Security

Security built into how Ubrix works.

Housebuilders and contractors trust Ubrix with operationally sensitive data including customer details, site activity and contractor coordination. The platform is built on modern cloud infrastructure with security practices aligned to how the team actually operates day to day.

Certifications and alignments

Standards we hold and align to

Cyber Essentials certified

Ubrix holds current Cyber Essentials certification, covering the five core technical controls that protect against the most common internet-based threats.

Certificate number 726311be-0ee0-4009-a404-1d5ae226dcc1

UK GDPR aligned

Ubrix operates in alignment with the UK GDPR and the Data Protection Act 2018. Personal data is processed lawfully, fairly and transparently.

ICO registration on file

Hosted in the UK

Ubrix runs on Microsoft Azure with UK region hosting by default, so customer data stays within the UK unless explicitly agreed otherwise.

Fully insured

Ubrix carries Professional Indemnity, Cyber Liability and Technology Errors and Omissions cover at one million pounds each through CFC Underwriting.

Certificates available on request

Operational security

How we protect your data

Security is not a bolt-on at Ubrix but a set of engineering and operational practices that run through how the platform is built, deployed and maintained every day.

Encryption in transit and at rest

All data moving between the user and Ubrix is encrypted using TLS. Data at rest in Azure is encrypted using industry-standard AES-256 encryption.

Role-based access control

Every user sees only the data relevant to their role inside their organisation, with permissions controlled at the account, project and record level.

Single-tenant logical separation

Each customer's data is logically separated with tenant-aware queries on every read and write, so that, by design, one customer's data cannot be returned to another customer.

Modern authentication

Ubrix uses Auth0 for identity, with support for multi-factor authentication and single sign-on available to enterprise accounts.

Continuous monitoring

The platform is monitored continuously for availability, performance and unusual access patterns, with alerting to the engineering team outside working hours.

Regular patching

Application dependencies and underlying infrastructure are kept current, with security patches applied on a rolling basis rather than on a delayed cycle.

Backups and disaster recovery

Customer data is backed up continuously with point-in-time restore available. Backup restoration is tested on a regular cadence.

Least-privilege access for staff

Access to customer data by the Ubrix team is restricted to what is strictly required for support, and all such access is logged.

Data handling and privacy

Your data, handled properly

Where your data lives

Customer data is stored in Microsoft Azure UK South region by default. Data is not transferred outside the UK without explicit customer agreement, and sub-processor relationships are documented and available on request.

Who can see your data

Customer data is visible only to users within the customer's own organisation and to a small number of Ubrix staff who may need short, scoped access for support. All staff access is logged. Ubrix does not sell, share or use customer data for any purpose outside the delivery of the service.

How long we keep it

Customer data is retained for the duration of the customer's contract and for a defined period afterwards as set out in the service agreement. Customers can request export or deletion of their data in line with their contractual rights and their rights under the UK GDPR.

What you can request

Customers and their end users can request access to the personal data Ubrix holds about them, request correction of inaccurate data, request deletion subject to legal and contractual obligations, and raise concerns directly with the team. Full details are in our Privacy Policy.

Responsible disclosure

Found a security issue?

The Ubrix team takes security reports seriously and encourages responsible disclosure. Anyone who believes they have identified a security vulnerability in the platform can reach the team directly.

Security reports

security@ubrix.co.uk

FAQ

Common security questions

Is Ubrix SOC 2 or ISO 27001 certified?

Ubrix is not currently certified against SOC 2 or ISO 27001, but operates many of the same underlying controls as part of its Cyber Essentials certification and day-to-day practices. Formal certification against one or both standards is on the roadmap as the business scales.

Can you complete our security questionnaire?

The Ubrix team is happy to complete standard customer security questionnaires as part of a procurement process, and typically responds within five working days.

Do you support single sign-on?

Single sign-on via SAML or OIDC is available on the enterprise tier and can be configured against your existing identity provider.

Can we see a penetration test report?

Penetration testing is conducted on a regular cadence, and summary reports are available under NDA to customers evaluating the platform at scale.

Where can I find your Data Processing Addendum?

The standard Ubrix Data Processing Addendum is available on request and is signed as part of the contracting process for customers who require one.

Need more detail for your procurement process?

The team is happy to answer questions, complete questionnaires and share documentation under NDA.