Trust by Default. Not by Add-On.
Estates compliance data sits next to legal and clinical data on the sensitivity register. Proprietas is built for that: UK/EU hosting, encryption at rest and in transit, multi-tenant isolation enforced in the data layer, documents parsed in-house, and an audit log on every change. Where we're not yet certified, we say so.
What's in Place, Today.
Your application database runs on Railway (UK London region / EU); uploaded documents live in Cloudflare R2 (EU only); daily encrypted backups are kept 30 days in-region. Data at rest stays in the UK/EU. The few sub-processors that involve US processing (AI extraction, billing, edge delivery) are listed in full on the sub-processors page, each under EU Standard Contractual Clauses and the UK IDTA.
Data is encrypted with TLS in transit. Sensitive personal data such as contractor identifiers and lease tenant details is encrypted at the column level with AES-256-GCM, on top of provider disk and bucket encryption. Documents are served only through short-lived signed URLs (15-minute expiry), never public links.
Every PDF is parsed on our own infrastructure: text extraction and OCR for scanned pages run locally, so the file itself is never sent to any third-party AI. Most documents are then classified and read by deterministic logic with no external AI at all. Only where AI extraction is genuinely needed does the extracted text (never the file or page images) go to Anthropic over TLS, and results are cached so the same content is never re-processed.
Every record carries an organisation ID and every query is scoped to it; a query for another organisation's data returns zero rows. One customer's data is structurally invisible to another: not policy, plumbing.
Every compliance, lease, contractor, work-order and billing write produces an audit event (actor, before, after, IP, user-agent) in the same database transaction as the change itself. Exportable as an audit pack for your insurer, Ofsted, CQC or an ISO auditor.
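The two controls above, organisation-scoped queries and an audit event written in the same transaction as the change, shown as an added example in Python with SQLite. This is not Proprietas code; the schema, table names and the `get_status` / `update_status` helpers are assumptions made for illustration.

```python
# Hypothetical schema and helpers for illustration; not Proprietas code.
import json
import sqlite3

SCHEMA = """
CREATE TABLE work_orders (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, status TEXT NOT NULL);
CREATE TABLE audit_events (
    id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, actor TEXT NOT NULL, entity TEXT NOT NULL,
    before_json TEXT, after_json TEXT, ip TEXT, user_agent TEXT);
-- Constructed sample rows: one work order per tenant.
INSERT INTO work_orders VALUES (1, 'org-a', 'open'), (2, 'org-b', 'open');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def get_status(db, org_id, order_id):
    # Every read carries the caller's org_id; another tenant's row yields no result.
    row = db.execute("SELECT status FROM work_orders WHERE id = ? AND org_id = ?",
                     (order_id, org_id)).fetchone()
    return row[0] if row else None

def update_status(db, ctx, order_id, new_status):
    """Change a work order and record the audit event in one transaction."""
    with db:  # commits on success, rolls back everything if any statement raises
        before = get_status(db, ctx["org_id"], order_id)
        if before is None:
            return False  # not this tenant's row: indistinguishable from "not found"
        db.execute("UPDATE work_orders SET status = ? WHERE id = ? AND org_id = ?",
                   (new_status, order_id, ctx["org_id"]))
        db.execute(
            "INSERT INTO audit_events"
            " (org_id, actor, entity, before_json, after_json, ip, user_agent)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (ctx["org_id"], ctx["actor"], f"work_order:{order_id}",
             json.dumps({"status": before}), json.dumps({"status": new_status}),
             ctx["ip"], ctx["user_agent"]))
    return True
```

Because the audit insert shares the transaction with the update, a failed audit write (here, a missing actor violating `NOT NULL`) rolls the status change back with it.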
Multi-factor authentication is mandatory for organisation admins. Sessions are httpOnly, secure, same-site cookies, revocable server-side, and invalidated automatically when a user's role changes.
Contractors and tenants see only their own jobs and data, enforced at the API guard layer. Internally, production access is limited to the founding team on a least-privilege basis; we formalise and expand these controls as the team grows.
Every third party that touches your data is listed with its purpose, data categories, jurisdiction and transfer mechanism, and we give account admins 30 days' notice before adding one. A signed Data Processing Agreement (UK GDPR Article 28) is part of sign-up, before any personal data is stored.
Sectors That Carry Real Data-Protection Liability.
DfE Cyber Security Standards for Schools expect MFA, encrypted backups and supplier-risk assessment: in place today, with an audit pack that maps to them.
GDPR Article 32 plus CQC data-protection expectations: published sub-processor list, encryption at rest, a documented retention schedule, and a data-protection contact.
Per-client data isolation enforced in the data layer. Your client A's data is invisible to client B: not by policy, by query scope.
A DSPT-aligned posture: UK/EU hosting, encryption everywhere, audit logging on every change, published sub-processor register. Single-tenant deployment available on Enterprise where a DPIA requires it.
The Questions Every DPIA Asks.
If your procurement pack has a question we haven't covered here, email security@proprietas.app and we'll answer in writing.
Built So the DPO and the Estates Lead Can Sign the Same Document.
14-day trial. UK/EU hosting at every tier, a signed DPA as part of sign-up, and single-tenant deployment available where procurement requires it.