Security
Last updated: 30 June 2026
FT ClientFlow is built to handle sensitive client financial data for FCA-regulated firms. Security is a baseline requirement, not an add-on. This page describes the technical and organisational measures we have in place.
Encryption in transit and at rest
All traffic to and from the platform is encrypted with TLS 1.3. Data at rest is encrypted using AES-256 at the database layer.
Authentication & access control
Accounts are protected by Supabase Auth with secure password hashing. Optional two-factor authentication is available to every firm in Settings.
Data isolation
Each firm's data is logically isolated within the platform. Access to client records is scoped to authenticated users within that firm.
Infrastructure
The application is hosted on Vercel with database infrastructure on Supabase, both operating production environments with independent SOC 2-aligned controls.
Backups & continuity
Database backups run on a recurring schedule with point-in-time recovery available through our infrastructure provider.
Responsible disclosure
If you believe you've found a security issue, contact us immediately at security@fergusontech.co.uk. We investigate and respond to all reports.
Sub-processors
We use a small number of vetted sub-processors to operate the Service: Supabase (database & auth), Vercel (hosting), OpenAI (AI document generation), Resend (email delivery), Stripe (payments), SignWell (e-signatures), and Twilio (SMS, where enabled). Full detail is available in our Privacy Policy.
Reporting a vulnerability
We welcome reports from security researchers. Email security@fergusontech.co.uk with details and we will acknowledge within two business days. Please do not test against live client data or attempt to access accounts that are not your own.
Service availability & incident response
We monitor the platform continuously and aim for high availability in line with the standards expected of a service handling regulated client data. If an incident affects the availability or integrity of the service, we work to restore normal operation as quickly as possible and notify affected firms without undue delay. Formal numeric uptime and response-time SLAs are available as part of an enterprise agreement — contact us to discuss your firm’s requirements.
Data Processing Agreement
A standard-form Data Processing Agreement is available for every Firm. Enterprise customers requiring a bespoke or countersigned copy, or our current security questionnaire responses, can contact hello@fergusontech.co.uk.
Compliance roadmap
We are actively maturing our compliance posture as the platform scales, including independent security review and formal certification (e.g. ISO 27001 / SOC 2) as the firm grows.