Security & Compliance
Last updated: February 12, 2026
1. Infrastructure & Physical Security
Project Paced leverages Google Cloud Platform (GCP) for all core infrastructure, inheriting world-class physical and network security controls.
Hosting & Data Residency: All application data is hosted in the US Central (Iowa) region.
Physical Security: Data is stored in Google's Tier 4 data centers, which maintain SOC 2 Type II, ISO 27001, and PCI-DSS certifications.
Encryption at Rest: All database volumes (Cloud Firestore) and Cloud Storage buckets are encrypted using AES-256.
Encryption in Transit: All data moving between the client and the server is encrypted using TLS 1.2 or higher.
2. Application & Network Security
Our "Defense in Depth" strategy ensures that security is baked into the code, not just the perimeter.
Authentication
Managed via Firebase Authentication. We support Google OAuth and Email/Password authentication. For enterprise clients, we can evaluate SAML/SSO integration via Google Identity Platform.
Client Verification
We utilise Firebase App Check with reCAPTCHA Enterprise to ensure only our official web application can interact with our backend APIs.
Bot Mitigation
reCAPTCHA Enterprise is active on all entry points to prevent automated attacks, credential stuffing, and brute-force attempts.
Access Control
Data access is governed by Firestore Security Rules, which enforce granular, document-level authorisation based on the user's authenticated UID.
3. Payments & Data Privacy
We minimize our "security surface area" by utilising industry-leading third-party processors for sensitive data.
Payment Processing
All payments are processed via Stripe. Project Paced is PCI-DSS Compliant (SAQ-A); we never store or transmit raw credit card data.
Sub-processors
Our primary sub-processors are Google Cloud (Infrastructure) and Stripe (Payments). Both maintain rigorous compliance programs.
Data Retention
User Data:
- Active subscribers: Data retained for the subscription duration plus 30 days after cancellation
- Trial accounts: Data retained for 14 days after trial expiration
- Users may request immediate deletion via account settings at any time
Financial Records (UK Legal Requirement):
- Transaction records, invoices, and billing information are retained for 6 years after the end of the relevant accounting period, as required by HMRC
- Following user account deletion, personal identifiers in financial records are pseudonymised while preserving the integrity of tax-related data
- Payment processing records are also retained by Stripe in accordance with their data retention policies and financial regulations (7 years for PCI-DSS compliance)
4. Data Residency & International Transfers
Data Location
Project Paced is hosted in the US-Central (Iowa) region of Google Cloud Platform. This allows us to provide a high-performance, unified experience for our global user base.
GDPR & International Compliance
We recognise the requirements for transferring Personal Data from the EU, EEA, and UK to the United States. To ensure a high level of data protection, we employ the following mechanisms:
- Standard Contractual Clauses (SCCs): We incorporate the latest version of the European Commission's SCCs into our Data Processing Agreement (DPA) with all customers located in the EU/EEA.
- Google Cloud DPA: As a sub-processor, Google Cloud Platform maintains a robust Data Processing Addendum that includes technical and organisational measures to safeguard data against unauthorised access by any third party, including government authorities.
- Encryption as a Safeguard: All data is encrypted in transit and at rest, acting as a "Supplementary Measure" to ensure that even in the event of an interception, the data remains unintelligible.
Enterprise Data Isolation
While data is hosted in a multi-tenant environment in the US, Project Paced utilises Firestore Security Rules at the database level to ensure that one customer's data is never accessible or visible to another.
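The following Firestore Security Rules file is an added illustration of the two properties described above (document-level authorisation keyed to the authenticated UID, and tenant isolation within a shared database); it is not Project Paced's own ruleset, and the collection names (`users`, `timelines`, `organisations`, `milestones`) and the membership-document layout are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helpers: every rule below is composed from these.
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return isSignedIn() && request.auth.uid == uid;
    }
    // Assumed layout: /organisations/{orgId}/members/{uid} exists for each member.
    function isOrgMember(orgId) {
      return isSignedIn()
        && exists(/databases/$(database)/documents/organisations/$(orgId)/members/$(request.auth.uid));
    }

    // Per-user data: a caller may only touch documents stored under their own UID.
    match /users/{uid} {
      allow read, write: if isOwner(uid);

      match /timelines/{timelineId} {
        allow read, write: if isOwner(uid);
      }
    }

    // Tenant data: readable only by members of that organisation; a member may
    // create documents they own and modify only documents they created.
    match /organisations/{orgId}/milestones/{milestoneId} {
      allow read: if isOrgMember(orgId);
      allow create: if isOrgMember(orgId)
        && request.resource.data.ownerId == request.auth.uid;
      allow update, delete: if isOrgMember(orgId)
        && resource.data.ownerId == request.auth.uid;
    }

    // Deny by default: any path not matched above is inaccessible, even to
    // signed-in users, so a new collection is closed until a rule opens it.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Because Firestore grants access when any matching rule allows it, the final catch-all only documents the default; the real guarantee is that no earlier rule grants cross-tenant or cross-user access.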
5. Monitoring, Reliability & Incident Response
Project Paced utilises a multi-layered observability stack to ensure 24/7 system health, proactive security, and rapid incident resolution.
Proactive Security Scanning (Aikido)
We employ Aikido Security for continuous vulnerability management.
- Static Analysis (SAST): Our code is scanned on every GitHub push for security flaws or hardcoded secrets.
- Dependency Scanning (SCA): Automated monitoring of third-party libraries (npm/Node.js) to identify and patch "Common Vulnerabilities and Exposures" (CVEs) before they can be exploited.
- Cloud Posture Management: Continuous scanning of our Google Cloud/Firebase configuration to prevent accidental data exposure or misconfiguration.
Real-Time Error Tracking (Better Stack + Sentry)
To maintain high application quality, we utilise Better Stack (via Sentry SDK) for real-time error monitoring across our web frontend and Firebase Cloud Functions, with Sentry.io providing session replay capabilities.
- Instant Alerting: Any unhandled exception or critical bug triggers an immediate alert to our engineering team.
- Contextual Debugging: Full stack traces and breadcrumbs allow us to resolve production issues often before they are reported by users.
- Performance Monitoring: We monitor API latency and database query times to ensure the application meets enterprise performance expectations.
- Session Replay: Visual bug reproduction via Sentry.io session replay for rapid debugging of user-reported issues.
Uptime & Infrastructure Monitoring (Better Stack)
Service availability is monitored 24/7 via Better Stack to ensure our 99.9% uptime commitment.
- Global Health Checks: Independent "Heartbeat" monitors ping our Firebase endpoints from multiple global locations every 3 minutes.
- Public Status Page: Our service status is transparently reported at https://status.projectpaced.com
- On-Call Protocol: Critical infrastructure failures trigger automated phone and SMS escalations to ensure immediate response, regardless of the time of day.
6. Operational Security & Governance
As a focused organisation, we prioritise automation over manual intervention to reduce human error.
Access to Production
Access to the GCP Console and Stripe Dashboard is restricted to authorised individuals and is protected by Multi-Factor Authentication (MFA) via authenticator app.
Personnel Security
All Project Paced Ltd employees and contractors are required to sign non-disclosure and confidentiality agreements (NDAs) prior to being granted access to any production systems. We conduct regular internal security awareness training to ensure all team members understand their obligations under the UK GDPR.
Business Continuity
Daily automated backups are enabled for Firestore with a Recovery Point Objective (RPO) of 24 hours.
Incident Response
In the event of a suspected breach, our policy is to revoke all active API keys, notify affected customers within 72 hours, and provide a full post-mortem report.
Data Subject Rights & Assistance
Project Paced is committed to helping you fulfil your obligations under Data Protection Laws.
- Manual Requests: Users may exercise their rights (access, rectification, or erasure) by contacting us at security@projectpaced.com.
- Response Time: As the Processor, we will provide you with the necessary data to respond to a valid request without undue delay, typically within 30 days.
- Verification: To protect user privacy, we will require reasonable proof of identity before processing any data access or deletion request.
Vulnerability Management
We perform continuous dependency scanning using Aikido Security to identify and patch security flaws in our code and third-party libraries.
Data Deletion
User account deletion is handled via automated Cloud Functions that:
- Immediately delete user-generated content (timelines, milestones, uploaded files)
- Remove the Firebase Authentication account
- Pseudonymise financial records for tax compliance (retaining transaction data for 6 years as required by HMRC)
- Mark the Stripe customer record as deleted (Stripe maintains their own 7-year retention for PCI-DSS compliance)
7. Privacy-First Observability & Data Masking
Project Paced prioritises user privacy by implementing "Private by Default" configurations for all session recording and error monitoring activities. We employ aggressive client-side masking techniques to ensure that sensitive Personally Identifiable Information (PII) is redacted before it ever leaves the user's browser.
Client-Side Redaction: Our Session Replay SDK is configured to automatically mask all HTML text nodes, user input fields, and media elements (images, videos, etc.) at the source. Redacted content is replaced with asterisks (***) or static placeholders, ensuring that the original data is never transmitted to or stored on our servers.
Regulatory Compliance: These controls are designed to align with strict regulatory frameworks, including GDPR, CCPA, and ISO 27001 (Annex A 8.11) regarding pseudonymisation and data masking.
Network Privacy: To prevent the accidental capture of PII in API communications, we have disabled the recording of network request and response bodies.
Security Accountability: All telemetry data is encrypted both in transit (TLS) and at rest (AES-256), and access to this data is strictly limited to authorised administrators via Multi-Factor Authentication (MFA).
Data Minimisation: We only collect the structural DOM changes necessary to reproduce technical errors; we have no business or technical requirement to see the actual data our customers are inputting into the platform.
Summary
Project Paced combines enterprise-grade infrastructure with intelligent automation to deliver a secure, compliant, and highly available platform. Our architecture leverages Google Cloud Platform's world-class security controls, while our operational practices ensure continuous monitoring, proactive vulnerability management, and transparent incident response.
For questions regarding this security whitepaper, please contact: security@projectpaced.com
