Trust
Trust and security
How we store, protect and process your data, where it lives, and exactly who touches it. We would rather tell you plainly than make you ask.
Where your data lives
Your core data, the land and account information held in our database, is hosted on Google Cloud Platform in the United Kingdom (London region). Encrypted, off-site backups are held in the European Union (Amsterdam).
Some of the sub-processors we rely on (AI report generation, sign-in, content delivery) operate outside the UK. Where data is processed outside the UK, we put in place an appropriate UK transfer safeguard: the International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or, for providers certified under the EU-US Data Privacy Framework, the UK-US data bridge. Our EU-based sub-processors (payments and backups) need no additional safeguard, because the UK recognises the EEA as providing adequate protection.
How we protect it
- Encryption in transit. Every connection to EcoIntel uses TLS.
- Encryption at rest. Google Cloud encrypts all stored data by default (AES-256). Our backups are additionally encrypted on our side before they leave our systems, so the backup provider only ever holds data it cannot read. Backups are versioned and made immutable to resist ransomware, with the keys held offline.
- Access control. Access to customer data is restricted to a small number of named, authorised people: the founders and our development partner, under confidentiality.
- Breach response. If a personal-data breach affects your data, we will notify you without undue delay, and notify the Information Commissioner's Office (ICO) within 72 hours where the law requires it.
- Certified infrastructure. EcoIntel runs on Google Cloud Platform, which holds ISO 27001 and SOC 2 certification. EcoIntel does not yet hold its own certification.
Sub-processors
We use the following third parties to run EcoIntel. Each processes data only as far as needed to provide its part of the service, under its own data-processing agreement.
| Sub-processor | What they do | Location |
|---|---|---|
| Google Cloud Platform | Application hosting, the database, and satellite data processing (Earth Engine) | United Kingdom (London) |
| Backblaze | Encrypted, off-site backups | European Union (Amsterdam) |
| Anthropic | AI generation of land-health reports | United States |
| Stripe | Subscription payments and billing | European Union (Ireland) |
| Cloudflare | Website delivery, security, and privacy-friendly analytics | United States |
| Microsoft Azure | Account sign-in and authentication | United States |
| Google Workspace | Business email and documents | United States |
| Vu Digital | Application development and marketing, as our delivery partner | United Kingdom |
| FreeAgent | Accounting and billing administration | United Kingdom |
Sub-processors that process data outside the UK and EEA (the United States entries above) do so under an appropriate UK transfer safeguard, as described under "Where your data lives". We give at least 30 days' notice before adding or replacing a sub-processor, so you have time to object.
Your data and your rights
EcoIntel (Ecological Intelligence Ltd) is the data controller for the personal data we hold. What we collect, why, how long we keep it, and your rights under UK GDPR are set out in full in our Privacy Policy.
Business customers: our Data Processing Addendum is incorporated into our Terms of Service and published in full, so it already applies to your use of the Service, with no separate signing required.
Reporting a security issue
If you believe you have found a security vulnerability, or you have a concern about how your data is handled, please contact us at . We take these reports seriously and aim to acknowledge them within three business days.
Last updated: 10 June 2026