TransactionX.

Trust & security

Operated by Wealth Recovery Solicitors Limited (Company No. 11325165) · Regulated by the SRA (ID 8000728)

TransactionX is built for professionals handling sensitive financial data. This page summarises our security, privacy and governance posture and links to the documents we make available to procurement and security teams under NDA.

Data protection at a glance

  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Access: Postgres Row-Level Security on all tenant tables; least-privilege service accounts.
  • Authentication: Supabase Auth with email verification; MFA on administrator accounts.
  • Logging: per-statement access audit log; IP addresses hashed before storage.
  • Backups: daily managed backups, 35-day retention, restore-tested.
  • No model training on customer-uploaded content.

Where data is processed

Primary storage is in the EU (Supabase eu-west). The full sub-processor list, including location and transfer safeguards, is published at /legal/sub-processors. We give at least 30 days' notice of any sub-processor change.

Retention

  • Uploaded statements and parsed transactions: up to 6 years, or on user deletion.
  • Statement access audit log: 24 months.
  • Email send log: 12 months.
  • Backups: up to 35 days after primary deletion.

Account holders can export or delete their data at any time from the dashboard.

Breach response

We operate a documented incident-response runbook. Notifiable personal-data breaches are reported to the ICO within 72 hours of awareness, and to affected customers without undue delay, in accordance with UK GDPR Articles 33 and 34 and our DPA.

Data subject rights

We support the full range of UK GDPR rights (access, rectification, erasure, restriction, portability, objection). Account holders can self-serve export and deletion from the dashboard. For requests relating to third parties named in customer-uploaded statements, we forward the request to the relevant customer (controller) and assist them in responding.

Documents available on request (under NDA)

  • Trust pack (executive summary)
  • Data Protection Impact Assessment (DPIA) and sign-off record
  • Records of Processing Activities (RoPA) — controller and processor
  • Data Processing Addendum (DPA) and Annexes I–III
  • Technical and Organisational Measures (TOMs) evidence pack
  • International transfer risk assessment
  • Deletion runbook and DSAR playbook
  • Incident response runbook

To request these documents, email privacy@wrsolicitors.com from a verified business address.

Security disclosures

If you believe you have found a security vulnerability in TransactionX, please email security@wrsolicitors.com. We aim to acknowledge within 2 working days and will keep you informed of remediation progress.