Trust & Security Center
Secure by design.
InvestiScript handles investigative journalism material — leaked documents, confidential sources, and sensitive claims. Our security posture reflects that responsibility. Enterprise-grade encryption, hash-chained audit trails, and a 44-policy ISMS aligned to ISO/IEC 27001:2022.
Compliance & Certifications
Our compliance posture is validated against internationally recognised frameworks. We maintain comprehensive documentation and engage independent auditors.
ISO/IEC 27001:2022
Status: Aligned. 44-policy ISMS mapped to ISO/IEC 27001:2022 Annex A. Stage 1 certification audit target Q4 2026.
UK ICO Registration
Registration number: ZC117933. Registered with the Information Commissioner's Office as a data controller and processor.
UK GDPR Compliant
Status: Active. Full UK GDPR compliance framework with ROPA, DPIAs, international transfer safeguards, and data subject request procedures.
NIST AI RMF
Status: Aligned. AI governance mapped to NIST AI Risk Management Framework. Human-in-the-Loop controls, bias evaluation, and red-team policies.
Data Security
Protecting sensitive investigative material at every layer — from transport encryption to tamper-evident audit logs and source anonymisation.
Encryption at Rest & In Transit
All data encrypted with AES-256 at rest. TLS 1.2+ enforced for all connections. HSTS headers with max-age 31536000.
SHA-256 Hash-Chained Audit Log
Every audit entry carries a SHA-256 hash of its content plus the previous entry's hash. Any tampering breaks the chain and is immediately detectable.
Evidence Integrity Verification
Documents are SHA-256 hashed on upload. Hashes are periodically re-verified. Evidence-locked documents cannot be edited or deleted.
28-Point Anonymisation Audit
EXIF data, GPS coordinates, device fingerprints, author metadata, digital signatures — all stripped before export. Source identity is never persisted.
File Upload Security
Whitelist-based file validation, magic byte verification, double-extension attack detection, and VirusTotal malware scanning on every upload.
Content Security Policy
Strict CSP headers, X-Content-Type-Options, CORS controls, and referrer policy enforced on all responses via middleware.
Authentication & Access Control
Defence-in-depth access controls — from password hashing to API key security and organisation-scoped data isolation.
SHA-256 Hashed API Keys
API keys are cryptographically generated using crypto.randomBytes(32) and stored as SHA-256 hashes. Raw keys are never persisted.
Role-Based Access Control
Organisation-scoped RBAC with owner, admin, editor, and viewer roles. Every API route enforces session checks and role requirements.
bcrypt Password Hashing
Passwords hashed with bcrypt (cost factor 12). 10-character minimum with 3-of-4 character class requirement. Real-time strength meter.
Rate Limiting
IP-based rate limiting on all sensitive endpoints: login, signup, research generation, script generation, AI tools, deepfake analysis, and social content.
Email Verification
Verification tokens generated on signup. Accounts can only access full features after email confirmation.
IDOR Protection
All data API routes derive userId from server session — never from URL parameters. Organisation-scoped access checks on every request.
Reliability & Operational Monitoring
Five automated daemons monitor production around the clock. Every anomaly triggers an immediate alert.
24/7 Health Monitoring
Automated health checks every 6 hours across all production endpoints. Immediate email alerts on any failure.
Security Scanning
Automated security scans every 6 hours: SSL certificates, security headers, path traversal, SQL injection, and exposed endpoint detection.
Malware Detection
VirusTotal API integration scans every uploaded document. Infected files are quarantined and blocked from download.
Suspicious Activity Detection
Daemon monitors for mass deletions, brute force attempts, unusual access hours, privilege escalation, and mass data exports.
Dependency Vulnerability Scanning
Daily automated scans against the OSV.dev vulnerability database. Critical and high CVEs trigger immediate alerts.
Incident Response
Documented incident response playbook (VIQ-POL-030/031). Business continuity and disaster recovery policies maintained.
