Security and Trust
Last Updated: January 21, 2026
Version: 2.1
1. Security Posture
- Encryption in transit (TLS 1.3) and at rest (AES-256 via providers). Encrypted backups with separate keys; 90-day backup window for disaster recovery.
- Role-based access control; MFA enforced for administrators; least-privilege service keys; access logged and reviewed.
- WAF/DDoS protections at the edge; logging and monitoring for anomalies; secure secret storage.
- Zero retention for uploads: required numeric values are extracted and the originals are deleted immediately; staff cannot access raw uploads.
- Hosted on AWS infrastructure with SOC 2 Type II and ISO 27001 attestations (via provider). Stripe PCI-DSS Level 1 for payments.
2. Vulnerability Management
- Regular dependency updates and security patching cadence.
- Periodic penetration testing and automated vulnerability scanning.
- Least-privilege cloud roles; administrative access is audited.
- Secure SDLC practices and change management.
3. Incident Response
We operate a 72-hour breach notification commitment for personal data incidents: we assess and contain the incident, notify regulators when required, and inform affected users without undue delay, including mitigation steps. Contact security@settel.io to report issues. Incidents are logged with lessons learned and remediation tracking.
4. Document Handling
Uploaded documents are transmitted via TLS, parsed for required values, and deleted immediately. Only extracted values are retained (encrypted at rest). We cannot access the original documents once deleted.
5. Compliance Notes
- UK ICO registration: ZC039135.
- GDPR/UK GDPR, CCPA/CPRA, and India DPDP alignment; consent-first tracking.
- Subprocessors bound by DPAs with SCCs/UK IDTA where applicable; see the GDPR page for details.
6. Trust and Availability
- Backups: encrypted, retained up to 90 days for disaster recovery.
- Business continuity: cloud-hosted with regional redundancy as configured; periodic recovery drills.
- Support: email-based, commercially reasonable efforts; no SLA unless agreed in writing.
7. Contact
Security: security@settel.io.
Privacy: privacy@settel.io.
Mailing address: Settel, 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.
Next Review: April 2026