Data Security & Storage
We understand that your data is one of your most valuable assets. At Service Geeni, we’re committed to keeping it safe, secure, and always available when you need it. This article outlines where your data is stored, how it’s protected, and what measures we take to back it up and ensure business continuity.
Where is Your Data Stored?
Hosting Provider: Our platform is hosted on Microsoft Azure, a cloud provider that meets internationally recognised compliance standards, including:
ISO 27001, 27018
SOC 1, SOC 2, SOC3
GDPR
Data Residency: All customer data is stored in their North Europe data centre, with backups in their West Europe location. We do not move or replicate your data outside of these regions without your explicit consent or a lawful basis to do so.
Infrastructure Redundancy: Azure’s geographically separate data centres provide high availability and resilience against failure, helping to ensure minimal disruption even in extreme scenarios.
Where is Your Data Processed?
All of our data services are hosted in the same Azure Regions
Emails are sent via our third party email service, SendGrid, you can read about their security policies here: https://sendgrid.com/en-us/policies/security.
Who Has Access to Your Data?
Internal Access is Restricted: Only a limited number of authorised personnel have access to customer data — typically members of our support and infrastructure teams, and only when required to resolve specific issues.
Principle of Least Privilege: We follow the principle of least privilege and only give access to resources our staff need to be effective in their role.
Audit Trails & Monitoring: Every access to credentials is logged, timestamped, and includes the user ID.
Logs are stored securely, immutable and reviewed periodically as part of our internal security auditing.
Data Security Measures
We apply multiple layers of security controls to protect your data from unauthorised access or loss:
Encryption
In Transit: All data is encrypted via TLS 1.2 or higher.
At Rest: All data stored in our databases and backups is encrypted using AES-256.
Authentication & Access Control
Role-based access control (RBAC) is enforced across the platform.
Support for secure passwords and optional multi-factor authentication (MFA).
Vulnerability & Threat Management
Regular automated vulnerability scans.
Periodic third-party penetration testing.
Ongoing threat monitoring and incident response.
Backups
Your Data is stored across two Azure products:
Azure SQL - Main Transactions are held in Azure SQL
Backup Frequency: We perform automated encrypted backups of your data multiple times per day; a transaction log backup every 10 to 15 minutes, a differential backup every 12 hours and a full backup weekly.
Backup Retention: Backups are retained on a rolling 35-day cycle, allowing for recovery from a wide range of scenarios.
Testing: Backup recovery processes are tested regularly to ensure data can be restored when needed.
Azure Blob Storage - Uploads and attachments (for example, PDFs and Pictures) are held in Azure Blob storage.
The service keeps at least 6 copies of each file across multiple geographies and offers 99.99999999999999% (16 nines) durability.
Disaster Recovery & Failover
RTO (Recovery Time Objective): under 4 hours
This refers to the target time for restoring access to your system after a major disruption (such as a server issue or outage).
RPO (Recovery Point Objective): under 1 hour
This refers to how much recent data could be lost in a worst-case scenario.
Our target in a disaster is to get you back up and running within 4 hours with a maximum of 1 hour of data loss.
For example, if your service went offline at 10:00, we would aim to get the system back to how it was at 09:00 by 14:00 the same day. These recovery targets ensure we can restore service quickly and with minimal data loss in the event of a major incident.
Backup Location: All backups are stored in the same geographic region mentioned above to comply with data residency requirements.
Compliance & Data Rights
GDPR / UK GDPR Compliant: We follow the principles of data minimisation, purpose limitation, and user control.
Cyber Essentials: We hold are compliant with Cyber Essentials