Pre-release: Hovermarks is in active development. Try the preview at appdev.hovermark.co.uk
Hovermarks

Security & trust

Built for compliance — including our own.

Multi-tenant isolation, Microsoft Entra SSO with Conditional Access MFA, encryption at rest and in transit, Azure UK South hosting, and GDPR-aligned processing. US residency on the roadmap.

Azure UK South · Azure-native · GDPR-aligned · Microsoft sign-in (Email OTP) · Bring-your-own Entra SSO (PKCE) · Conditional Access (MFA)

We treat security like a product feature, not a checkbox. Hovermarks is built on the same Azure primitives you'd use to run a regulated workload of your own.

The pillars of our trust posture

Each one is documented in our trust packet — available under NDA.

  • Multi-tenant isolation

    Every customer gets a logically isolated tenant. Tenant isolation is enforced through query filters that apply automatically to every database read, scoped to the authenticated tenant claim. Foundational tests fail loudly the moment a query forgets the tenant filter.

  • Microsoft Entra ID SSO

    Microsoft Entra ID with PKCE; per-tenant Conditional Access for MFA enforcement. No shared service accounts, no orphaned access.

  • Microsoft sign-in by default — MFA from day one

    Every user signs in with their Microsoft account (email address plus a one-time code Microsoft sends them, via Entra External ID). There is no Hovermarks password to set or steal. Organisations on Professional and Enterprise can layer their own Entra Conditional Access on top to enforce MFA, device compliance, or trusted-network rules. MFA is enforced at sign-in by the identity provider (Microsoft Entra External ID for customers, Microsoft Entra ID for platform admins). Session integrity is verified on every API call via signed JWTs with short expiry.

  • Encryption at rest and in transit

    TLS 1.2+ in transit on every request. Encryption at rest via Microsoft-managed keys (Azure SQL TDE + Storage SSE), with strict per-tenant data isolation enforced at the application layer.

  • Data residency: Azure UK South

    Customer data is hosted in Microsoft Azure UK South — a Tier IV-equivalent Microsoft datacentre with the same security controls as Azure US regions. Data is not replicated outside the UK without your explicit consent. UK GDPR is functionally equivalent to GDPR; our DPA includes EU Standard Contractual Clauses for cross-border transfer. US data residency in Azure East US is on the roadmap for Enterprise customers; talk to us if it's a procurement requirement.

  • GDPR-aligned by design

    Soft-delete with 30-day restore window. Per-tenant data export to JSON. Hard-delete after retention with blob cleanup and a tamper-evident ledger entry. Customer data hosted in Azure UK South under UK GDPR (functionally equivalent to GDPR), with EU SCCs available in our DPA.

  • Tamper-evident audit log

    Every meaningful action — sign-in, asset edit, inspection submit, certificate export — is recorded with actor, timestamp, and IP, on an append-only log.

  • Responsible disclosure

    Found something? Email security@hovermark.co.uk. We acknowledge reports promptly and credit researchers who would like to be named.
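
The multi-tenant isolation pillar above describes tenant filters applied automatically to every read, scoped to the authenticated tenant claim, with tests that fail the moment a query omits the filter. The following is an added illustration of that pattern, not Hovermarks' own code: a small Python repository over an in-memory SQLite database in which the tenant predicate is composed by the repository rather than the caller, plus a guard that rejects hand-written SQL touching a tenant-owned table without a `tenant_id` predicate. Table names, column names and sample rows are constructed for the example.

```python
"""Tenant-scoped repository: reads get the tenant predicate automatically, and a
guard refuses raw SQL against tenant-owned tables that lacks it (illustrative)."""
import re
import sqlite3

# Constructed: tables that carry a tenant_id column and must always be filtered.
TENANT_TABLES = {"assets", "inspections"}


class MissingTenantFilter(Exception):
    """Raised when a query against a tenant-owned table omits the tenant predicate."""


class TenantDb:
    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        # The tenant id comes from the verified token claim, never from request input.
        self.tenant_id = tenant_id

    def select(self, table: str, where: str = "1=1", params=()):
        # The filter is composed here, so a caller cannot forget it.
        sql = f"SELECT * FROM {table} WHERE tenant_id = ? AND ({where})"
        return self.conn.execute(sql, (self.tenant_id, *params)).fetchall()

    def raw(self, sql: str, params=()):
        # Escape hatch for hand-written SQL: fail loudly if a tenant-owned table
        # is referenced without a tenant_id predicate (simple regex check, assumption).
        touched = {t for t in TENANT_TABLES if re.search(rf"\b{t}\b", sql, re.I)}
        if touched and not re.search(r"\btenant_id\s*=", sql, re.I):
            raise MissingTenantFilter(f"query touches {sorted(touched)} without tenant filter")
        return self.conn.execute(sql, params).fetchall()


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data: two tenants sharing one table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, tenant_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO assets (tenant_id, name) VALUES (?, ?)",
                     [("acme", "hoist-1"), ("acme", "hoist-2"), ("globex", "crane-1")])
    return conn


def asset_names(tenant_id: str) -> list:
    """Names visible to one tenant; the other tenant's rows never reach the caller."""
    db = TenantDb(build_demo_db(), tenant_id)
    return [row[2] for row in db.select("assets")]


def unfiltered_query_is_rejected() -> bool:
    """Mirrors the 'fail loudly' test: a raw read without the filter must raise."""
    db = TenantDb(build_demo_db(), "acme")
    try:
        db.raw("SELECT * FROM assets")
        return False
    except MissingTenantFilter:
        return True
```

In a real service the same guard belongs in the test suite and in a query interceptor, so the omission is caught before it reaches production rather than at runtime.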

FORM HVK-CTA-01 · v04 · signed: hovermark · uk

§ 99/Action

Stop chasing paperwork. Start proving compliance.

Hovermarks is in active development. Try the preview today, or drop your email and we'll let you know the moment we hit general availability.

§ 99.1/Waitlist

Notify me at general availability

One email when we go live. That's it.