cognito JWT auth on user endpoints, hashed API keys on firm endpoints, MFA enforced for every user.
Isolation
Production API runs in a private VPC with no internet egress. All external AWS calls route via interface endpoints.

Cryptographic guarantees

The ledger's integrity does not depend on trusting us. Every record is hash-chained and signed so tampering is detectable by third parties.

Record hash
SHA-256 over the canonicalised record payload.
Chain hash
SHA-256 of the current record hash concatenated with the previous record's chain hash.
Signature
ECDSA P-256 over the chain hash. Signing keys held in AWS KMS; the public key is published at api.bedrockcompliance.co.uk/.well-known/signing-key for independent verification.
Immutability backup
Every record is also written to an S3 bucket with Object Lock in COMPLIANCE mode for 7 years — unalterable even by Bedrock.
Public verification
Any record can be verified without trusting Bedrock at verify.bedrockcompliance.co.uk or using the open-source @bedrockcompliance/notary package.

The open-source notary package is at github.com/bedrockcompliance/notary. The signing public key is published at api.bedrockcompliance.co.uk/.well-known/signing-key.

Sub-processors

A complete list of third parties that may process customer data on our behalf.

AWS (Amazon Web Services, Inc.)
Compute, storage, KMS, RDS, SQS. eu-west-2.
Vercel, Inc.
Marketing, dashboard, and public verifier hosting on Vercel Functions (Node.js). All sensitive processing is on our AWS infrastructure.
Resend (Resend, Inc.)
Transactional email delivery (account notifications, contact form, chatbot transcripts).
Anthropic (Anthropic PBC)
Marketing chatbot only. Never used for processing customer advice records.

Compliance & certifications

We're building the evidence base firms need to rely on us. Here's where we are.

SOC 2 Type I
Observation window in progress. Target report Q3 2026.
ISO 27001
Scoped; certification pursued after SOC 2 Type II.

Reporting a vulnerability

If you believe you've found a security issue in any Bedrock system, please email security@bedrockcompliance.co.uk. We'll acknowledge within one UK business day and keep you updated through to resolution. We do not currently run a bug bounty but will recognise reporters in our changelog with permission.

Contact security team
Bedrock AIAsk me anything about Bedrock

Hi! I'm Bedrock's AI assistant. I can answer questions about the product, pricing, compliance coverage, and integrations. What would you like to know?