Policies
Last updated: 28 June 2026
Security & Trust
Calceum Limited (“Calceum”) builds software that accounting practices and their clients trust with sensitive financial and personal data. This page summarises how we protect it. We are a UK company and our platform is built UK-first.
Certifications and compliance
| Item | Status |
|---|---|
| Registered with the Information Commissioner’s Office (ZC156359) | In place |
| UK GDPR and Data Protection Act 2018 | Compliant |
| Cyber Essentials | Working towards |
| ISO/IEC 27001 alignment | Planned; our controls are designed in line with it |
We are deliberately clear about what we hold today versus what is on our roadmap. We will update this page as we achieve new certifications, and we will never imply a certification we do not hold.
Data protection and residency
- UK data residency. Customer data is hosted in the United Kingdom (AWS London region, eu-west-2).
- Encryption. Data is encrypted in transit (TLS 1.2 or above) and at rest (AES-256-GCM). Particularly sensitive identifiers, such as National Insurance numbers, UTRs, and HMRC credentials, are additionally encrypted at the application level.
- Access control. Access follows least-privilege principles with role-based controls and multi-factor authentication on production systems.
Resilience and operations
- Backups. Automated, encrypted backups with documented recovery procedures.
- Monitoring. Application performance monitoring, logging, and alerting (configured to avoid capturing personal data).
- Incident response. A defined incident-response process, including breach notification to the ICO and affected customers where required.
- Secure development. A secure-development lifecycle with dependency and vulnerability management and change control.
Open banking
Account-information and payment-initiation features are provided through [ ], which is authorised and regulated by the Financial Conduct Authority (FRN [ ]). Calceum acts as its agent. Payments are authorised by the account holder with strong customer authentication at their own bank, and move directly bank-to-bank; Calceum does not hold customer funds.
Identity verification
Where identity verification is used, it is performed by a specialist provider certified to recognised standards (including SOC 2, ISO/IEC 27001, and independent presentation-attack-detection testing). Biometric checks are handled as special-category data under strict data-protection controls, with raw biometric samples minimised and retained no longer than necessary.
Sub-processors
The third parties we use to operate the platform are listed in our Sub-Processor List, with their purpose and location.
Reporting a vulnerability
If you believe you have found a security vulnerability, please email security@calceum.com with the details. We welcome responsible disclosure and will acknowledge your report. Please do not publicly disclose an issue before we have had a chance to address it.
More information
See our Privacy Policy for how we handle personal data, and our Sub-Processor List for the providers we rely on. Questions: hello@calceum.com.