Security a compliance officer can sign off.
CapEmber is built for FCA-regulated firms, which means data protection isn't a feature — it's the foundation. Here's exactly how your clients' data is protected.
CapEmber is built for FCA-regulated firms, which means data protection isn't a feature — it's the foundation. Here's exactly how your clients' data is protected.
Sensitive data is encrypted at rest with AES-256-GCM. Documents and backups are encrypted before they leave the platform, so your storage provider only ever sees ciphertext.
Write-once-read-many backups with compliance retention — records can't be altered or deleted before their retention period expires. Built for FCA record-keeping, GDPR and DORA.
Product data is hosted in London. Account data sits with Cloudflare under EU jurisdiction controls. No data is sold, and there are no third-party advertising trackers.
Per-firm isolation keeps each firm's data separate, and role-based access controls who can see and do what — so principals get oversight without exposure.
Who did what, and when — captured automatically and immutable after the fact. Reconstruct the complete history of any client file in seconds.
Passwords are stored only as salted hashes, sessions are signed, and optional TOTP two-factor authentication with single-use backup codes is available on every account.
The test we hold ourselves to is simple: could a careful compliance officer read how the system works and sign it off without caveats? That shapes every decision. Sensitive data is encrypted before it touches storage, so a breach of a storage provider yields ciphertext, not client information. Backups are immutable, so records can be trusted to be tamper-evident. And every action is logged in a way that can't be quietly rewritten, so the audit trail is evidence rather than a best guess.
We also believe security shouldn't depend on the website. The marketing site itself ships a strict Content-Security-Policy, HTTP Strict Transport Security, and sensible framing and referrer protections — and the private analytics that power our own dashboard store no IP addresses or personal data, only a daily-rotating salted hash used purely to count unique visitors.
Doing due diligence? If your firm needs specifics for a security review or supplier assessment, email [email protected] and we'll walk you through the detail.