Trust & Compliance
We take security and compliance seriously because our customers — and their procurement teams — need to. This page is the honest version of where we are today and what's on the roadmap. We update it when something changes.
If you're evaluating VaultHire or AccountRadar for procurement, you'll want our Procurement Pack — a single PDF with all the answers most enterprise security questionnaires need. Email security@legatumgroup.uk to request it.
What's true today
Data protection
- Data controller: Legatum Group Limited (Company No. [PENDING], registered in England and Wales)
- ICO registration: [PENDING — TO BE DISPLAYED HERE]
- Lawful basis documented and reviewed annually
- Legitimate Interest Assessment completed for hiring manager contact data, available on request
- Sub-processor list published and updated 30 days in advance of changes
- Data residency: all production data stored in UK or EU regions
- Data Processing Addendum available for AccountRadar customers (controller-to-processor model). VaultHire uses a controller-to-controller model — see DPA page for explanation.
- Privacy Policy, Terms of Service, Cookie Policy, AUP all published
Security baseline
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- Role-based access control with least-privilege principles
- Multi-factor authentication available for administrator accounts
- Daily automated backups in a separate region with 30-day retention
- Documented incident response plan with 72-hour ICO notification commitment
- PCI-DSS compliance inherited via Stripe (we never touch card data)
Operational practices
- Documented data retention schedule
- Documented right-to-erasure and right-to-portability procedures
- Documented breach response plan with named incident lead
- Annual review of all privacy and security documentation
What's on the roadmap
We believe in being honest about what we have and don't have. The following items are on our compliance roadmap and will be activated according to the triggers shown.
| Item | Status | Trigger to activate |
|---|---|---|
| Professional Indemnity insurance (£1m cover) | Quoted, ready to activate | Before first paying customer |
| Cyber Liability insurance (£100k cover) | Quoted, ready to activate | Before first paying customer |
| Directors & Officers insurance (£250k cover) | Quoted, ready to activate | Before first enterprise contract |
| Public Liability insurance | Bundled with above | Active from incorporation |
| Employers' Liability insurance | Not yet required | First UK PAYE contract |
| External penetration test | Scheduled | When group MRR crosses £50k/mo |
| SOC 2 Type 1 | Not yet certified | Initiated at 100 paying customers per platform |
| SOC 2 Type 2 | Not yet certified | 12 months after Type 1 |
| ISO 27001 | Not yet certified | Reviewed at first enterprise bespoke build |
| Customer audit log export | Available at Agency tier | Tier launch |
| SAML SSO | Available at Enterprise tier | Tier launch |
| Customer-managed encryption keys (CMK) | Available at Enterprise tier | Tier launch |
| Documented RTO 4hr / RPO 1hr disaster recovery | Roadmapped | Quarterly drills from Month 9 |
We don't claim certifications we don't hold. If a procurement team asks for SOC 2 today, we will say "not yet — we're starting the process at 100 customers, here's our roadmap" rather than pretending otherwise. In our experience this earns more trust than the alternative.
EU AI Act — our position
We use AI in our products and we take regulatory compliance seriously. This section sets out our position under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) so procurement teams have a clear answer to a question they are increasingly required to ask.
Where AI is used
| Platform | AI use case | Risk classification (our assessment) |
|---|---|---|
| VaultHire | Search query expansion (large language model) | Limited risk — Article 50 transparency only |
| VaultHire | Hiring manager identification (contextual reasoning) | Limited risk — Article 50 transparency only |
| VaultHire | Outreach drafting (human reviews before send) | Limited risk — Article 50 transparency only |
| AccountRadar | Signal scoring and ranking | Limited risk — Article 50 transparency only |
| AccountRadar | Briefing generation from public business signals | Limited risk — Article 50 transparency only |
Why we are not in scope of high-risk obligations
Annex III of the EU AI Act lists eight categories of high-risk AI use, including "AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates."
Our products do not fall within this category, for the following reasons:
- VaultHire is not used to filter job applications. It surfaces direct-employer vacancies and the hiring managers attached to them. It does not receive, analyse, score, rank, or filter candidate CVs against vacancies as part of an employer's hiring decision.
- VaultHire is not used to evaluate candidates. Recruiters using VaultHire identify potential roles and decision-makers; the candidate evaluation is conducted entirely by the recruiter and the hiring company, outside our platform.
- VaultHire does not place targeted job advertisements. We surface existing job adverts to recruiters; we do not generate, target, or distribute job advertisements to candidates.
- AccountRadar operates entirely outside Annex III categories. It is used in B2B sales and account intelligence, not in any of the eight high-risk use-case domains (employment, education, biometrics, law enforcement, migration, justice, credit, critical infrastructure).
- All AI outputs are reviewed by a human professional (the recruiter or sales operator) before any external action is taken. No automated decisions producing legal or similarly significant effects on data subjects are made by our systems.
What we have done to comply
- Article 4 — AI literacy. Our team and our customers are provided with documentation on what AI does in our platforms, what its limits are, who reviews outputs, and what to do if an output appears wrong.
- Article 50 — transparency. Our use of AI is disclosed in the Privacy Policy of each platform. AI-generated content is labelled or otherwise identifiable to the user.
- Internal AI inventory. We maintain an internal register of every AI use in our products, documenting purpose, data inputs, outputs, oversight, and risk classification.
- Risk classification rationale. A more detailed written rationale supporting the classifications above is available to enterprise customers and procurement teams on request.
Regulatory developments we monitor
- The Digital Omnibus on AI proposal (published 19 November 2025), which may defer high-risk obligations to 2 December 2027 if adopted. We do not rely on this deferral; we plan against the original 2 August 2026 date.
- Article 6(1) classification guidance from the European Commission, which clarifies practical application of high-risk classification.
- National competent authority designations in our customers' jurisdictions.
We will update this page if our use of AI in the platform, our risk classification, or the regulatory framework materially changes.
Available on request
For enterprise customers and procurement teams: a detailed risk classification rationale, our internal AI inventory, and our Article 4 AI literacy materials are available on request to security@legatumgroup.uk.
What we'll send to your procurement team
The Procurement Pack includes:
- This Trust & Compliance overview
- Privacy Policy
- Terms of Service
- Data Processing Addendum (where applicable)
- Sub-processor list
- Insurance summary (once active)
- ICO registration confirmation
- Pre-filled SIG Lite security questionnaire
- Pre-filled CAIQ (Cloud Security Alliance) responses
- Data residency statement
- Security overview
- Incident response summary
Most procurement teams find the Pack covers 80–90% of their standard enquiries. We will respond to bespoke questionnaires within 5 working days for active deals.
Email security@legatumgroup.uk to request the Pack.
Reporting a security issue
If you believe you've found a security vulnerability, please report it responsibly to security@legatumgroup.uk. We aim to acknowledge reports within 48 hours and we will not pursue legal action against good-faith security researchers who follow responsible disclosure norms.
We do not currently run a paid bug bounty programme.
Contact
| Topic | Contact |
|---|---|
| Privacy and data protection | privacy@legatumgroup.uk |
| Security questions and procurement | security@legatumgroup.uk |
| Acceptable use and abuse reports | abuse@legatumgroup.uk |
| Legal and contracts | legal@legatumgroup.uk |
| Everything else | hello@legatumgroup.uk |