Security & data

How we protect your operational data.

SubRound holds driver, payroll and carrier data for UK parcel subcontractors. Here's exactly where it lives, how it's encrypted, who can access it, and what we do when something goes wrong.

Last updated: 7 May 2026

Where your data lives

Every SubRound customer runs on a dedicated virtual private server — not a shared multi-tenant database. Your driver records, rotas and carrier statements are physically isolated from every other operator's data.

Hosting

Contabo GmbH — London datacentre (UK).

Data residency

UK only. Data does not leave the country in normal operation.

Database

PostgreSQL 17, encrypted disk volumes, listening only on localhost.

Application

Next.js, containerised, running behind a Caddy reverse proxy.

Encryption

  • In transit: TLS 1.2+ for every connection. HTTPS is automatic and certificates are renewed via Let's Encrypt.
  • At rest: server disks are encrypted at the hosting layer. Database volumes are not exposed to the public internet.
  • Passwords: hashed with bcrypt (per-user salt). We never see, store, or transmit your users' plaintext passwords.
  • Sessions: JWT-based, signed with a per-tenant secret that is rotated if compromise is suspected.

Backups & recovery

Every customer instance runs an automated nightly backup at 03:15 UTC. Backups are encrypted and retained on the following schedule:

  • 14 daily backups (rolling)
  • 8 weekly backups (rolling)

Recovery point objective (RPO) is 24 hours. Recovery time objective (RTO) for a full restore is under 1 hour. Restore drills are documented in our runbook.

Access control

  • Customer side: role-based access (admin / dispatcher / driver). Multi-factor authentication is available for all admin users.
  • Our side: SSH access to customer servers is restricted to the founder via key-based authentication. Passwords are disabled. We do not retain any standing access tokens for customer environments.
  • Audit trail: every settings change, payroll run, and data export is logged with user + timestamp.

Subprocessors

The following third-party services may process limited customer data. We use no other subprocessors.

Subprocessor | Purpose | Data | Region
Contabo GmbH | Server hosting | All operational data (encrypted at rest) | UK
Resend | Transactional email | Recipient name + email + message body | EU/US
Let's Encrypt | TLS certificate issuance | Domain name only | US

If we add a subprocessor, customers are notified at least 14 days in advance.

Compliance & registrations

UK GDPR / Data Protection Act 2018

Data Protection Officer designated. Customers act as data controller; SubRound acts as data processor under a written DPA.

ICO registration (in progress)

Information Commissioner's Office data-controller registration is in progress for the SubRound entity.

ISO 27001 / SOC 2

Not certified. Our practices align with the controls but we have not undertaken formal certification.

Companies House

SUBROUND LTD — UK-registered private limited company (formation in progress).

Incident response

If we believe customer data has been accessed, lost or altered without authorisation:

  • Affected customers are notified within 24 hours of confirmation.
  • The ICO is notified within 72 hours where required under UK GDPR Article 33.
  • A written post-mortem describing root cause, impact and remediation is shared with affected customers within 14 days.

Reporting a vulnerability

If you've found a security issue in SubRound, please email security@subround.com. We respond within 48 hours and don't pursue good-faith researchers.

Data export & deletion

You can export all of your operational data (drivers, vehicles, rotas, invoices, statements) as CSV at any time from the platform. On contract termination, we permanently delete your data within 30 days, with backups purged on the next rotation cycle.