Security
Last Updated: February 2026
Our Security Commitment
SAR Portal is built with security integrated into every layer. We understand that you’re trusting us with sensitive personal data, and we take that responsibility seriously. This page describes the controls we have in place and how responsibility is shared between SAR Portal and our infrastructure provider.
Infrastructure Security
Cloud Platform
- Microsoft Azure: Enterprise-grade cloud infrastructure (EU region)
- EU Data Residency: All customer data stored and processed within the EU
- Geographic Redundancy: Data replicated with geo-redundant backups and automatic failover
- 99.5% Uptime SLA: High availability architecture
Encryption
- In Transit: TLS 1.2+ with HTTPS enforced via HSTS. All cookies marked Secure
- At Rest: AES-256 encryption for all stored data (Microsoft-managed keys)
- Key Management: HSM-backed key vault for all secrets and signing keys
- PII Hashing: Salted cryptographic hashing for post-anonymisation compliance verification
- File Integrity: Cryptographic hash computed on every uploaded document and retained for 7 years
Security Headers
All responses include security headers to protect against common web vulnerabilities:
- Content-Security-Policy (strict allowlist)
- Strict-Transport-Security (HSTS, 6-month max-age)
- X-Frame-Options (SAMEORIGIN)
- X-Content-Type-Options (nosniff)
- X-XSS-Protection
- Referrer-Policy (strict-origin-when-cross-origin)
- Permissions-Policy (disables unused browser APIs)
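A customer or auditor can check the header list above against a live response. The following is an added example, not SAR Portal's own code: it audits a header mapping against the values this page states. The 180-day reading of "6-month", the test for weak CSP sources, and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumptions (not stated on the page): "6-month" means at least 180 days, and a
# "strict allowlist" CSP has no wildcard, 'unsafe-inline' or 'unsafe-eval' sources.
MIN_HSTS_MAX_AGE = 180 * 24 * 60 * 60
WEAK_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}
# Values the page gives explicitly.
EXACT = {"x-frame-options": "sameorigin",
         "x-content-type-options": "nosniff",
         "referrer-policy": "strict-origin-when-cross-origin"}
# Headers listed without one fixed value: presence here, HSTS and CSP detail below.
PRESENT = ("x-xss-protection", "permissions-policy",
           "strict-transport-security", "content-security-policy")

def audit_headers(headers):
    """Return findings for a response's headers; an empty list means all checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{n}: missing" for n in (*EXACT, *PRESENT) if not h.get(n)]
    for name, want in EXACT.items():
        if h.get(name) and h[name].lower() != want:
            findings.append(f"{name}: expected {want}, got {h[name]}")
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m:
            findings.append("strict-transport-security: no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"strict-transport-security: max-age {m.group(1)} is under 6 months")
    # Inspect each CSP directive's source list for entries that defeat an allowlist.
    for directive in (h.get("content-security-policy") or "").split(";"):
        name, *sources = directive.split() or [""]
        weak = sorted(s for s in sources if s.lower() in WEAK_CSP_SOURCES)
        if weak:
            findings.append(f"content-security-policy: {name} allows {' '.join(weak)}")
    return findings

# Constructed sample responses (not captured from SAR Portal).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BAD = {k: v for k, v in GOOD.items() if k != "Permissions-Policy"}
BAD["Strict-Transport-Security"] = "max-age=86400"
BAD["Content-Security-Policy"] = "default-src *; script-src 'self' 'unsafe-inline'"
```

Pass `audit_headers` the header mapping from any HTTP client; header names are matched case-insensitively.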
Application Security
Authentication & Access
- Enterprise Identity Management: Secure authentication via OAuth 2.0 / OpenID Connect
- Multi-Factor Authentication (MFA): Supported and configurable per tenant
- Role-Based Access Control (RBAC): Four defined roles — Admin, Case Manager, Reviewer, Read Only
- Session Management: Secure cookies with automatic timeout
Input Validation & File Security
- Deep File Validation: Uploaded files verified against actual content type (not just extensions)
- File Size Limits: Enforced per-file and per-request limits
- Path Traversal Prevention: Blob storage paths validated against malicious patterns
- Filename Sanitisation: Dangerous patterns rejected with character limits enforced
- reCAPTCHA Enterprise: Google reCAPTCHA Enterprise on all public forms
Rate Limiting
Rate limiting is applied to all public-facing endpoints to prevent abuse, brute-force attacks, and resource exhaustion. Specific limits vary by endpoint sensitivity.
AI Security
- Prompt Injection Guard: Input validation and injection detection on all AI inputs
- PII Redaction: Multi-layer detection combining multiple Azure AI services
- No Training on Customer Data: Documents processed by Azure OpenAI are not used for model training
- Quota Management: Per-tenant AI cost tracking with warnings and enforcement
- Graceful Degradation: AI features fail safely — files can still be uploaded when AI is unavailable
Data Protection
GDPR Compliance
- Data Processing Agreement (DPA): Available for all customers — see DPA
- Privacy by Design: Tenant isolation, PII log sanitisation, hashing, automatic anonymisation
- Right to Erasure: Full account and data deletion across all systems
- Data Portability: JSON and PDF export always permitted, even under subscription restrictions (GDPR Article 20)
- Legal Hold: Blocks deletion and anonymisation when litigation is pending, with full audit trail
Multi-Tenant Isolation
- Database Level: Tenant data is physically partitioned and isolated at the database layer
- Blob Storage: Tenant-scoped storage paths with time-limited, scoped access tokens
- No Cross-Tenant Access: Tenants cannot access each other’s data under any circumstance
PII Protection in Logs
Personal data is never stored in plaintext in application logs. All personal identifiers (emails, phone numbers, names, financial data) are masked or redacted before logging.
Operational Security
Monitoring & Detection
- Real-Time Monitoring: Alerting, diagnostics, and performance tracking
- Health Monitoring: Automated verification of critical service availability
- Intrusion Detection: Automated threat detection via Azure platform
- Centralised Logging: PII-safe telemetry (no raw personal data in logs)
Incident Response
- 72-Hour Notification: GDPR Article 33 compliant breach notification to data controllers
- Post-Incident Review: Root cause analysis and remediation
- Breach Documentation: All incidents and actions taken are documented
Security Practices
Development
- Secure SDLC: Security considered at design, implementation, and review stages
- Mandatory Code Review: All changes require peer review before merge
- Automated Dependency Scanning: Known vulnerabilities flagged during build
- Static Analysis: Code security analysis integrated into CI/CD pipeline
Connection Security
- Connection limits and timeouts configured to prevent resource exhaustion and slow-rate attacks
- CORS policy restricted to production-configured origins only — no wildcard origins
Shared Responsibility Model
SAR Portal follows the standard enterprise cloud shared responsibility model. It is important to understand which controls are provided by our infrastructure provider (Microsoft Azure) and which are implemented by us.
| Layer | Responsible Party |
|---|---|
| Physical data centres, cooling, power | Microsoft Azure |
| Network infrastructure and hardware | Microsoft Azure |
| OS and platform patching | Microsoft Azure |
| Infrastructure security certifications (ISO 27001, SOC 2) | Microsoft Azure |
| Application security and code | Sekhon IT Consultants Ltd. |
| Access control, RBAC, and audit logging | Sekhon IT Consultants Ltd. |
| Data encryption configuration | Sekhon IT Consultants Ltd. |
| Incident response and monitoring | Shared |
Compliance Posture
SAR Portal (Application Level)
- GDPR: Designed to support compliance with EU and UK data protection requirements
- Irish Data Protection: Registered with the Data Protection Commission (Ireland)
- Security Controls: Designed in alignment with recognised standards (such as ISO 27001), implemented on Microsoft Azure
- Vendor Self-Assessment: Regular internal security assessments conducted and available on request
Note: SAR Portal itself is not independently ISO 27001 or SOC 2 certified. The controls described on this page are based on vendor self-assessment. The underlying Azure infrastructure is independently certified by accredited third-party auditors. For a copy of our latest security compliance statement, contact security@sarportal.com.
Azure Platform Certifications (Inherited Infrastructure)
SAR Portal is built entirely on Microsoft Azure, inheriting their independently audited compliance certifications:
| Certification | Description | Audited By |
|---|---|---|
| ISO/IEC 27001 | Information security management | Independent third-party (BSI / EY) |
| ISO/IEC 27017 | Cloud security controls | Independent third-party |
| ISO/IEC 27018 | Protection of PII in cloud | Independent third-party |
| SOC 1 Type II | Financial reporting controls | Independent auditor (AICPA) |
| SOC 2 Type II | Security, availability, confidentiality | Independent auditor (AICPA) |
| SOC 3 | Public trust services report | Independent auditor (AICPA) |
| CSA STAR Level 2 | Cloud Security Alliance attestation | Independent third-party |
| GDPR | EU data protection compliance | Microsoft Legal (contractual) |
| C5 | German government cloud security standard | Independent third-party |
| ENS High | Spanish National Security Framework | Independent third-party |
For the complete list of Azure certifications, see Microsoft Service Trust Portal.
Sub-Processor Certifications
All sub-processors maintain enterprise security standards and have signed Data Processing Agreements:
| Sub-Processor | ISO 27001 | SOC 2 Type II | PCI DSS | Other |
|---|---|---|---|---|
| Microsoft Azure | Yes | Yes | — | ISO 27018, 27701, CSA STAR L2 |
| Azure OpenAI | Yes | Yes | — | ISO 42001 (AI), 27701 |
| Stripe | — | Yes | Level 1 | SOC 1, EU-US DPF |
| Twilio SendGrid | Yes | Yes | v4 | ISO 27017, 27018 |
| Google reCAPTCHA | * | * | — | *Inherited via Google Cloud |
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@sarportal.com
- We will acknowledge receipt within 24 hours
- We will investigate and provide updates on resolution
- We request that you do not publicly disclose the issue until we’ve had a chance to address it
Questions?
For security-related questions:
- Security Team: security@sarportal.com
- Data Protection Officer: dpo@sarportal.com