Data Protection Principles
Our data handling adheres to the core principles of UK GDPR and international data protection law.
Encryption & Pseudonymisation
AES-256 at rest, TLS 1.2+ in transit. Source identities stripped via 28-point anonymisation audit.
Confidentiality, Integrity, Availability
Risk-based ISMS with regular assessments, penetration tests, and internal audits per ISO 27001:2022.
Data Minimisation
Collection limited to processing purposes. Employees and systems access only the minimum necessary information.
Data Portability & Erasure
Full GDPR Article 17 compliance. One-click account deletion with cascading data erasure. Export your data at any time.
International Transfer Safeguards
Standard Contractual Clauses (SCCs) and adequacy decisions govern all international data transfers.
Accountability & Governance
Dedicated data protection officer, regular staff training, and documented security awareness programmes.
44-Policy ISMS Framework
Six policy domains covering every aspect of information security management. Full versioned policy pack available to subscribers and audit teams.
Governance & Risk
VIQ-POL-001–005
Data Protection
VIQ-POL-010–014
Information Security
VIQ-POL-020–025
Operations & Resilience
VIQ-POL-030–034
People
VIQ-POL-040–043
AI Governance
VIQ-POL-050–053
Responsible Disclosure
If you discover a security vulnerability in InvestiScript, we encourage responsible disclosure. Please email [email protected] with details. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it. We will not pursue legal action against researchers who act in good faith.
Frequently Asked Questions
Common questions from security teams, procurement, and compliance officers.
All data in transit is encrypted via TLS 1.2+. Database connections use SSL enforcement. File uploads undergo magic-byte validation and VirusTotal malware scanning before storage. Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext.
Our ISMS is aligned to ISO 27001:2022 with 44 policies across six domains. We are registered with the UK Information Commissioner's Office (ICO ZC117933) and VeritasIQ Technologies Limited is incorporated at Companies House (17120203). Full policy documentation is available in our Compliance Centre.
User passwords are hashed using bcrypt with a cost factor of 12. API keys are generated using crypto.randomBytes(32) producing 256-bit entropy tokens. Session tokens are managed through NextAuth with secure, HTTP-only cookies and CSRF protection.
We use SHA-256 for hash-chained audit logs, bcrypt for password hashing, and TLS 1.2+ for all data in transit. Content Security Policy headers, HSTS with a one-year max-age, and strict CORS rules are enforced at the middleware layer.
Every significant action generates an immutable, hash-chained audit record using SHA-256. Each log entry includes a hash of the previous entry, creating a tamper-evident chain. This covers document access, user authentication events, permission changes, and data exports.
Yes. InvestiScript supports GDPR Article 15 (right of access) and Article 17 (right to erasure). You can request a full data export or account deletion. Our Records of Processing Activities (ROPA) documents every data flow, and our Data Protection Impact Assessments (DPIA) evaluate risks for every processing activity.
Source protection is engineered at every layer. Our 28-point algorithmic anonymisation strips identifying metadata. Access controls enforce role-based permissions so only authorised personnel can view sensitive materials. All access is logged in the hash-chained audit trail.
We operate a responsible disclosure process. Report vulnerabilities to [email protected]. We acknowledge reports within 48 hours, triage within 5 business days, and coordinate disclosure timelines with the reporter. We do not pursue legal action against good-faith security researchers.
Five dedicated monitoring daemons run continuously: platform health checks (every 6 hours), security configuration audits (every 6 hours), malware scanning of uploaded files (every 2 hours), suspicious activity detection (every 6 hours), and dependency vulnerability scanning (daily).
Dependency vulnerability scanning runs daily via an automated daemon. Known vulnerabilities are flagged, assessed for severity, and patched according to our Patch Management Policy (VIQ-POL-025). Critical vulnerabilities are escalated for immediate remediation.
Questions about our security posture?
Our team is available to walk through our security controls, provide evidence documentation, or support your vendor assessment process.