DATA GOVERNANCE & COMPLIANCE

Your data stays yours.

Ring-fenced data architecture. Role-based access controls. Full audit trail. Built for institutional compliance requirements from day one.

Role-Based Data Isolation

The platform serves three distinct roles: Lenders, Investment, and Solicitors. Each operates within a fully ring-fenced environment with dedicated database tables, separate API modules, and JWT-enforced access controls. A lender's loan book, borrower data, and payment records are never accessible to any other role. This separation is enforced at the API layer, not the frontend, so it cannot be bypassed by altering client-side code.

Lender Data Protection

Data Category | Lender | Investment | Solicitor
Lender data (loan book, payment records, borrower information)
Cross-lender payment signals
Investment data (targets, deals, bids)
Solicitor data (matters, searches)

Investment Data Sources — Public Only

Investment users on the platform analyse acquisition targets using exclusively public and self-sourced data: Companies House (public record), Experian (licensed commercial data available to any subscriber), HM Land Registry (public), Insolvency Service records (public), and agent marketing materials provided directly through the transaction process. No lender-contributed data — including borrower information, loan book data, or payment behaviour — is accessible to investment accounts.

Cross-Lender Intelligence — Lender Exclusive

The cross-lender payment alert system is a lender-only feature. When a borrower entity appears across multiple lender accounts and shows late payments at one institution, anonymised alerts are generated for other lenders with exposure. No lender identity is disclosed — the alert indicates a payment delay has been detected, not which lender reported it. This feature is exclusively available to lender accounts. Investment and solicitor accounts have no access to cross-lender data at any level.

Access Controls & Audit Trail

Every account is assigned an immutable role at registration, encoded in signed JWT tokens and verified on every API request. Every database query is scoped to the authenticated user's account — there is no “view all” capability. All operations are logged in dedicated per-role activity log tables with user ID, action type, entity references, and timestamps.
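The controls described above (a role claim in a signed token, a role guard in the lender module, an owner-scoped query and a per-role activity log) can be exercised together in the following added example, which is not the platform's own code. HS256 signing, the `sub` and `exp` claims, and all table and function names are assumptions; only `account_type` comes from this page.

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"constructed-demo-key"  # constructed; real keys live in a secret store

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(txt):
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
def _mac(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, account_type, exp):  # stand-in for the login service (HS256 assumed)
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps({"sub": sub, "account_type": account_type, "exp": exp}).encode())
    return f"{head}.{body}.{_b64(_mac(head + '.' + body))}"

def verify(token):
    """Return the claims only if alg, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")
        if not hmac.compare_digest(_mac(head + "." + body), _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("exp", 0) < time.time():
            raise PermissionError("expired")
    except (ValueError, TypeError, AttributeError):
        raise PermissionError("malformed token") from None
    return claims

def lender_loans(db, token):
    """Lender-module handler: role guard, owner-scoped query, audit row."""
    claims = verify(token)
    if claims.get("account_type") != "lender":
        raise PermissionError("lender role required")
    rows = db.execute("SELECT borrower, balance FROM lender_loans "
                      "WHERE owner_id = ?", (claims["sub"],)).fetchall()
    db.execute("INSERT INTO lender_activity_log VALUES (?, ?, ?, ?)",
               (claims["sub"], "list_loans", "lender_loans", int(time.time())))
    return rows

def demo_db():  # constructed sample data: two lenders, one loan each
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE lender_loans (owner_id, borrower, balance);"
                     "CREATE TABLE lender_activity_log (user_id, action, entity, ts);")
    db.executemany("INSERT INTO lender_loans VALUES (?, ?, ?)",
                   [("lender-1", "Acme Ltd", 100000), ("lender-2", "Beta Ltd", 50000)])
    return db
```

A reviewer can use the same shape as a checklist: the guard reads the role from the verified claims rather than from request parameters, and the `WHERE owner_id = ?` filter is bound to the token's subject rather than to any client-supplied ID.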

Data Protection Compliance

UK GDPR and Data Protection Act 2018 compliance. Lawful basis: legitimate interest (B2B commercial data) and contract performance. Data minimisation: each role accesses only the data necessary for its function. Purpose limitation: lender data is never repurposed for other roles. Companies House data is Crown Copyright under the Open Government Licence. Experian data is licensed B2B data, independent of any lender relationship.

Summary of Controls

Role assignment: Immutable account_type in JWT
API enforcement: Dedicated module per role with role guard
Database isolation: Separate tables per role
Row-level security: Every query scoped to user ID
Cross-lender data: Lender-only; other roles have zero access
Lender loan book: Never exposed to non-lender roles
Audit trail: Per-role activity logs

Built for compliance. Ready for review.

Request a full technical walkthrough with your compliance team.