Policies

Last updated: 28 June 2026

Security & Trust

Calceum Limited (“Calceum”) builds software that accounting practices and their clients trust with sensitive financial and personal data. This page summarises how we protect it. We are a UK company and our platform is built UK-first.

Certifications and compliance

ItemStatus
Registered with the Information Commissioner’s Office (ZC156359)In place
UK GDPR and Data Protection Act 2018Compliant
Cyber EssentialsWorking towards
ISO/IEC 27001 alignmentPlanned; our controls are designed in line with it

We are deliberately clear about what we hold today versus what is on our roadmap. We will update this page as we achieve new certifications, and we will never imply a certification we do not hold.

Data protection and residency

  • UK data residency. Customer data is hosted in the United Kingdom (AWS London region, eu-west-2).
  • Encryption. Data is encrypted in transit (TLS 1.2 or above) and at rest (AES-256-GCM). Particularly sensitive identifiers, such as National Insurance numbers, UTRs, and HMRC credentials, are additionally encrypted at the application level.
  • Access control. Access follows least-privilege principles with role-based controls and multi-factor authentication on production systems.

Resilience and operations

  • Backups. Automated, encrypted backups with documented recovery procedures.
  • Monitoring. Application performance monitoring, logging, and alerting (configured to avoid capturing personal data).
  • Incident response. A defined incident-response process, including breach notification to the ICO and affected customers where required.
  • Secure development. A secure-development lifecycle with dependency and vulnerability management and change control.

Open banking

Account-information and payment-initiation features are provided through [ ], which is authorised and regulated by the Financial Conduct Authority (FRN [ ]). Calceum acts as its agent. Payments are authorised by the account holder with strong customer authentication at their own bank, and move directly bank-to-bank; Calceum does not hold customer funds.

Identity verification

Where identity verification is used, it is performed by a specialist provider certified to recognised standards (including SOC 2, ISO/IEC 27001, and independent presentation-attack-detection testing). Biometric checks are handled as special-category data under strict data-protection controls, with raw biometric samples minimised and retained no longer than necessary.

Sub-processors

The third parties we use to operate the platform are listed in our Sub-Processor List, with their purpose and location.

Reporting a vulnerability

If you believe you have found a security vulnerability, please email security@calceum.com with the details. We welcome responsible disclosure and will acknowledge your report. Please do not publicly disclose an issue before we have had a chance to address it.

More information

See our Privacy Policy for how we handle personal data, and our Sub-Processor List for the providers we rely on. Questions: hello@calceum.com.