How we look after your data.
The security, privacy, and compliance posture our partner companies and candidates can expect when working with us. Every claim on this page is backed by a documented process you can ask us to share.
At a glance
The headline status of every regulatory and security area relevant to Ventureship Ltd.
| Area | Status | State |
|---|---|---|
| UK GDPR & Data Protection Act 2018 | Compliant. Privacy notice published, lawful bases documented, records of processing maintained, retention schedule operational. | Active |
| ICO registration | Registered with the Information Commissioner's Office as a data controller. | Active |
| Companies House registration | Ventureship Ltd, England and Wales, company number 16954844, registered office Portland House, Belmont Business Park, Durham, DH1 1TW. | Active |
| Email authentication | SPF, DKIM, and DMARC fully configured at the domain level. Prevents spoofing of @ventureship.co.uk addresses. | Active |
| Vendor due diligence | Every processor we use holds SOC 2 Type II or ISO 27001 (or equivalent). Full register available on request. | Active |
| Breach response | Documented plan committing to ICO notification within 72 hours and individual notification where the risk is high. | Active |
| Two-factor authentication | Enforced on every administrator account that holds or processes user data (GitHub, Google, Microsoft 365, Formspree, Cloudflare, GoDaddy). | Active |
The frameworks we work under
Ventureship operates under the following UK and European regulatory frameworks:
- UK General Data Protection Regulation (UK GDPR) — the framework governing the collection, processing, and storage of personal data of UK residents.
- Data Protection Act 2018 — UK-specific data protection legislation supplementing the UK GDPR.
- Privacy and Electronic Communications Regulations 2003 (PECR) — governs cookies, electronic marketing, and similar communications.
- Companies Act 2006 — UK company-law disclosure requirements (our registration details are shown on every page footer).
- Equality Act 2010 — ensures Ventureship's services are provided without unlawful discrimination.
- Modern Slavery Act 2015 — we take reasonable steps to ensure modern slavery does not occur in our supply chain.
- Bribery Act 2010 — we have a zero-tolerance position on bribery and corruption.
- ICO Age Appropriate Design Code — would apply if any candidate who signs up to our platform were under 18; we mitigate by restricting sign-ups to applicants aged 18 and over.
Where your data lives
Personal data submitted through Ventureship is stored and processed in the following locations under the safeguards listed:
| Where | What is held | Safeguard for transfers out of the UK |
|---|---|---|
| United Kingdom & European Economic Area | Email content (Microsoft 365 EU/UK regional storage), Drive notes after discovery calls (Google Workspace UK regions) | UK adequacy regulations for EEA transfers; data otherwise held in the UK |
| United States | Form submissions (Formspree), discovery booking metadata (Cal.com), transactional email (Resend via Amazon SES), edge analytics (Cloudflare), static website hosting (Netlify, planned) | UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with UK Addendum; processors signed up to the EU-US Data Privacy Framework where applicable |
Our security practices
Authentication and access
- Two-factor authentication enforced on every administrative account (GitHub, Google Workspace, Microsoft 365, Formspree, Cloudflare, GoDaddy) using time-based one-time passcodes from an authenticator app — not SMS.
- Recovery codes for every 2FA-protected account stored in a separate secure location.
- Access to candidate and partner data restricted to active founders only; no third-party employee, contractor, or supplier sees raw submission data without an explicit business need.
- Documented offboarding process to revoke all access promptly when anyone leaves the company.
Transport and network
- HTTPS enforced site-wide via Let's Encrypt; HTTP Strict Transport Security (HSTS) deployed with a long max-age and the includeSubDomains directive.
- Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy security headers configured at the hosting layer.
- Email authentication: SPF authorising Microsoft 365 only, DKIM keys (Microsoft 365 and Resend), DMARC policy of quarantine with reporting to enquiries@ventureship.co.uk.
- Domain registrar lock applied to ventureship.co.uk to prevent unauthorised transfer.
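The transport and email-authentication controls listed above are the kind of posture a partner can verify from the outside. The script below is an added example, not Ventureship's own tooling: it checks a set of response headers and SPF/DMARC TXT records against the stated policy (HSTS with a long max-age and includeSubDomains, the five security headers present, SPF naming only Microsoft 365, DMARC at p=quarantine with aggregate reports to the enquiries mailbox). The header values and DNS records are constructed samples, not the live ones; the six-month HSTS minimum and the Microsoft 365 include name are assumptions of the example. Note that DMARC passes when either an aligned SPF or an aligned DKIM check passes, which is why transactional mail signed with an aligned DKIM key can pass even though SPF authorises only Microsoft 365.

```python
"""Added example, not Ventureship's own tooling: check response headers and
SPF/DMARC TXT records against the policy stated on this page. All inputs are
constructed inline so the script runs offline."""
import re

# Constructed sample of the headers a hosting layer might return.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed TXT records shaped like the stated policy (Microsoft 365 as the
# only SPF sender, DMARC p=quarantine with rua reporting); not the live records.
SAMPLE_TXT = {
    "ventureship.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.ventureship.co.uk": (
        "v=DMARC1; p=quarantine; rua=mailto:enquiries@ventureship.co.uk"
    ),
}

REQUIRED_HEADERS = [
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
]
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months: an assumed "long" minimum


def check_headers(headers):
    """Return findings for the header policy; an empty list means it is met."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h.lower() not in lower]
    hsts = lower.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age missing or shorter than six months")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_spf(record, allowed_includes):
    """SPF should name only the expected sending service and end in a fail qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    includes = {t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")}
    unexpected = includes - set(allowed_includes)
    if unexpected:
        findings.append(f"unexpected SPF include(s): {sorted(unexpected)}")
    if terms[-1] not in ("-all", "~all"):
        findings.append("SPF does not end with -all or ~all")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record, expected_policy, report_mailbox):
    """DMARC should enforce the expected policy and send aggregate reports to us."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != expected_policy:
        findings.append(f"DMARC policy is {tags.get('p')!r}, expected {expected_policy!r}")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if f"mailto:{report_mailbox}" not in rua:
        findings.append("DMARC aggregate reports (rua) not sent to the expected mailbox")
    return findings


def audit(headers, txt_records, domain):
    """Run every check; the combined list is empty when the stated posture holds."""
    findings = check_headers(headers)
    findings += check_spf(txt_records.get(domain, ""), ["spf.protection.outlook.com"])
    findings += check_dmarc(txt_records.get(f"_dmarc.{domain}", ""),
                            "quarantine", "enquiries@ventureship.co.uk")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS, SAMPLE_TXT, "ventureship.co.uk") or ["all checks passed"]:
        print(line)
```

To run it against a live site, replace the two constructed dicts with the response headers from an HTTPS request and the TXT records returned by a DNS lookup for the apex and `_dmarc` names; the checks themselves do not change.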
Data handling
- Data minimisation: we collect only what is necessary to deliver our service. No DOB, address, phone number, nationality, NI number, or special category data. Full audit at legal/data-minimisation-audit.md in our private repository.
- Retention schedule: 24-month default for candidate and company data, 12 months for general enquiries, 6 years for statutory accounting records. Quarterly deletion sweep documented at legal/retention-schedule.md.
- Records of Processing Activities (UK GDPR Article 30) maintained at legal/ropa.md.
- No automated decision-making on candidate applications. Human review at every stage.
Codebase and secrets
- Source code held in a private GitHub repository. No public listing.
- No API keys, secrets, or credentials committed to the repository. .gitignore blocks .env, key files, certificates, design source files, and any /private/ folder.
- Independent automated and manual audits performed at each milestone for accidentally committed secrets.
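The two controls above, an ignore list for sensitive file types and a scan for accidentally committed secrets, complement each other: the ignore list stops whole files, the scan catches a credential pasted into ordinary source. The script below is an added example of such a scan, not Ventureship's audit tooling. It flags staged paths that the ignore rules should already exclude (.env files, key and certificate files, anything under /private/), matches well-known credential formats (the documented AWS access-key prefix, the GitHub token prefix, PEM private-key headers), and treats a generic `key = "..."` style assignment as a finding only when the value has high Shannon entropy, so placeholders are not reported. The staged files and every token in them are constructed and fake; the entropy threshold and the ignore list are assumptions of the example, chosen to mirror the .gitignore rules described above.

```python
"""Added example, not Ventureship's audit tooling: a minimal pre-commit style
scan for secrets in staged files. Inputs are constructed inline; every token
below is fake so the script runs offline."""
import math
import re

# Credential shapes with documented public formats, plus a generic assignment
# pattern whose captured value is filtered by entropy to skip placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # assumed cut-off: random 16+ char tokens sit well above it

# Assumed ignore rules mirroring the .gitignore described on the page.
IGNORED_NAMES = (".env",)
IGNORED_SUFFIXES = (".pem", ".key", ".p12", ".pfx", ".crt")


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for a repeated single character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def should_be_ignored(path):
    """True when .gitignore ought to have kept this path out of the commit."""
    name = path.rsplit("/", 1)[-1]
    return (name in IGNORED_NAMES or name.startswith(".env.")
            or name.endswith(IGNORED_SUFFIXES) or "/private/" in f"/{path}")


def scan_text(path, text):
    """Return (path, line_number, pattern_name) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1) if match.groups() else match.group(0)
                if name == "generic_assignment" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                    continue  # low-entropy value such as a placeholder
                findings.append((path, lineno, name))
    return findings


def scan_staged(files):
    """Scan a mapping of staged path -> contents; line 0 marks a path-level finding."""
    findings = []
    for path, text in files.items():
        if should_be_ignored(path):
            findings.append((path, 0, "path should be ignored by .gitignore"))
        findings.extend(scan_text(path, text))
    return findings


# Constructed staged files; every credential here is fake. The AWS value is
# the placeholder key used in AWS's own documentation.
STAGED = {
    "src/config.py": (
        "# constructed sample source file\n"
        'DB_PASSWORD = "q7Rz2XmA9bKd4NpW1cFh8LtY6vGs3JeU"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        "TIMEOUT = 30\n"
    ),
    ".env": "API_KEY=xxxxxxxxxxxxxxxxxxxx\n",
    "deploy/private/server.key": "-----BEGIN RSA PRIVATE KEY-----\n(fake key body)\n",
    "README.md": "Token lifetime is 30 minutes.\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_staged(STAGED):
        print(f"{path}:{lineno}: {name}")
```

Wired in as a pre-commit hook, the scan would read the staged file list from git instead of the `STAGED` dict and return a non-zero exit status when `scan_staged` reports anything, blocking the commit until the finding is resolved.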
Sub-processors we use
We use the following sub-processors, each of which is bound by a Data Processing Agreement under UK GDPR Article 28 and meets at least SOC 2 Type II or ISO 27001 standards. The full vendor-security register, including links to each processor's compliance page, is available on request.
| Processor | Purpose | Certifications |
|---|---|---|
| Formspree, Inc. | Receives form submissions | SOC 2 Type II |
| Cal.com, Inc. | Discovery call scheduling | SOC 2 Type II, ISO 27001 |
| Google (Workspace / Cloud) | Email, calendar, Meet, Drive | SOC 1/2/3, ISO 27001/27017/27018/27701, FedRAMP |
| Microsoft 365 (via GoDaddy) | Email hosting at @ventureship.co.uk | SOC 1/2/3, ISO 27001/27017/27018/27701, FedRAMP |
| Resend, Inc. | Transactional email delivery | SOC 2 Type II (with AWS SES backend) |
| Cloudflare, Inc. | Cookieless analytics & edge security (when enabled) | SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS, FedRAMP |
| Netlify, Inc. | Static website hosting (planned) | SOC 2 Type II |
| GoDaddy.com, LLC | Domain registrar & DNS | PCI DSS; ICANN accredited registrar |
Your rights and how to use them
Under UK GDPR you have the following rights over your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — ask us to correct anything inaccurate or incomplete
- Right to erasure — ask us to delete your data (subject to lawful basis exceptions)
- Right to restrict processing — limit how we use your data
- Right to data portability — get your data in a portable format
- Right to object — object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — at any time for processing based on consent
- Right not to be subject to automated decision-making — we do not use solely automated decisions about you
To exercise any of these rights, email enquiries@ventureship.co.uk with "Data request" in the subject line. We will acknowledge within three working days and respond substantively within one calendar month.
If you are not satisfied with our handling, you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint or call 0303 123 1113.
Breach response commitment
If we ever experience a personal data breach affecting your information, we will:
- Contain the breach within one hour of awareness;
- Assess severity and impact within 24 hours;
- Notify the Information Commissioner's Office within 72 hours of awareness where the breach is likely to result in a risk to your rights;
- Notify you directly without undue delay if the risk to your rights is high;
- Document every breach (notifiable or not) internally as required by UK GDPR Article 33(5).
The full plan is maintained at legal/breach-response.md internally and is shared on request.
Cookies and tracking
Our website does not currently set any tracking, advertising, or analytics cookies. The only cookies we ever use are strictly necessary — for example, remembering your preference if we ever show a cookie notice. Cloudflare Web Analytics, which we may use, is cookieless and does not track individuals across sessions. We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar, or any similar advertising or session-replay tracker.
If we ever introduce non-essential cookies, we will ask for your explicit consent before they are set and provide clear controls to manage your preferences.
Compliance documents
Public documents are linked below. Internal documents (RoPA, vendor register, breach response plan, retention schedule, data minimisation audit) are available to enterprise partners and regulators on written request.
- Privacy notice: full UK GDPR Article 13 / 14 disclosures: what data, why, how long, who else sees it, your rights.
- Terms of service: the contract governing your use of the site and our services.
- Data Processing Agreement: our standard processor-side DPA template, available on request to Partner Companies.
- Sub-processor register: full list of vendors handling personal data on our behalf, with their certifications and DPA status.
- Records of Processing Activities: UK GDPR Article 30 record of every data flow, purpose, processor, and retention period.
- Breach response plan: documented detect-contain-assess-notify-document workflow with 72-hour ICO commitment.
Contact
Questions, requests, complaints, or security disclosures all go to:
enquiries@ventureship.co.uk
For data-protection requests, please include "Data request" in the subject line. For suspected security vulnerabilities, please include "Security disclosure" in the subject line and we will route accordingly.