Compliance & Security

Security You Can Put in Front of Procurement

Read-only IAM access, no data exfiltration, UK GDPR compliance, and a signed DPA available within 24 hours.

🔑 Read-Only IAM
🇬🇧 UK GDPR Compliant
📂 DPA Available
🏭 EU Data Residency
🔒 No Data Exfiltration

Read-Only AWS IAM Access

PGFlare uses a cross-account IAM role with the minimum permissions required to perform the analysis. No write permissions. No access to your application data.

Permission                       Allowed   Purpose
rds:DescribeDBInstances          Yes       Read instance class, engine version, parameter group, storage config
cloudwatch:GetMetricData         Yes       Read CPU, IOPS, connections and latency metrics from CloudWatch
cloudwatch:GetMetricStatistics   Yes       Read historical metric data for trend analysis
rds:DescribeDBLogFiles           Yes       List slow query log files only; downloading them requires rds:DownloadDBLogFilePortion, which is not in the default policy and is added only with your written authorisation
rds:DescribeDBParameters         Yes       Read parameter group settings (autovacuum, work_mem, max_connections)
rds:ModifyDBInstance             Never     We never modify your database or instance configuration
rds:CreateDBSnapshot             Never     No snapshots or backups are created
s3:GetObject / s3:PutObject      Never     No access to your S3 buckets

The complete IAM policy JSON is shown in the IAM setup guide. The role is created in your own AWS account, so you control its trust policy and can delete it the moment the engagement concludes.
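Before attaching a vendor-supplied role, a client's security team normally wants to verify for themselves that the policy is read-only. The following Python is an added example (it is not the JSON from PGFlare's IAM setup guide): it builds a policy from the permission table above plus a trust policy, then checks both. Every Allow action must be on the read-only list, no wildcards are accepted, Resource "*" is tolerated only for the two CloudWatch actions that AWS does not allow to be resource-scoped, and the trust policy must name a single account and require an sts:ExternalId. The account IDs, region, instance name and ExternalId value are placeholders.

```python
"""Check that a cross-account IAM role is read-only before attaching it."""
import copy

# Illustrative policy built from the permission table. Placeholder IDs/ARNs.
ANALYSIS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeTargetInstance",
            "Effect": "Allow",
            "Action": ["rds:DescribeDBInstances", "rds:DescribeDBLogFiles"],
            "Resource": "arn:aws:rds:eu-west-2:111111111111:db:prod-postgres",
        },
        {
            "Sid": "DescribeParameterGroup",
            "Effect": "Allow",
            "Action": "rds:DescribeDBParameters",
            "Resource": "arn:aws:rds:eu-west-2:111111111111:pg:prod-postgres-params",
        },
        {
            # CloudWatch metric reads have no resource type, so "*" is required here.
            "Sid": "ReadMetrics",
            "Effect": "Allow",
            "Action": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"],
            "Resource": "*",
        },
    ],
}

# Trust policy: only the vendor account (placeholder) may assume the role, and
# only with a per-engagement ExternalId (confused-deputy mitigation; assumed here).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "engagement-2026-03-example"}},
    }],
}

# The only actions the engagement may use; anything else is a finding.
ALLOWED_ACTIONS = {
    "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameters",
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_policy_issues(policy):
    """Return human-readable problems; an empty list means the policy is read-only."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append(f"{sid}: NotAction/NotResource grants by exclusion; use an explicit Allow")
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:  # "rds:*" or "*" would cover write actions
                issues.append(f"{sid}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                issues.append(f"{sid}: action {action!r} is not on the read-only allow-list")
        if "*" in _as_list(stmt.get("Resource", [])) and any(
            not a.startswith("cloudwatch:") for a in actions
        ):
            issues.append(f"{sid}: non-CloudWatch actions granted on Resource '*'")
    return issues


def find_trust_issues(trust):
    """Flag trust policies that let anyone assume the role or omit the ExternalId."""
    issues = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            issues.append("trust policy allows any AWS principal to assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            issues.append("trust policy has no sts:ExternalId condition (confused-deputy risk)")
    return issues


def tampered_copy(policy, sid, extra_action):
    """Deep-copy a policy and add one action to the named statement (to exercise the check)."""
    tampered = copy.deepcopy(policy)
    for stmt in tampered["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = _as_list(stmt["Action"]) + [extra_action]
    return tampered


if __name__ == "__main__":
    print("policy:", find_policy_issues(ANALYSIS_POLICY) or "read-only, OK")
    print("trust: ", find_trust_issues(TRUST_POLICY) or "single principal + ExternalId, OK")
    bad = tampered_copy(ANALYSIS_POLICY, "DescribeTargetInstance", "rds:ModifyDBInstance")
    print("tampered:", find_policy_issues(bad))
```

Run the check against the JSON you actually receive (json.load it in place of ANALYSIS_POLICY). The allow-list approach deliberately rejects wildcards even when they happen to match only read actions today, because a later AWS service update could add write actions under the same prefix.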


UK GDPR Compliance

PGFlare acts as a data processor under UK GDPR and the Data Protection Act 2018. We process only the minimum data required to perform the analysis.

Data we process

RDS metadata (instance class, parameter groups), CloudWatch performance metrics, and normalised query shapes from pg_stat_statements. pg_stat_statements is a Postgres view rather than an AWS API, so it is read over a database connection using a read-only database role, separate from the IAM role; its query text is normalised with constants replaced by $1, $2 placeholders, so literal values never appear. We do not access application tables or PII.

Lawful basis

Legitimate interest (performance analysis) and contractual necessity. Processing is limited to the duration of the engagement; afterwards data is held only for the periods in the retention policy below (metric snapshots 30 days, reports 12 months, the latter for audit purposes) and then deleted.

Data residency

All analysis is performed within EU/UK infrastructure. No data is transferred to third countries (e.g. the US) without explicit written authorisation and an appropriate transfer safeguard: the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

Retention policy

Analysis reports retained for 12 months then securely deleted. CloudWatch metric snapshots retained for 30 days then deleted. No long-term data warehousing of client metrics.

Data Processing Agreement (DPA)

A pre-signed DPA in standard UK GDPR format is available within 24 hours of request. Suitable for regulated industries including FinTech, HealthTech, and e-commerce.


Incident Response & Breach Notification

In the unlikely event of a security incident involving client data, PGFlare follows a documented incident response procedure aligned with ICO guidance.

00–01h

Detection & Containment

Immediate revocation of all PGFlare internal access credentials, including those used to assume client cross-account roles (the roles themselves live in your AWS account, so you can also delete them at any time). The incident is then scoped to identify the affected client data and the attack vector.

01–04h

Client Notification

Affected clients notified by email within 4 hours of containment. Notification includes what data was involved, how we contained it, and interim mitigation steps.

24–72h

ICO Notification

If the breach is likely to result in risk to individuals, we notify the ICO within 72 hours as required under UK GDPR Article 33. Clients receive a full incident report.

7 days

Root Cause & Remediation

Full root cause analysis report delivered to all affected clients with permanent remediation steps and updated security controls.


Operational Security

Security practices applied to all PGFlare engagements, regardless of client size.

  • One cross-account IAM role per engagement, never reused across clients. Each engagement uses a fresh role scoped to the specific RDS instance and parameter-group ARNs; the CloudWatch metric actions cannot be resource-scoped and are granted on "*".
  • No credentials stored beyond the session. All AWS API calls use temporary STS credentials obtained by assuming the role; there are no long-term access keys.
  • Analysis tooling runs in isolated environments. Per-engagement compute instances, not shared infrastructure.
  • No client data in PGFlare internal databases. Reports are delivered as PDF/Markdown documents, not persisted in a SaaS database.
  • Findings delivered over TLS-encrypted email or a secure link. No plaintext report transmission; shared links are time-limited signed URLs.
  • Sub-processors limited to AWS (compute), Resend (transactional email) and Supabase (waitlist only). Waitlist data is limited to email address and company name; this is personal data in its own right, but nothing from an analysis engagement is stored in Supabase.

Procurement Checklist

Standard questions asked by security and procurement teams, with PGFlare's answers.

Q: Do you hold ISO 27001 certification?
A: No (sole trader / small practice). Full security practices are documented and available. ISO 27001 is on the roadmap for Q3 2026.

Q: Do you hold Cyber Essentials?
A: Cyber Essentials certification is in progress. Expected Q2 2026.

Q: Is there a DPA available?
A: Yes, available within 24 hours of request. Email hello@pgflare.com.

Q: Will data leave the UK / EU?
A: No. All analysis runs on EU/UK infrastructure. No US transfers.

Q: Do you require write DB access?
A: Never. The IAM role is read-only, and where pg_stat_statements is reviewed a read-only database role is all that is needed. Application tables are never read.

Q: Do you use subprocessors?
A: Yes: AWS (compute), Resend (email), Supabase (waitlist only). Full subprocessor list on request.

Q: How long is data retained?
A: Reports: 12 months. Metric snapshots: 30 days. Both securely deleted on schedule.

For specific security questionnaires or vendor onboarding requests, email hello@pgflare.com with the subject "Security Questionnaire".