Trust & Security Centre

Your data is safe with bigECOs

Echo is built on enterprise-grade infrastructure. This page explains how we protect your data, what standards our infrastructure meets, and how we handle your rights as a data subject.

AES-256: Encryption at rest
TLS 1.3: Encryption in transit
London: Primary data residency
72h: Breach notification
Standards & Certifications

Built on certified infrastructure

bigECOs does not yet hold independent ISO 27001 certification — we are transparent about this. Our infrastructure providers hold certifications trusted by the world's largest organisations, and your data is stored and processed entirely within that certified environment.

ISO 27001 (via Google Cloud): Infrastructure certified
ISO 27017, cloud security (via Google Cloud): Infrastructure certified
ISO 27018, cloud privacy (via Google Cloud): Infrastructure certified
SOC 2 Type II (via Google Cloud & Vercel): Infrastructure certified
SOC 1 & SOC 3 (via Google Cloud): Infrastructure certified
ISO 27001 (own), bigECOs direct certification: Planned 2027
Security

How we protect your data

Security is designed into every layer of Echo, from how you authenticate to how your customers' data is stored and accessed.

Encryption at rest and in transit
All data is encrypted using AES-256 at rest by Google Cloud. All communications use TLS 1.3. No data is ever stored or transmitted unencrypted.
Passwordless authentication
Echo uses one-time login codes sent to your verified email. No passwords are stored. Session tokens expire after 8 hours and are never written to persistent browser storage.
UK data residency
Customer data is stored in Google Cloud region europe-west2 (London, UK). Data does not leave this region except for specific processing described in our sub-processor register.
Role-based access controls
Pro and Enterprise accounts support Admin and Member roles. All access is strictly scoped to your organisation's data. No user can access another organisation's data.
Infrastructure monitoring
Google Cloud and Vercel provide continuous security monitoring and anomalous access detection. Service account credentials are stored as server-side environment variables, never in application code.
Backup and recovery
Firestore provides automated daily backups with point-in-time recovery. All backup data is stored within the same UK geographic region.
Your Data

Where your data goes and why

Exactly what data Echo processes, where it travels, and what controls you have.

1. You add customers
Customer data is stored encrypted in Google Cloud Firestore (London). It never leaves this store except during a Match search.
(Stored in UK · AES-256)

2. You run a Match
Prospect page text and anonymised customer descriptions are sent to Voyage AI to semantically rank your references, then to Anthropic's API to generate scored match results and talking points. Neither provider uses this data for model training.
(TLS 1.3 · No model training)

3. Deep Connections runs
For Pro/Enterprise accounts, company names are queried against official public company registers (UK, US, EU, AU). No personal data is transmitted to these registers.
(Official public records)

4. Results returned
Match results are returned to your browser over TLS. Results are not persisted server-side. They are displayed in session memory only.
(TLS 1.3 · Not stored)

5. Account closure
Customer data is available to export for 30 days after closure. After this it is permanently deleted. Authentication records are deleted within 90 days.
(30-day export)
Your data subject rights — Under UK GDPR you have the right to access, correct, delete or export your personal data at any time. To exercise any right contact [email protected]. You may also lodge a complaint with the ICO at ico.org.uk.
Compliance

Regulatory compliance

How bigECOs meets its obligations under UK data protection law and other applicable regulations.

UK GDPR & Data Protection Act 2018
bigECOs operates as a data processor when handling Enterprise customer data. We provide a Data Processing Agreement (DPA) for all Enterprise accounts. Our Privacy Policy is available at bigecos.com/privacy.
International transfers
Where Personal Data is transferred outside the UK we rely on the UK IDTA or UK-US Data Privacy Framework where applicable. All sub-processors are contractually bound to equivalent data protection standards.
AI transparency
Echo uses Anthropic's Claude AI to generate results and Voyage AI embeddings to semantically rank customer references. AI outputs are informational only. Neither Anthropic nor Voyage AI uses submitted data for model training. Echo does not make automated decisions with legal effect.
Breach notification
In the event of a Personal Data Breach we will notify affected Enterprise customers within 72 hours of becoming aware, in accordance with UK GDPR. We will provide breach details and remediation steps taken.
Data Processing Agreements
A DPA is available for Enterprise customers and any organisation that requires one for procurement. Contact us at [email protected] to request our DPA.
Cookie policy
We use only essential cookies required to operate the service — session authentication tokens only. No tracking, advertising or analytics cookies. No third-party advertising networks have access to your activity.
Sub-processors

Third-party providers

All sub-processors are contractually bound to data protection standards equivalent to those in our DPA. We will provide 30 days' prior notice of any changes.

Provider: Google LLC (Firebase / Cloud Firestore)
Location: USA (data stored: europe-west2, London)
Transfer basis: UK-US Data Privacy Framework
Processing activity: Database hosting; user authentication; session management; customer data storage

Provider: Vercel Inc.
Location: USA (compute: nearest region)
Transfer basis: UK IDTA / SCCs
Processing activity: Application hosting; serverless API execution; CDN delivery

Provider: Anthropic PBC
Location: USA
Transfer basis: UK IDTA / SCCs
Processing activity: AI processing of prospect URLs and anonymised customer reference data to generate match scores and talking points. API terms confirm no model training on submitted data. 30-day data retention.

Provider: Voyage AI Inc.
Location: USA
Transfer basis: UK IDTA / SCCs
Processing activity: Semantic embedding of prospect page text and anonymised customer company descriptions to rank reference relevance. No personal data transmitted. Embeddings are ephemeral and not retained.

Provider: Resend Inc.
Location: USA
Transfer basis: UK IDTA / SCCs
Processing activity: Transactional email: login codes, welcome emails, team invitations

Provider: Stripe Inc.
Location: USA
Transfer basis: UK IDTA / SCCs
Processing activity: Payment processing for Pro and Enterprise subscriptions. Stripe does not receive customer reference or prospect data.

Provider: Public Company Registers (UK, US, EU & Australian authorities)
Location: UK / US / EU / AU
Transfer basis: Domestic registers; no personal data transfer
Processing activity: Official public company register lookups for Deep Connections (UK, US, EU, AU). Only company names queried. No personal data transmitted.

We will provide at least 30 days' prior written notice of any changes to this list. Enterprise customers may object within 14 days of notification.

FAQ

Security & compliance questions

bigECOs does not currently hold its own ISO 27001 certification and we are transparent about this. Our infrastructure providers — Google Cloud and Vercel — both hold ISO 27001 certification, and your data is stored and processed within that certified infrastructure. We plan to pursue our own certification as the business scales, with a target of 2027.
No. Anthropic's enterprise API terms explicitly confirm that data submitted via the API is not used for model training. Your customer data and prospect URLs are processed ephemerally to generate your results and are not retained by Anthropic beyond their standard 30-day data retention policy.
Your customer data is stored in Google Cloud region europe-west2 (London, United Kingdom). Processing for AI match generation requires transmission to Anthropic's US-based API, which is covered by appropriate UK international transfer safeguards including the UK IDTA.
Yes. A DPA is included as standard with all Enterprise accounts and is available on request for any organisation that requires one for procurement compliance. Email [email protected] to request our DPA.
Your customer data remains available for export for 30 days after account closure. After this period it is permanently deleted from our systems. User authentication records are deleted within 90 days. We can provide written confirmation of deletion on request.
Each account's data is strictly isolated in Firestore using security rules that enforce organisation-level data segregation. bigECOs staff access to customer data requires multi-factor authentication and is restricted on a strict need-to-know basis. No customer can access another customer's data.
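To make concrete what organisation-level segregation in Firestore security rules means, here is an added illustration (not bigECOs' actual rules). It assumes customer records live under orgs/{orgId}/customers and that each signed-in user carries orgId and role custom claims set server-side at login; the weak pattern is shown commented out beside the scoped one.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: orgId and role are custom claims minted server-side at
    // login, so the client cannot change them.
    function signedIn() {
      return request.auth != null;
    }
    function inOrg(orgId) {
      return signedIn() && request.auth.token.orgId == orgId;
    }
    function isAdmin(orgId) {
      return inOrg(orgId) && request.auth.token.role == 'admin';
    }

    // Weak pattern (kept only for contrast): any signed-in user of any
    // organisation could read and write every organisation's customers.
    // match /orgs/{orgId}/customers/{customerId} {
    //   allow read, write: if request.auth != null;
    // }

    match /orgs/{orgId} {
      // Members may read their own organisation; only admins change it.
      allow read: if inOrg(orgId);
      allow write: if isAdmin(orgId);

      match /customers/{customerId} {
        // The path's orgId must equal the caller's claim, so a request
        // for another organisation's path is denied even when signed in.
        allow read, write: if inOrg(orgId);
      }
    }

    // Any path not matched above is denied by default.
  }
}
```

Rules like these are checked per request by Firestore itself, so the isolation holds even if application code sends a query for a path outside the caller's organisation.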
Enterprise customers may request security audits under the terms of our DPA, with a minimum of 30 days' notice. We can also provide documentation of our security controls to support your own assessment process. Contact us to discuss your requirements.
Contact

Security questions?

If you have a security concern, a procurement question or would like to request our DPA, contact us directly. We aim to respond to all security enquiries within one business day.

Security contact: response within 1 business day
Legal entity: Solid Contracts Ltd (trading as bigECOs), registered in England & Wales · No. 06601172; bigECOs® TM No. UK00003470850
Supervisory authority: Information Commissioner's Office, ico.org.uk · 0303 123 1113