Security, with dates instead of adjectives.

Every vendor says “enterprise-grade security”. This page says what we actually do, what's certified, what isn't yet, and when it will be — so your security review can check claims, not vibes.

How the platform is built

Your own database, not rows in a shared one

Each customer's business data (HR, Finance) lives in its own isolated database, provisioned per tenant. A query for your tenant physically cannot return another company's rows.

Serverless edge, nothing to forget to patch

Blankitt runs on Cloudflare's edge network — no fleet of VMs, no unpatched servers, no SSH keys lying around. The attack surface a traditional stack accumulates simply isn't there.

Encrypted in transit and at rest

TLS 1.2+ on every connection; data encrypted at rest on Cloudflare's storage layer. There is no plain-HTTP path to any Blankitt service.

Modern authentication

RS256-signed JWTs with published JWKS key rotation, TOTP multi-factor authentication, and SAML 2.0 / OIDC single sign-on — SSO is included on paid tiers, never an enterprise upsell.

Least privilege by role

Role-based access control across every product, with read-scoping so people see only what their role allows — and an audit log recording who changed what, when.

Provisioning and integrations, done properly

SCIM 2.0 user provisioning from your identity provider. Outbound webhooks are HMAC-SHA256 signed with replay-window timestamps. API keys are stored as SHA-256 hashes and shown exactly once.

Certification roadmap

We publish this because a roadmap with dates is checkable — and because pretending a pre-launch company already holds every badge would tell you something worse about us than the missing badges do.

StandardStatusDetail
UK GDPR complianceIn placeDPA available to business customers, published sub-processor list, data export and deletion on request.
Cyber Essentials + Cyber Essentials PlusIn progress — target Q3 2026IASME-certified assessment of our controls, including the technical audit for Plus.
ISO 27001:2022Target Q1 2027Full ISMS certification with a UKAS-accredited auditor. The evidence programme is underway now.
ISO 27017 + ISO 27018Following 27001 — 2027Cloud-security and cloud-PII extensions, added to the 27001 audit cycle. 27018 matters especially for HR data.
SOC 2 Type IIPlanned on customer demandMost buyers accept ISO 27001 as an equivalent for a UK vendor. We'll run SOC 2 when a customer genuinely requires it, mapped from the ISO evidence base.

Certificates will be published on this page as they are issued. Roadmap last updated 5 July 2026.

Day-to-day discipline

  • Every production deploy is gated by an automated test suite (1,000+ tests on HR alone) — a failing suite blocks the release.
  • Secret scanning runs on every commit; secrets live in the platform's encrypted store, never in code.
  • Post-deploy health checks verify the authentication path end-to-end after every release, with immediate rollback if they fail.
  • Public products that accept input are protected by Turnstile bot detection and rate limiting.

Your data, your rights

UK GDPR applies to everything we do. Export and deletion on request, a DPA for business customers, and a published list of every third party we use.

Found something?

If you believe you've found a vulnerability in any Blankitt product, tell us directly. Reports go straight to the founder — the escalation chain is one person long.

Report a security concern