Security policy

We protect your data at every stage of its lifecycle.

• At restSensitive documents and proprietary files are stored using AES-256 encryption, managed by our infrastructure providers.
• In transitData moving between your device and our servers is protected by TLS 1.3, preventing interception or tampering.
• Database securityTenant-scoped queries enforced in the data layer ensure users can only access data they are explicitly authorised to see.

We employ a "siloed architecture" to prevent data leakage between organisations.

• Logical partitioning. Your data is strictly isolated from other organisations. The platform uses authenticated session tokens scoped to an organisation to enforce tenancy boundaries on every request.
• Access control. We follow the principle of least privilege. Advancii staff have no proactive access to your raw data; administrative access is strictly logged and restricted to support, troubleshooting, or legal obligations.

• Passwordless authentication. We use passwordless sign-in via single-use email links and WebAuthn-backed passkeys. No reusable passwords are stored.
• Session protection. HTTP-only and SameSite cookies, short-lived tokens, and CSRF protection on state-changing requests reduce session-theft and forgery risks.
• Hardened defaults. We apply strict transport security, Content Security Policy, and input validation across user-facing surfaces.

Advancii minimises your risk by never touching your sensitive financial data.

• Zero-footprint paymentsWe do not store, process, or transmit credit card numbers or bank details on our servers.
• PCI-DSS providersAll transactions are handled by industry-leading, PCI-DSS compliant payment providers, isolated from our primary data environment.

You are the gatekeeper of your data.

• Explicit authorisation. Integrations with partners (e.g., IP insurance or financing) are never automatic. Data is only shared when you trigger a specific workflow.
• Revocable access. You can revoke third-party permissions at any time through your dashboard. Once revoked, access is severed immediately.

Operational providers that may process Customer personal data on our behalf are listed at advancii.com/sub-processors. Each is engaged under a written contract that imposes equivalent data-protection obligations.

• Infrastructure reliability. The platform is designed for high availability on top-tier cloud providers with redundancy across availability zones. Live status is published at status.advancii.com.
• Backups. Production databases are backed up with point-in-time recovery. Backup integrity is tested on a recurring schedule.
• Regular audits. We periodically review our codebase, dependencies, and infrastructure to patch vulnerabilities and stay ahead of emerging threats.

• Customer notificationWhere a confirmed personal data breach affects Customer data, Advancii notifies the Customer without undue delay, and in any event within 48 hours of becoming aware.
• Regulator notificationWhere Advancii acts as a controller, we notify the UK Information Commissioner's Office within 72 hours of becoming aware where required by UK GDPR.
• Post-incidentAffected Customers receive a written post-incident summary covering root cause, scope, and remediation steps.

We welcome reports from security researchers and treat coordinated disclosure as a partnership. Please review our Acceptable Use Policy before testing.

• ScopeProduction services hosted under advancii.com and our app subdomains. Out of scope: third-party services we link to, denial-of-service attacks, social engineering of staff, and physical attacks.
• How to reportEmail admin@advancii.com with subject "Security disclosure". Provide a clear description, reproduction steps, and any proof-of-concept material.
• Our commitmentWe acknowledge reports within 5 business days, keep you updated on triage and remediation, and credit researchers on request once a fix is shipped.
• Safe harbourWe will not pursue or support legal action against researchers who act in good faith, stay within scope, and follow this disclosure process.

Our protocols are designed to meet the standards of UK and EU GDPR. Customer-facing legal commitments are documented in the Privacy Policy and in the data processing terms agreed with each Customer.

For questions about our security controls, or to report a suspected vulnerability: