Security and data handling, in plain English
Trust Centre
What PaySlipIQ does with your data, who else touches it, where it lives, and the certifications we hold or are pursuing. Built for press, B2B partners, and curious users who want the detail.
How a payslip check moves through our systems
- You enter numbers or upload a photo on /check. EXIF metadata is stripped client-side before upload.
- The image or numbers travel over TLS 1.3 to our Vercel-hosted Next.js API route at /api/analyse (London edge, region lhr1).
- Our API forwards the image and a system prompt to Anthropic Claude Sonnet 4.6 for vision extraction and analysis.
- Anthropic returns structured JSON. We parse and validate it, then return the result to your browser.
- The original image is held only in transient server memory during the request lifecycle. We do not persist payslip content to any database, log, or file.
- Anonymised flag counters (e.g. "1 emergency tax code seen") are aggregated to Upstash Redis for the quarterly Anomaly Index — never tied to your data.
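One way to do the client-side metadata stripping in the first step, shown here as an added example and not PaySlipIQ's own code: walk the JPEG marker segments and drop the ones that carry Exif, XMP, IPTC and comments, so the pixel data is never re-encoded. The allowlist of kept APPn segments, the sample file (constructed bytes, not a real photo) and the JPEG-only scope are this example's assumptions; the page does not say how its own stripping works.

```javascript
// Added example (not PaySlipIQ's code): strip metadata from a JPEG in the
// browser by walking its marker segments and dropping the ones that carry
// Exif/XMP/IPTC/comments, without re-encoding the pixels.
// Assumes JPEG input only; PNG, WebP and HEIC carry metadata in other
// containers and need their own handling.

const SOI = 0xd8, EOI = 0xd9, SOS = 0xda, COM = 0xfe;
// APPn segments kept because decoders rely on them: APP0 (JFIF), APP2 (ICC
// colour profile) and APP14 (Adobe colour-transform flag). Every other APPn
// (APP1 Exif/XMP, APP13 IPTC/Photoshop, ...) and COM is dropped.
const KEEP_APP = new Set([0xe0, 0xe2, 0xee]);

function isStandalone(marker) {
  // Markers with no length field: SOI, EOI, TEM and RST0..RST7.
  return marker === SOI || marker === EOI || marker === 0x01 ||
    (marker >= 0xd0 && marker <= 0xd7);
}

function shouldDrop(marker) {
  const isApp = marker >= 0xe0 && marker <= 0xef;
  return (isApp && !KEEP_APP.has(marker)) || marker === COM;
}

function concat(chunks) {
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let off = 0;
  for (const c of chunks) { out.set(c, off); off += c.length; }
  return out;
}

// Returns the cleaned bytes plus the marker codes that were removed. Throws on
// anything that is not a structurally sound JPEG, so a malformed or
// mislabelled file is rejected rather than forwarded.
function stripJpegMetadata(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== SOI) {
    throw new Error('not a JPEG (missing SOI)');
  }
  const chunks = [bytes.subarray(0, 2)];
  const dropped = [];
  let pos = 2;
  while (pos < bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    while (pos < bytes.length && bytes[pos] === 0xff) pos++; // 0xFF fill bytes
    if (pos >= bytes.length) throw new Error('truncated file');
    const marker = bytes[pos++];
    if (isStandalone(marker)) {
      chunks.push(Uint8Array.of(0xff, marker));
      if (marker === EOI) break;
      continue;
    }
    if (pos + 2 > bytes.length) throw new Error('truncated segment header');
    const len = (bytes[pos] << 8) | bytes[pos + 1]; // includes its own 2 bytes
    const segEnd = pos + len;
    if (len < 2 || segEnd > bytes.length) throw new Error('bad segment length');
    if (shouldDrop(marker)) dropped.push(marker);
    else chunks.push(Uint8Array.of(0xff, marker), bytes.subarray(pos, segEnd));
    pos = segEnd;
    if (marker === SOS) {
      // Entropy-coded scan data has no length field. Metadata segments
      // precede the first scan, so the rest of the file is copied verbatim.
      chunks.push(bytes.subarray(pos));
      break;
    }
  }
  return { bytes: concat(chunks), dropped };
}

// Byte-level substring search, used to confirm a tag really is gone.
function containsAscii(bytes, text) {
  const needle = new TextEncoder().encode(text);
  outer: for (let i = 0; i + needle.length <= bytes.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (bytes[i + j] !== needle[j]) continue outer;
    }
    return true;
  }
  return false;
}

// Constructed sample, not a real photo: JFIF header, an Exif APP1 segment with
// a fake TIFF header, a camera comment, a minimal DQT, then a scan and EOI.
function buildSampleJpeg() {
  const enc = new TextEncoder();
  const seg = (marker, payload) => {
    const len = payload.length + 2;
    return [0xff, marker, len >> 8, len & 0xff, ...payload];
  };
  return Uint8Array.from([
    0xff, SOI,
    ...seg(0xe0, [...enc.encode('JFIF\0'), 1, 1, 0, 0, 1, 0, 1, 0, 0]),
    ...seg(0xe1, [...enc.encode('Exif\0\0'), ...enc.encode('MM\0*'), 0, 0, 0, 8, ...enc.encode('GPS?')]),
    ...seg(COM, [...enc.encode('Made with PhoneCam')]),
    ...seg(0xdb, [0x00]),
    ...seg(SOS, []),
    0x12, 0x34, 0xff, 0x00, 0x56, // scan data, including a stuffed 0xFF00
    0xff, EOI,
  ]);
}
```

In a page like /check this would run on `new Uint8Array(await file.arrayBuffer())` and the returned bytes would be wrapped in a `Blob` of type `image/jpeg` for upload. Re-drawing the image through a canvas also discards metadata, but it recompresses the pixels and loses the ICC profile; segment stripping keeps the image byte-for-byte. Either way the server should still treat the upload as untrusted input (magic-byte check, size limit), since a client-side step can be bypassed.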
Sub-processors
PaySlipIQ uses the following processors. We update this list within 30 days of any change.
| Processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Vercel | Hosting, edge cache, serverless functions | EU + USA | SCCs + UK IDTA |
| Anthropic | AI vision + analysis (Claude Sonnet 4.6) | USA | SCCs + UK IDTA |
| Upstash | Redis rate-limit counters (no PII) | EU | UK GDPR adequacy |
| GA4 | Anonymised analytics (behind consent) | EU + USA | DPF + SCCs |
| Microsoft Clarity | Aggregate session insights (masked, behind consent) | EU + USA | DPF + SCCs |
Anthropic data retention
Anthropic's commercial terms allow them to retain API inputs and outputs for up to 30 days for trust-and-safety review. PaySlipIQ does not store payslip data ourselves, but we want you to know exactly what our AI provider does. Inputs are not used to train Anthropic models. We are evaluating Anthropic's Zero Data Retention (ZDR) tier so we can guarantee zero retention at the AI provider; until that is signed, the 30-day trust-and-safety review window applies. We will update this page within 7 days of any change.
Security posture
- TLS 1.3 enforced site-wide; HSTS preload submitted
- Strict Content-Security-Policy, with COOP and CORP headers, moving toward full enforcement (selected CSP directives are currently report-only)
- Daily Anthropic call ceiling (ANTHROPIC_DAILY_CALL_LIMIT=300) plus a per-IP rate limit of 3 checks per hour to defend against abuse
- No payslip content stored in any database, log, or analytics; the data flow is documented in our architecture diagram (available on request by email)
- Source code in a private GitHub repository with branch protection and required review
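The two-layer call budget above (a per-IP window plus a global daily ceiling) as an added example, not PaySlipIQ's implementation: the key names, the HMAC-pepper on the IP, the fail-closed choice when the counter store is unreachable, and the in-memory stand-in for Redis INCR + EXPIRE are all this example's assumptions. The constants mirror the 3/hour and ANTHROPIC_DAILY_CALL_LIMIT=300 figures the page states.

```javascript
// Added example, not PaySlipIQ's code: a two-layer quota check for a route
// that fronts a paid model API. Layer 1 is a fixed window per client
// (3 calls/hour); layer 2 is a global ceiling per UTC day on upstream calls.
// `store` stands in for Upstash Redis using only INCR + EXPIRE semantics;
// MemoryCounterStore is an in-memory model of that so this runs offline.

const PER_IP_LIMIT = 3;
const PER_IP_WINDOW_SECONDS = 3600;
const DAY_SECONDS = 86400;
// Mirrors the ANTHROPIC_DAILY_CALL_LIMIT=300 setting named on the page.
const DEFAULT_DAILY_CALL_LIMIT = 300;

class MemoryCounterStore {
  constructor() { this.entries = new Map(); }
  // Behaves like `INCR key` followed by `EXPIRE key ttl` only when the key is
  // new: the TTL is fixed at creation and not refreshed by later increments.
  // The `now` argument exists for deterministic runs; a real Redis client
  // would ignore it.
  async incr(key, ttlSeconds, now = Date.now()) {
    const cur = this.entries.get(key);
    if (cur && cur.expiresAt > now) { cur.value += 1; return cur.value; }
    this.entries.set(key, { value: 1, expiresAt: now + ttlSeconds * 1000 });
    return 1;
  }
}

// The counter key carries an HMAC of the IP rather than the IP itself, so the
// shared counter store holds no raw addresses (the pepper is an assumed secret
// taken from configuration). Node's crypto is loaded dynamically so this runs
// under both CommonJS and ESM; on an Edge runtime use crypto.subtle instead.
async function clientKey(ip, pepper, windowStart) {
  const { createHmac } = await import('node:crypto');
  const tag = createHmac('sha256', pepper).update(ip).digest('hex').slice(0, 32);
  return `rl:ip:${tag}:${windowStart}`;
}

// Counts the request before the upstream call is made, so a call that fails
// upstream still spends budget (conservative by design).
async function checkQuota(store, ip, opts = {}) {
  const now = opts.now ?? Date.now();
  const pepper = opts.pepper ?? 'change-me';
  const dailyLimit = opts.dailyLimit ?? DEFAULT_DAILY_CALL_LIMIT;
  const windowStart = Math.floor(now / 1000 / PER_IP_WINDOW_SECONDS);
  const day = new Date(now).toISOString().slice(0, 10);
  try {
    // Per-client check first, so a client already over its limit cannot burn
    // the shared daily budget by retrying.
    const ipKey = await clientKey(ip, pepper, windowStart);
    const ipCount = await store.incr(ipKey, PER_IP_WINDOW_SECONDS, now);
    if (ipCount > PER_IP_LIMIT) {
      const retryAfter = (windowStart + 1) * PER_IP_WINDOW_SECONDS - Math.floor(now / 1000);
      return { allowed: false, reason: 'per_ip', retryAfter };
    }
    const dayCount = await store.incr(`rl:global:${day}`, DAY_SECONDS, now);
    if (dayCount > dailyLimit) return { allowed: false, reason: 'daily_ceiling' };
    return { allowed: true, ipCount, dayCount };
  } catch (err) {
    // Fail closed: if the counter store is unreachable the budget cannot be
    // proven intact, so refuse rather than forward an unmetered call.
    return { allowed: false, reason: 'store_unavailable' };
  }
}
```

Two practical notes. The IP fed into `checkQuota` must come from the platform's own client-address header, not from an arbitrary X-Forwarded-For the caller can set, or the per-IP layer is trivially bypassed. And because the daily ceiling refuses genuine users once it is reached, the route should return a distinct, user-readable message for `daily_ceiling` rather than a generic error.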
Certifications and assurance
- Cyber Essentials Basic — application in progress (target: Q3 2026)
- ISO 27001 — under evaluation for 2027 if B2B traction warrants
- SOC 2 Type 1 — under evaluation for 2027
- Independent penetration test — annual cadence from 2026
Data Processing Agreement (DPA)
If you are a payroll bureau, accounting firm, or HR team considering PaySlipIQ for staff use, we offer a standard DPA aligned with UK GDPR Art. 28. Email trust@payslipiq.co.uk with your company name and we will send a draft within 2 working days.
Reporting a vulnerability
We welcome responsible disclosure. Email security@payslipiq.co.uk with details. We aim to triage within 24 hours and patch critical issues within 14 days. We do not yet operate a paid bug-bounty programme but will publicly acknowledge contributions in this Trust Centre.
Last reviewed: 29 April 2026. Next review: 31 July 2026. We will email anyone who has requested a DPA with material updates.