Where we are today
Wattcue is pre-launch. This page describes our current security posture honestly: what is already in place, what is in progress, and what we commit to before taking on pilot data.
We would rather be candid with delivery partners now than make claims that have to be walked back during procurement. Nothing on this page is aspirational marketing language.
Data minimisation
Our first control is not collecting data we don't need. The marketing site collects no household data. Pilot engagements operate under a separate data processing agreement and only process the minimum dataset needed for consented follow-through, casework, reminders, evidence, and reporting.
- No household data is collected on wattcue.com
- Pilot engagements use programme-level data under written agreements
- Sensitive categories of data are avoided unless a partner specifically requires them and a DPIA has been completed
Tenant separation
Partner tenants are logically isolated from one another at the application and data layers. No partner can see another partner's data. We treat tenant separation as a safeguarding control as well as a commercial one: cohort membership can itself be sensitive.
Encryption
All traffic to wattcue.com and to production Wattcue systems runs over TLS. Production data at rest is encrypted using provider-managed keys with documented key rotation. Backups are encrypted and access-controlled.
- TLS 1.2 or higher in transit, with HSTS
- AES-256 encryption at rest for production data stores
- Encrypted, access-controlled backups
Access control
Team access to Wattcue systems follows least privilege. Administrative access requires multi-factor authentication. Access is reviewed on a schedule and on every team change.
- Least-privilege role-based access control
- Multi-factor authentication required for administrative access
- Access reviews on joiner, leaver, mover, and on a scheduled cadence
- Audit logging of administrative actions
Subprocessors
We keep our subprocessor list short on purpose. Partners can request the current list before contract and will be notified in advance of any material change. UK and EEA processors are preferred; where a processor is located elsewhere, we rely on UK- and EU-approved transfer safeguards.
Vulnerability disclosure
If you believe you have found a security vulnerability in a Wattcue system, please report it to security@wattcue.com. We will acknowledge within two working days and work with you to validate and remediate.
We ask researchers to avoid privacy-impacting testing, service disruption, and accessing accounts or data that are not their own. Good-faith reports that respect these boundaries will never result in legal action from us.
Governance and certifications
Our governance roadmap is calibrated to the public-sector and third-sector delivery partners we serve.
- Cyber Essentials: certification in progress ahead of first pilot
- ISO 27001 alignment: controls mapped; certification timed with commercial growth
- Data Protection Impact Assessments available to partners on request
- Record of Processing Activities maintained under UK GDPR Article 30
Incident response
We operate a documented incident response process covering detection, containment, communication, and post-incident review. Where partner contracts require it, we commit to notifying the partner within a specified window after an incident is confirmed; typical commitments are 24 to 72 hours depending on severity and regulatory obligations.
Independent testing
Independent penetration testing of the platform is scheduled ahead of the first production pilot. A summary report can be shared with partners under mutual non-disclosure.