Read & sign
Every reading is hashed with SHA-256 the moment it arrives. Every treatment is GPS-stamped and sealed into the chain. The data sits in AWS London. None of it can be edited after the fact, including by us.
The chain of custody is not blockchain hype — it's a sequence of cryptographic hashes that makes after-the-fact editing detectable.
Each sensor reading arrives at the platform with a timestamp and source ID. The platform writes a deterministic input string and computes its SHA-256 fingerprint — a 64-character hex digest that is, for practical purposes, unique to that input.
The new fingerprint is appended to the previous block's fingerprint and hashed again, producing the next link. Any retroactive change to a previous block invalidates every block after it. Tampering becomes visible by definition.
On audit, the chain exports as a portable record. Any auditor with a SHA-256 implementation can replay the inputs and verify each fingerprint independently. We do not need to be in the room.
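The fingerprint, chaining and audit-replay steps above, as an added example that is not the platform's own code. The input-string layout, the all-zero starting value, the `prev + fingerprint` concatenation order and the sample readings are assumptions constructed for illustration, since the page does not specify them; the optional `expected_head` comparison goes one step beyond the text.

```python
import hashlib

GENESIS = "0" * 64  # assumed starting value; the page does not define one


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def fingerprint(reading: dict) -> str:
    # Assumed deterministic input string: fixed field order, fixed separator.
    return sha256_hex(
        f"{reading['timestamp']}|{reading['source_id']}|{reading['value']}"
    )


def build_chain(readings: list) -> list:
    """Platform side: fingerprint each reading and link it to the previous block."""
    chain, prev = [], GENESIS
    for r in readings:
        fp = fingerprint(r)
        link = sha256_hex(prev + fp)  # previous link, then the new fingerprint
        chain.append({"reading": dict(r), "fingerprint": fp, "link": link})
        prev = link
    return chain


def verify_chain(chain: list, expected_head: str = None):
    """Auditor side: replay every input. Returns (ok, index_of_first_bad_block)."""
    prev = GENESIS
    for i, block in enumerate(chain):
        fp = fingerprint(block["reading"])
        if fp != block["fingerprint"] or sha256_hex(prev + fp) != block["link"]:
            return (False, i)
        prev = block["link"]
    # A fully recomputed chain is self-consistent, so also compare the final
    # link with a head value the auditor obtained separately (assumption).
    if expected_head is not None and prev != expected_head:
        return (False, None)
    return (True, None)


# Constructed sample readings, not real data.
SAMPLE_READINGS = [
    {"timestamp": "2025-01-01T00:00:00Z", "source_id": "sensor-a", "value": "7.2"},
    {"timestamp": "2025-01-01T00:05:00Z", "source_id": "sensor-a", "value": "7.4"},
    {"timestamp": "2025-01-01T00:10:00Z", "source_id": "sensor-b", "value": "6.9"},
]

if __name__ == "__main__":
    print(verify_chain(build_chain(SAMPLE_READINGS)))
```

An edited reading fails at its own block; an edit whose fingerprint and link are recomputed fails at the next block, which is why the replay has to walk the whole chain.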
No US-resident processors in the path. No third-party SaaS storing your treatment record. Where the data sits and how it's protected.
All client data — readings, treatment records, compliance packs — resides in AWS London (eu-west-2). DSPT v14-aligned. No replication outside the UK without your written consent.
AES-128 over LoRaWAN from sensor to gateway. TLS 1.3 from gateway to platform. Hashed-at-rest for treatment records. Encryption keys rotate quarterly.
SSO via SAML 2.0 or OIDC. Role-based access (FM, operator, technician, auditor). Every human action in the platform is logged into the same chain as sensor data.
Your data, your export. Full portable export available within fourteen days of request. We retain a processing licence only while the contract is active — terminate, and the licence ends.
We list what we hold today, what's in progress, and what's a target. No "ISO-aligned" hand-waving.
UK government baseline. Annual renewal.
Independent technical audit. Q3 2026 target.
Trust services controls — 2026.
Information security management system. 2027.
Our commitment to you, written down. The contract carries the same wording.
If we believe a security incident affects your data, we will notify your registered contacts within 24 hours of confirmation, with a written summary inside 72 hours.
Independent security researchers can report vulnerabilities to security@greentech.co.uk. Responsible disclosure window: 90 days.
List of sub-processors (AWS, ThingsBoard, Make.com, GoCardless) is published in the security pack and updated within 14 days of any change.
Annual third-party pen test against the platform and sensor-to-platform path. Summary results sharable under NDA at the contract stage.
Book a 30-minute security brief. We'll walk through the architecture, the certification roadmap, and the data-processing terms with your security or DPO function.