Security posture

Built for organisations that are held to account.

Volunteer emergency services answer to funders, inspectors and the public. Standby is built so the answers are already in one place — access controlled, changes logged, data where it should be.

Role-based access

Membership roles scope every view and action, enforced at the API by per-tenant policies — not just hidden in the UI. An officer sees their unit, a sector manager their sector, a national manager every unit.

Multi-factor sign-in

TOTP two-factor with recovery codes, on top of OIDC single sign-on with an email fallback. Volunteers enrol themselves from the account screen.

Immutable audit trail

Every state change and record view is logged with actor and timestamp, viewable in the console audit log. Nothing is edited away.

Tenant isolation

Each organisation is a separate tenant. Cross-tenant isolation is proven at both the query and the request layer — data never crosses between organisations.

EEA hosting, encrypted

Tenant data is hosted in the EEA and encrypted at rest, aligned to ISO 27001 controls.

GDPR data-subject rights

Consent history, data export and account erasure are self-service for every user — the data-subject rights GDPR requires, built into the product.

Questions

Trust & compliance, answered

Where is our data hosted?

In the EEA, encrypted at rest, aligned to ISO 27001 controls. Each organisation's data is isolated in its own tenant.

How is access controlled?

Role-based access is enforced at the API by per-tenant policies, not merely hidden in the interface. Sign-in adds TOTP multi-factor on top of OIDC single sign-on.

Can we get our data out?

Yes. Reports export to CSV in one click, and GDPR data export is self-service per user. Your data is yours.

Is there an audit trail?

Every state change and record view is written to an immutable audit log with actor and timestamp, viewable in the console.

Bring your compliance questions.

We'll walk your team through access control, hosting and audit on a 30-minute call.
