Security, with dates instead of adjectives.
Every vendor says “enterprise-grade security”. This page says what we actually do, what's certified, what isn't yet, and when it will be — so your security review can check claims, not vibes.
How the platform is built
Your own database, not rows in a shared one
Each customer's business data (HR, Finance) lives in its own isolated database, provisioned per tenant. A query for your tenant physically cannot return another company's rows.
Serverless edge, nothing to forget to patch
Blankitt runs on Cloudflare's edge network — no fleet of VMs, no unpatched servers, no SSH keys lying around. The attack surface a traditional stack accumulates simply isn't there.
Encrypted in transit and at rest
TLS 1.2+ on every connection; data encrypted at rest on Cloudflare's storage layer. There is no plain-HTTP path to any Blankitt service.
Modern authentication
RS256-signed JWTs with published JWKS key rotation, TOTP multi-factor authentication, and SAML 2.0 / OIDC single sign-on — SSO is included on paid tiers, never an enterprise upsell.
Least privilege by role
Role-based access control across every product, with read-scoping so people see only what their role allows — and an audit log recording who changed what, when.
Provisioning and integrations, done properly
SCIM 2.0 user provisioning from your identity provider. Outbound webhooks are HMAC-SHA256 signed with replay-window timestamps. API keys are stored as SHA-256 hashes and shown exactly once.
Certification roadmap
We publish this because a roadmap with dates is checkable — and because pretending a pre-launch company already holds every badge would tell you something worse about us than the missing badges do.
| Standard | Status | Detail |
|---|---|---|
| UK GDPR compliance | In place | DPA available to business customers, published sub-processor list, data export and deletion on request. |
| Cyber Essentials + Cyber Essentials Plus | In progress — target Q3 2026 | IASME-certified assessment of our controls, including the technical audit for Plus. |
| ISO 27001:2022 | Target Q1 2027 | Full ISMS certification with a UKAS-accredited auditor. The evidence programme is underway now. |
| ISO 27017 + ISO 27018 | Following 27001 — 2027 | Cloud-security and cloud-PII extensions, added to the 27001 audit cycle. 27018 matters especially for HR data. |
| SOC 2 Type II | Planned on customer demand | Most buyers accept ISO 27001 as an equivalent for a UK vendor. We'll run SOC 2 when a customer genuinely requires it, mapped from the ISO evidence base. |
Certificates will be published on this page as they are issued. Roadmap last updated 5 July 2026.
Day-to-day discipline
- Every production deploy is gated by an automated test suite (1,000+ tests on HR alone) — a failing suite blocks the release.
- Secret scanning runs on every commit; secrets live in the platform's encrypted store, never in code.
- Post-deploy health checks verify the authentication path end-to-end after every release, with immediate rollback if they fail.
- Public products that accept input are protected by Turnstile bot detection and rate limiting.
Your data, your rights
UK GDPR applies to everything we do. Export and deletion on request, a DPA for business customers, and a published list of every third party we use.
Found something?
If you believe you've found a vulnerability in any Blankitt product, tell us directly. Reports go straight to the founder — the escalation chain is one person long.
Report a security concern