Security
Last Updated: May 2026
Our Security Commitment
SAR Portal is built with security integrated into every layer. We understand that you’re trusting us with sensitive personal data, and we take that responsibility seriously. This page describes the controls we have in place and how responsibility is shared between SAR Portal and our infrastructure provider.
Infrastructure Security
Cloud Platform
- Microsoft Azure: Enterprise-grade cloud infrastructure (EU region)
- EU Data Residency: All customer data stored and processed within the EU
- Geographic Redundancy: Data replicated with geo-redundant backups and automatic failover
- 99.5% Uptime SLA: High availability architecture
Encryption
- In Transit: TLS 1.2+ with HTTPS enforced via HSTS. All cookies marked Secure
- At Rest: AES-256 encryption for all stored data (Microsoft-managed keys)
- Key Management: HSM-backed key vault for all secrets and signing keys
- PII Hashing: Salted cryptographic hashing for post-anonymisation compliance verification
- File Integrity: Cryptographic hash computed on every uploaded document and retained for 7 years
Security Headers
All responses include security headers to protect against common web vulnerabilities:
- Content-Security-Policy (strict allowlist)
- Strict-Transport-Security (HSTS, 6-month max-age)
- X-Frame-Options (SAMEORIGIN)
- X-Content-Type-Options (nosniff)
- X-XSS-Protection
- Referrer-Policy (strict-origin-when-cross-origin)
- Permissions-Policy (disables unused browser APIs)
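A way to check a response against the header values listed above and the Secure cookie flag from the Encryption section. This is an added example, not SAR Portal's own code. It assumes "6-month" means 180 days, that a "strict allowlist" CSP has no bare `*` or `unsafe-*` source, and that Permissions-Policy disables at least one feature with `()`; the sample response is constructed.

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # assumption: "6-month max-age" read as 180 days

def _hsts_ok(v):
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    return bool(m) and int(m.group(1)) >= SIX_MONTHS

def _csp_ok(v):
    # Assumption: "strict allowlist" = no bare wildcard, no unsafe-* keywords.
    tokens = v.lower().replace(";", " ").split()
    return not any(t in ("*", "'unsafe-inline'", "'unsafe-eval'") for t in tokens)

def _is(want):
    return lambda v: v.strip().lower() == want

POLICY = {  # header name -> check, following the page's list
    "content-security-policy": _csp_ok,
    "strict-transport-security": _hsts_ok,
    "x-frame-options": _is("sameorigin"),
    "x-content-type-options": _is("nosniff"),
    "x-xss-protection": lambda v: True,  # page states no value; presence only
    "referrer-policy": _is("strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: "=()" in v.replace(" ", ""),  # some API disabled
}

def audit_response(headers):
    """headers: list of (name, value) pairs; returns a list of findings."""
    seen, findings = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"set-cookie: {value.split('=')[0]} lacks Secure")
        else:
            seen[name.lower()] = value
    for name, check in POLICY.items():
        if name not in seen:
            findings.append(f"{name}: missing")
        elif not check(seen[name]):
            findings.append(f"{name}: {seen[name]!r} does not match stated policy")
    return findings

# Constructed sample response (not captured from SAR Portal).
SAMPLE = [
    ("Strict-Transport-Security", "max-age=86400"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
```

An empty list from `audit_response` means every listed header is present with the stated value and every cookie carries `Secure`.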
Threat Detection & Malware Scanning
- Microsoft Defender for Storage v2 — every uploaded document is scanned for malware on upload by Microsoft’s malware engine running in the same EEA region as the storage account (West Europe / Netherlands). File content does not leave the EEA. Scan results are tagged on each blob.
- Sensitive-Data Discovery — automated classification of stored documents by sensitive-data category using Microsoft Purview classifiers, running in the same EEA region. Results applied as blob index tags so we know what categories of data are stored where.
- Microsoft Defender for Cloud (Standard tier) — continuous threat detection, security recommendations and anomalous-activity alerts across App Service, Storage, Key Vault, Cosmos DB and the ARM control plane. Telemetry stored in the same Azure geo as the protected resources.
Application Security
Authentication & Access
- Enterprise Identity Management: Secure authentication via OAuth 2.0 / OpenID Connect
- Multi-Factor Authentication (MFA): Supported and configurable per tenant
- Role-Based Access Control (RBAC): Four defined roles — Admin, Case Manager, Reviewer, Read Only
- Session Management: Secure cookies with automatic timeout
Input Validation & File Security
- Deep File Validation: Uploaded files verified against actual content type (not just extensions)
- File Size Limits: Enforced per-file and per-request limits
- Path Traversal Prevention: Blob storage paths validated against malicious patterns
- Filename Sanitisation: Dangerous patterns rejected with character limits enforced
- reCAPTCHA Enterprise: Google reCAPTCHA Enterprise on all public forms
Rate Limiting
Rate limiting is applied to all public-facing endpoints to prevent abuse, brute-force attacks, and resource exhaustion. Specific limits vary by endpoint sensitivity.
AI Security
- Prompt Injection Guard: Input validation and injection detection on all AI inputs
- PII Redaction: Multi-layer detection combining multiple Azure AI services
- No Training on Customer Data: Documents processed by Azure OpenAI are not used for model training
- Quota Management: Per-tenant AI cost tracking with warnings and enforcement
- Graceful Degradation: AI features fail safely — files can still be uploaded when AI is unavailable
Data Protection
GDPR Compliance
- Data Processing Agreement (DPA): Available for all customers — see DPA
- Privacy by Design: Tenant isolation, PII log sanitisation, hashing, automatic anonymisation
- Right to Erasure: Full account and data deletion across all systems
- Data Portability: JSON and PDF export always permitted, even under subscription restrictions (GDPR Article 20)
- Legal Hold: Blocks deletion and anonymisation when litigation is pending, with full audit trail
Multi-Tenant Isolation
- Database Level: Tenant data is physically partitioned and isolated at the database layer
- Blob Storage: Tenant-scoped storage paths with time-limited, scoped access tokens
- No Cross-Tenant Access: Tenants cannot access each other’s data under any circumstance
PII Protection in Logs
Personal data is never stored in plaintext in application logs. All personal identifiers (emails, phone numbers, names, financial data) are masked or redacted before logging.
Operational Security
Monitoring & Detection
- Real-Time Monitoring: Alerting, diagnostics, and performance tracking
- Health Monitoring: Automated verification of critical service availability
- Intrusion Detection: Automated threat detection via Azure platform
- Centralised Logging: PII-safe telemetry (no raw personal data in logs)
Incident Response
- 72-Hour Notification: GDPR Article 33 compliant breach notification to data controllers
- Post-Incident Review: Root cause analysis and remediation
- Breach Documentation: All incidents and actions taken are documented
Security Practices
Development
- Secure SDLC: Security considered at design, implementation, and review stages
- Mandatory Code Review: All changes require peer review before merge
- Automated Dependency Scanning: Known vulnerabilities flagged during build
- Static Analysis: Code security analysis integrated into CI/CD pipeline
Connection Security
- Connection limits and timeouts configured to prevent resource exhaustion and slow-rate attacks
- CORS policy restricted to production-configured origins only — no wildcard origins
Shared Responsibility Model
SAR Portal follows the standard enterprise cloud shared responsibility model. It is important to understand which controls are provided by our infrastructure provider (Microsoft Azure) and which are implemented by us.
| Layer | Responsible Party |
|---|---|
| Physical data centres, cooling, power | Microsoft Azure |
| Network infrastructure and hardware | Microsoft Azure |
| OS and platform patching | Microsoft Azure |
| Infrastructure security certifications (ISO 27001, SOC 2) | Microsoft Azure |
| Application security and code | Sekhon IT Consultants Ltd. |
| Access control, RBAC, and audit logging | Sekhon IT Consultants Ltd. |
| Data encryption configuration | Sekhon IT Consultants Ltd. |
| Incident response and monitoring | Shared |
Compliance Posture
SAR Portal (Application Level)
- GDPR: Designed to support compliance with EU and UK data protection requirements
- Irish Data Protection: Registered with the Data Protection Commission (Ireland)
- Security Controls: Designed in alignment with recognised standards (such as ISO 27001), implemented on Microsoft Azure
- Cyber Essentials: SAR Portal is operated by Sekhon IT Consultants Ltd., a Cyber Essentials certified organisation (see below)
- Vendor Self-Assessment: Regular internal security assessments conducted and available on request
Note: SAR Portal itself is not independently ISO 27001 or SOC 2 certified. The controls described on this page are based on vendor self-assessment. The Cyber Essentials certification is held by the operating company (Sekhon IT Consultants Ltd.), not by the SAR Portal product as a separate certified entity. The underlying Azure infrastructure is independently certified by accredited third-party auditors. For a copy of our latest security compliance statement, contact security@sarportal.com.
Cyber Essentials Certification
SAR Portal is operated by Sekhon IT Consultants Ltd., which holds Cyber Essentials certification.
Cyber Essentials is a UK Government-backed cyber security scheme, described by the National Cyber Security Centre as the minimum cyber security standard recommended by Government for organisations of all sizes. The scheme is aligned to five technical control areas: secure configuration, user access control, malware protection, security update management, and firewalls.
This certification supports our wider security approach, alongside Microsoft Azure EU-resident hosting, encryption in transit and at rest, role-based access control, audit logging, tenant isolation and the secure data handling processes described elsewhere on this page.
Cyber Essentials forms part of our security baseline. It does not, on its own, guarantee freedom from cyber security vulnerabilities, and we do not present it as such.
- Certificate holder: Sekhon IT Consultants Ltd.
- Certification: Cyber Essentials
- Independent verification: The certificate can be verified via the BlockMark Registry. BlockMark Registry is used by IASME for digital certificates, helping make certificates and badges secure, transparent and verifiable. Certificates can also be searched through the official IASME / NCSC Cyber Essentials certificate search.
What this means in plain English
The company that builds and operates SAR Portal has been certified against the UK Government-backed Cyber Essentials baseline cyber security controls.
SAR Portal the product is not separately certified. The certification applies to the operating organisation, Sekhon IT Consultants Ltd.
For procurement teams, the certificate is verifiable using the link above, and a copy can be supplied on request alongside our due-diligence pack.
Azure Platform Certifications (Inherited Infrastructure)
SAR Portal is built entirely on Microsoft Azure, inheriting their independently audited compliance certifications:
| Certification | Description | Audited By |
|---|---|---|
| ISO/IEC 27001 | Information security management | Independent third-party (BSI / EY) |
| ISO/IEC 27017 | Cloud security controls | Independent third-party |
| ISO/IEC 27018 | Protection of PII in cloud | Independent third-party |
| SOC 1 Type II | Financial reporting controls | Independent auditor (AICPA) |
| SOC 2 Type II | Security, availability, confidentiality | Independent auditor (AICPA) |
| SOC 3 | Public trust services report | Independent auditor (AICPA) |
| CSA STAR Level 2 | Cloud Security Alliance attestation | Independent third-party |
| GDPR | EU data protection compliance | Microsoft Legal (contractual) |
| C5 | German government cloud security standard | Independent third-party |
| ENS High | Spanish National Security Framework | Independent third-party |
For the complete list of Azure certifications, see Microsoft Service Trust Portal.
Sub-Processor Certifications
All sub-processors maintain enterprise security standards and have signed Data Processing Agreements:
| Sub-Processor | ISO 27001 | SOC 2 Type II | PCI DSS | Other |
|---|---|---|---|---|
| Microsoft Azure | Yes | Yes | — | ISO 27018, 27701, CSA STAR L2 |
| Azure OpenAI | Yes | Yes | — | ISO 42001 (AI), 27701 |
| Stripe | — | Yes | Level 1 | SOC 1, EU-US DPF |
| Twilio SendGrid | Yes | Yes | v4 | ISO 27017, 27018 |
| Google reCAPTCHA | * | * | — | *Inherited via Google Cloud |
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@sarportal.com
- We will acknowledge receipt within 24 hours
- We will investigate and provide updates on resolution
- We request that you do not publicly disclose the issue until we’ve had a chance to address it
Questions?
For security-related questions:
- Security Team: security@sarportal.com
- Data Protection Officer: dpo@sarportal.com