AllForProjects

Trust & Security

Last updated: 8 May 2026

AllForProjects is built for UK trades businesses. We process customer data, photos, financial records and engineer activity on their behalf. This page explains the protections we put around that data, who we share it with to deliver the service, and how to ask us a question we haven't answered here.

Data hosting

  • Application: Railway, region: Europe-West (Amsterdam)
  • Database: Railway Postgres, same region. Daily encrypted backups, 7-day retention.
  • File storage: Cloudflare R2, jurisdiction: European Union (EU). UK GDPR-friendly.
  • CDN / DDoS / WAF edge: Cloudflare

Encryption

  • In transit: TLS 1.2 minimum on every public surface (web app, mobile app, marketing site, customer portal, embedded widgets, R2 uploads). HSTS enabled.
  • At rest: AES-256 on Postgres + R2. Keys managed by the cloud provider's KMS; never exported.
  • Backups: Encrypted at rest, geographically separated.

Access control

  • Role-based access in the application (owner / staff / engineer / subcontractor / customer) with least-privilege defaults.
  • Production infrastructure (Railway, Cloudflare R2 tokens, GitHub repos) accessible only to named owner accounts with multi-factor authentication required.
  • Quarterly review of access lists. Access removed within one business day on personnel change.
  • All Railway database tokens scoped per environment (test / prod). R2 tokens scoped to the bucket.

Multi-tenant isolation

  • Every database query is scoped by tenant_id at the application layer; cross-tenant reads are not possible via the API surface.
  • R2 object keys carry the tenant id as the first path segment (<tenantId>/...) so a misdirected presigned URL cannot reach another tenant's data.
  • Embedded widgets use per-tenant public keys with an Origin allowlist, restricting which marketing-site domains can post leads to that tenant.
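
An added example (not AllForProjects code) of two checks described above: confirming that an object key sits under the caller's tenant prefix before a URL is presigned, and resolving a widget public key against its Origin allowlist. The tenant ids, widget keys, domains and function names are hypothetical.

```javascript
// Added illustration; all names and sample values are hypothetical and constructed.
const WIDGET_KEYS = new Map([
  ["pk_demo_plumbing", { tenantId: "t_1001", origins: ["https://www.example-plumbing.co.uk"] }],
  ["pk_demo_roofing", { tenantId: "t_2002", origins: ["https://example-roofing.co.uk"] }],
]);

// A segment is safe if it is non-empty, not a dot segment, and has no
// backslash or control characters that a proxy or client might reinterpret.
function isSafeSegment(s) {
  return s !== "" && s !== "." && s !== ".." && !/[\\\x00-\x1f]/.test(s);
}

// Build a key as <tenantId>/<path>. tenantId must come from the authenticated
// session, never from the request body.
function buildObjectKey(tenantId, relativePath) {
  if (!/^[A-Za-z0-9_-]+$/.test(tenantId)) throw new Error("invalid tenant id");
  const segments = relativePath.split("/");
  if (!segments.every(isSafeSegment)) throw new Error("invalid path segment");
  return [tenantId, ...segments].join("/");
}

// Gate to run before presigning any URL: compare the whole first segment,
// so "t_10011/..." does not pass as tenant "t_1001".
function keyBelongsToTenant(tenantId, objectKey) {
  const segments = objectKey.split("/");
  return segments.length >= 2 && segments[0] === tenantId && segments.every(isSafeSegment);
}

// Map a widget public key plus the request's Origin header to a tenant id,
// or null if the origin is not on that key's allowlist.
function resolveWidgetTenant(publicKey, originHeader) {
  const entry = WIDGET_KEYS.get(publicKey);
  if (!entry || typeof originHeader !== "string") return null;
  let origin;
  try {
    origin = new URL(originHeader).origin; // scheme + host + port, normalized
  } catch {
    return null; // missing, "null" or malformed Origin
  }
  // Exact match only: no suffix, prefix or substring comparison.
  return entry.origins.includes(origin) ? entry.tenantId : null;
}
```

The Origin header is only reliable when it comes from a browser, so this check limits which sites can embed the widget rather than authenticating the sender.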

Logging & monitoring

  • Application audit log for owner / staff actions on financial records (quotes, invoices, payments) and security-relevant events (logins, role changes).
  • HTTP request logs at the Railway edge, retained ≥ 90 days.
  • Database health probe runs on every deploy; a missing migration fails the healthcheck and routes traffic away from the broken release.
  • Error monitoring planned for Q3 2026.

AI processing & provider controls

AllForProjects uses third-party AI services for in-app features (quote draft suggestions, photo diagnosis, lead parsing, receipt OCR, voice memo transcription) and for the public widgets that capture leads on our customers' marketing sites.

  • AI provider API calls are configured to not retain customer data for model training, in line with each provider's commercial terms.
  • Provider prompt / output retention is limited to abuse monitoring (typically 30 days, then deleted).
  • No biometric identification, facial recognition, or unique-individual matching is performed on uploaded photographs.
  • UK → US transfers (where applicable) rely on the UK Extension to the EU-US Data Privacy Framework.

Retention

  • Widget photos: 14 days by default (tenant-tunable).
  • Widget leads (unconverted): 90 days by default.
  • Email-to-lead and marketplace leads (unconverted): 90 days.
  • Converted leads: retained as part of the customer record for the duration of the customer relationship plus 7 years (HMRC / Companies Act 2006 statutory retention).
  • HTTP / audit logs: 90 days.
  • Manual right-to-erasure requests are honoured immediately via the operator UI.

Sub-processors

We use the following third-party services to deliver AllForProjects. The current list is also published as a machine-readable JSON file at /.well-known/sub-processors.json so customers can subscribe to changes programmatically.

Provider | Purpose | Region | Transfer mechanism
Railway | Application hosting, Postgres database | EU (Amsterdam) | — (UK adequacy)
Cloudflare | CDN, DDoS, WAF, Turnstile bot screen, R2 file storage | EU jurisdiction | — (UK adequacy)
Anthropic (Claude) | AI: quote drafts, photo diagnosis, lead parsing, OCR | US | UK Extension to EU-US DPF
OpenAI (Whisper) | Audio transcription (voice memos, video audio) | US | UK Extension to EU-US DPF
Resend | Outbound transactional email (notifications, send-quote, send-invoice) | EU / US | UK Extension to EU-US DPF
Apple App Store / Google Play | Mobile app distribution (planned) | US | UK Extension to EU-US DPF

We give existing customers 30 days' written notice before adding or replacing a sub-processor. Customers may object during that window; if the objection cannot be resolved, the customer may terminate the affected service without penalty.

Incident response

  • We will notify affected customers of a personal data breach within 24 hours of becoming aware, alongside any regulator notification we make.
  • Documented incident response runbook for severity classification, communications and remediation.
  • Annual tabletop exercise planned starting Q3 2026.

Compliance & certifications

  • UK GDPR & Data Protection Act 2018: compliant. ICO registration in progress.
  • SOC 2 Type II: not held; on the 12-18 month roadmap.
  • ISO 27001: not held.
  • For Article 28 contracts, see the Data Processing Agreement. Customers can request a counter-signed copy via privacy@allforprojects.com.

Reporting a security issue

If you've found a vulnerability, please email security@allforprojects.com. We aim to respond within 24 hours during UK business days.

Questions about this page

Email privacy@allforprojects.com. We answer customer compliance questions within 5 business days.