Datumbase · Security & Compliance

Data Residency Statement

Last updated: April 2026

This statement sets out where Datumbase stores, processes, and transmits customer data. It is provided for procurement, due diligence, and contract purposes. If you have questions or require this statement in a different format, contact mbrockhurst@gmail.com.

1. Summary

All primary customer data — including CDM compliance documents, user accounts, and audit logs — is stored within the United Kingdom. Datumbase does not transfer primary customer data to countries outside the UK or EEA for storage purposes.

A small number of ancillary data flows involve processing in the EEA or USA by sub-processors operating under appropriate transfer mechanisms (UK IDTA or equivalent). These flows are described in full in Section 3.

2. Primary Data Storage

Data category	Storage location	Region	Sub-processor
CDM documents (F10, CPP, H&S File, etc.)	UK	eu-west-2 (London)	Supabase
User accounts & authentication	UK	eu-west-2 (London)	Supabase
Uploaded files & document attachments	UK	eu-west-2 (London)	Supabase Storage
Audit logs	UK	eu-west-2 (London)	Supabase
Database backups	UK	eu-west-2 (London)	Supabase
Application hosting (server-side rendering)	UK/EEA edge	Vercel edge network	Vercel

Supabase project ID: adhujidzghwpzlugixsw. Region confirmed as eu-west-2 (London) at project creation and verified in the Supabase dashboard.

3. Sub-Processors and Ancillary Data Flows

The following sub-processors may process data as part of delivering the service. Where data flows outside the UK, the applicable transfer mechanism is identified.

Sub-processor	Purpose	Location	Transfer mechanism
Supabase Inc.	Database, auth, file storage	UK (eu-west-2)	Data stored in UK — no transfer
Vercel Inc.	Application hosting & CDN	USA / global edge	UK IDTA (Standard Contractual Clauses equivalent)
Resend Inc.	Transactional email delivery	USA	UK IDTA
Anthropic PBC	AI-assisted document extraction (optional feature)	USA	UK IDTA — data minimised; no retention by Anthropic

Note on Anthropic:AI-assisted document extraction is an optional feature. When used, document text is transmitted to Anthropic's API for processing. Anthropic operates under a zero data retention policy for API requests — data is not stored or used for model training. Customers can disable this feature entirely by not using the AI extraction function.

4. UK Data Sovereignty

Datumbase is incorporated and operated in England and Wales. The following measures support UK data sovereignty commitments:

Primary database in UK: All customer data at rest is held in Supabase's eu-west-2 (London) region, within UK jurisdiction.
Supabase DPA signed: A UK GDPR-compliant Data Processing Agreement is in place with Supabase Inc. (signed April 2026).
Vercel DPA in place: Vercel's DPA covers international transfers under the UK IDTA framework.
No US-based primary storage: Datumbase does not use AWS, Azure, or Google Cloud regions outside the UK for primary data storage.
Right to erasure: Customer data can be deleted on request, including all backup copies within Supabase's standard backup cycle (typically 7 days for full deletion from backup).

5. Public Sector Procurement Note

For NHS, local authority, and other public sector buyers with specific data residency requirements:

All primary data is stored within the UK (Supabase eu-west-2, London).
Datumbase meets the UK GDPR data residency requirements for public sector use.
Datumbase does not currently hold Cyber Essentials Plus or ISO 27001 certification (see our Security page for current certifications and roadmap).
For contracts with bespoke data residency clauses, contact us to discuss whether Datumbase can meet your specific requirements.

6. Contact

For data residency queries, procurement questionnaires, or to request a written confirmation letter:

Mark Brockhurst
Data Controller — Datumbase / Brockhurst Property Ltd
Email: mbrockhurst@gmail.com
Website: app.datumbase.tech

Security Privacy Notice Acceptable Use Policy Terms of Service Sign in