
Security & Compliance

Last updated: April 26, 2026

1. Infrastructure & Physical Security

Project Paced leverages Google Cloud Platform (GCP) for all core infrastructure, inheriting world-class physical and network security controls.

Hosting & Data Residency: Our standard service (app.projectpaced.com) runs on Google Cloud, with Firestore in the nam5 multi-region (United States) and Cloud Functions and Vertex AI in us-central1 (Iowa). Enterprise customers requiring EU data residency are provisioned on a separate Project Paced instance (eu.projectpaced.com) on which Firestore runs in the eur3 multi-region (replicated across Belgium, the Netherlands, and Finland) and Cloud Functions, Cloud Storage, and Vertex AI run in europe-west1 (Belgium). All EU-instance data and processing remain within the European Union. The two instances are independent Firebase projects, and Personal Data does not transit between them under normal operation.

Physical Security: Data is stored in Google's Tier 4 data centers, which maintain SOC 2 Type II, ISO 27001, and PCI-DSS certifications.

Encryption at Rest: All database volumes (Cloud Firestore) and Cloud Storage buckets are encrypted using AES-256.

Encryption in Transit: All data moving between the client and the server is encrypted using TLS 1.2 or higher.

2. Application & Network Security

Our "Defense in Depth" strategy ensures that security is baked into the code, not just the perimeter.

Authentication
Managed via Firebase Authentication. We support Google OAuth and Email/Password authentication. For enterprise clients, we can evaluate SAML/SSO integration via Google Identity Platform.

Client Verification
We utilise Firebase App Check with reCAPTCHA Enterprise to ensure only our official web application can interact with our backend APIs.

Bot Mitigation
reCAPTCHA Enterprise is active on all entry points to prevent automated attacks, credential stuffing, and brute-force attempts.

Access Control
Data access is governed by Firestore Security Rules, which enforce granular, document-level authorisation based on the user's authenticated UID.

Idle Auto-Logout
Sessions are automatically signed out after 30 minutes of inactivity, with a 2-minute warning modal before logout. Activity is detected from mouse, keyboard, scroll, and touch events. This control aligns with SOC 2 and ISO 27001 idle-timeout expectations and reduces session-hijacking risk on shared or public devices.
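The idle-timeout control above, as an added example that is not Project Paced's own code: a small controller that warns 2 minutes before the 30-minute inactivity sign-out and resets on mouse, keyboard, scroll and touch events. The clock is injected so the transitions can be driven deterministically; the callback names, the event list and the `attach` helper are assumptions, and the real sign-out call is left to the caller.

```javascript
// Added example (not the product's own code): idle auto-logout state machine.
const IDLE_LIMIT_MS = 30 * 60 * 1000;   // sign out after 30 minutes idle
const WARNING_MS = 2 * 60 * 1000;       // show the warning modal 2 minutes before that
const ACTIVITY_EVENTS = ['mousemove', 'keydown', 'scroll', 'touchstart']; // assumed names

class IdleLogout {
  // onWarning(msRemaining) and onLogout() are caller-supplied; now() returns ms.
  constructor({ onWarning, onLogout, now = Date.now }) {
    this.onWarning = onWarning;
    this.onLogout = onLogout;
    this.now = now;
    this.lastActivity = now();
    this.state = 'active'; // 'active' | 'warning' | 'signed-out'
  }

  // Call from every listened activity event; also dismisses a pending warning.
  activity() {
    if (this.state === 'signed-out') return;
    this.lastActivity = this.now();
    this.state = 'active';
  }

  // Call periodically (for example once a second); returns the current state.
  tick() {
    if (this.state === 'signed-out') return this.state;
    const idle = this.now() - this.lastActivity;
    if (idle >= IDLE_LIMIT_MS) {
      this.state = 'signed-out';
      this.onLogout();
    } else if (idle >= IDLE_LIMIT_MS - WARNING_MS && this.state === 'active') {
      this.state = 'warning';
      this.onWarning(IDLE_LIMIT_MS - idle); // ms left, for the modal countdown
    }
    return this.state;
  }

  // Wire the activity events to a window-like EventTarget; returns a detach function.
  attach(target) {
    const handler = () => this.activity();
    ACTIVITY_EVENTS.forEach((ev) => target.addEventListener(ev, handler, { passive: true }));
    return () => ACTIVITY_EVENTS.forEach((ev) => target.removeEventListener(ev, handler));
  }
}
```

Once signed out the controller ignores further activity, so a stale tab cannot silently resume a session; the caller must create a fresh instance after re-authentication.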

Public REST API & MCP Server
Project Paced exposes a Public REST API and a Model Context Protocol (MCP) server at mcp.projectpaced.com for programmatic and AI-assistant integrations.

  • Authentication: Bearer-token API keys (pp_…). Keys are stored as SHA-256 hashes only — the raw key is shown once at issuance and never recoverable thereafter.
  • OAuth 2.1 + PKCE: AI assistants such as Claude and ChatGPT connect via OAuth (RFC 8414 / 9728 / 7591) with PKCE S256, so end users never paste API keys.
  • Rate Limits: Trial accounts are limited to 3 lifetime API calls; Pro accounts share the standard 50 generations/month allowance.
  • Key Lifecycle: Issuance and revocation are logged. Revoked keys are retained as inactive for audit, not deleted.
  • Deployment: The MCP server is deployed as a separate Vercel project, isolated from the main application.

3. Payments & Data Privacy

We minimize our "security surface area" by utilising industry-leading third-party processors for sensitive data.

Payment Processing
All payments are processed via Stripe. Project Paced is PCI-DSS Compliant (SAQ-A); we never store or transmit raw credit card data.

Sub-processors
Our primary sub-processors are Google Cloud (Infrastructure) and Stripe (Payments). Both maintain rigorous compliance programs.

Data Retention

User Data:

  • Active subscribers: Data retained for the subscription duration plus 30 days after cancellation
  • Trial accounts: Data retained for 14 days after trial expiration
  • Users may request immediate deletion via account settings at any time

Financial Records (UK Legal Requirement):

  • Transaction records, invoices, and billing information are retained for 6 years after the end of the relevant accounting period, as required by HMRC
  • Following user account deletion, personal identifiers in financial records are pseudonymised while preserving the integrity of tax-related data
  • Payment processing records are also retained by Stripe in accordance with their data retention policies and financial regulations (7 years for PCI-DSS compliance)

4. Data Residency & International Transfers

Data Location
Project Paced operates two independent instances:

  • Standard instance (app.projectpaced.com) — Firestore runs in the nam5 multi-region, with replicas in us-central1 (Iowa), us-central2 (Oklahoma), and us-east1 (South Carolina). Cloud Functions and Vertex AI inference run in us-central1. All data and processing remain within the United States.
  • EU instance (eu.projectpaced.com) — Firestore runs in the eur3 multi-region, with replicas in europe-west1 (Belgium), europe-west4 (Netherlands), and europe-north1 (Finland). Cloud Functions, Cloud Storage, and Vertex AI inference run in europe-west1. All data and processing remain within the European Union. Available to enterprise customers requiring EU-only data residency.

The two instances are separate Firebase projects with independent user-identity namespaces. Personal Data does not transit between them under normal operation.

GDPR & International Compliance

  • EU instance — no restricted transfer: Where an EU/EEA enterprise customer is provisioned on the EU instance, Personal Data is processed exclusively within the EU and no restricted transfer outside the EEA occurs under normal operation. Stripe self-serve billing is not used on the EU instance — enterprise customers there are billed via manual invoice.
  • Standard instance — Standard Contractual Clauses (SCCs): For customers on the standard (US-hosted) instance, we incorporate the latest version of the European Commission's SCCs and the UK International Data Transfer Agreement (IDTA) into our Data Processing Agreement (DPA).
  • Google Cloud DPA: As a sub-processor, Google Cloud Platform maintains a robust Data Processing Addendum with technical and organisational measures to safeguard data against unauthorised access.
  • Encryption as a Safeguard: All data is encrypted in transit and at rest, acting as a "Supplementary Measure" to ensure that even in the event of an interception, the data remains unintelligible.

Enterprise Data Isolation
Within each instance, Project Paced uses Firestore Security Rules at the database level to ensure that one customer's data is never accessible or visible to another.
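The document-level authorisation described under Access Control and the per-customer isolation described here, as an added Firestore Security Rules fragment that is not Project Paced's own ruleset. The collection names (`users`, `timelines`) and the `ownerUid` field are assumptions chosen to illustrate the pattern.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A caller may read or write only the user document keyed by their own UID.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Customer content carries its owner's UID (assumed field name), so one
    // customer can never fetch, list or modify another customer's documents.
    match /timelines/{timelineId} {
      allow read, delete: if request.auth != null
                          && resource.data.ownerUid == request.auth.uid;
      allow create: if request.auth != null
                    && request.resource.data.ownerUid == request.auth.uid;
      // Updates must come from the owner and may not reassign ownership.
      allow update: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid
                    && request.resource.data.ownerUid == resource.data.ownerUid;
    }
    // Anything not matched above is denied.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Rules are not filters: a client query against `timelines` must itself be constrained to the caller's `ownerUid`, otherwise the whole query is rejected rather than silently narrowed.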

5. Monitoring, Reliability & Incident Response

Project Paced utilises a multi-layered observability stack to ensure 24/7 system health, proactive security, and rapid incident resolution.

Proactive Security Scanning (Aikido)
We employ Aikido Security for continuous vulnerability management.

  • Static Analysis (SAST): Our code is scanned on every GitHub push for security flaws or hardcoded secrets.
  • Dependency Scanning (SCA): Automated monitoring of third-party libraries (npm/Node.js) to identify and patch "Common Vulnerabilities and Exposures" (CVEs) before they can be exploited.
  • Cloud Posture Management: Continuous scanning of our Google Cloud/Firebase configuration to prevent accidental data exposure or misconfiguration.

Real-Time Error Tracking (Better Stack + Sentry)
To maintain high application quality, we utilise Better Stack (via Sentry SDK) for real-time error monitoring across our web frontend and Firebase Cloud Functions, with Sentry.io providing session replay capabilities.

  • Instant Alerting: Any unhandled exception or critical bug triggers an immediate alert to our engineering team.
  • Contextual Debugging: Full stack traces and breadcrumbs allow us to resolve production issues often before they are reported by users.
  • Performance Monitoring: We monitor API latency and database query times to ensure the application meets enterprise performance expectations.
  • Session Replay: Visual bug reproduction via Sentry.io session replay for rapid debugging of user-reported issues.

Uptime & Infrastructure Monitoring (Better Stack)
Service availability is monitored 24/7 via Better Stack to ensure our 99.9% uptime commitment.

  • Global Health Checks: Independent "Heartbeat" monitors ping our Firebase endpoints from multiple global locations every 3 minutes.
  • Public Status Page: Our service status is transparently reported at https://status.projectpaced.com
  • On-Call Protocol: Critical infrastructure failures trigger automated phone and SMS escalations to ensure immediate response, regardless of the time of day.

6. Operational Security & Governance

As a focused organisation, we prioritise automation over manual intervention to reduce human error.

Access to Production
Access to the GCP Console and Stripe Dashboard is restricted to authorised individuals and is protected by Multi-Factor Authentication (MFA) via authenticator app.

Personnel Security
All Project Paced Ltd employees and contractors are required to sign non-disclosure and confidentiality agreements (NDAs) prior to being granted access to any production systems. We conduct regular internal security awareness training to ensure all team members understand their obligations under the UK GDPR.

Business Continuity
Daily automated backups are enabled for Firestore with a Recovery Point Objective (RPO) of 24 hours.

Incident Response
In the event of a suspected breach, our policy is to revoke all active API keys, notify affected customers within 72 hours, and provide a full post-mortem report.

Data Subject Rights & Assistance
Project Paced is committed to helping you fulfil your obligations under Data Protection Laws.

  • Manual Requests: Users may exercise their rights (access, rectification, or erasure) by contacting us at security@projectpaced.com.
  • Response Time: As the Processor, we will provide you with the necessary data to respond to a valid request without undue delay, typically within 30 days.
  • Verification: To protect user privacy, we will require reasonable proof of identity before processing any data access or deletion request.

Vulnerability Management
We perform continuous dependency scanning using Aikido Security to identify and patch security flaws in our code and third-party libraries.

Data Deletion
User account deletion is handled via automated Cloud Functions that:

  1. Immediately delete user-generated content (timelines, milestones, uploaded files)
  2. Remove the Firebase Authentication account
  3. Pseudonymise financial records for tax compliance (retaining transaction data for 6 years as required by HMRC)
  4. Mark the Stripe customer record as deleted (Stripe maintains their own 7-year retention for PCI-DSS compliance)

7. Privacy-First Observability & Data Masking

Project Paced prioritises user privacy by implementing "Private by Default" configurations for all session recording and error monitoring activities. We employ aggressive client-side masking techniques to ensure that sensitive Personally Identifiable Information (PII) is redacted before it ever leaves the user's browser.

Client-Side Redaction: Our Session Replay SDK is configured to automatically mask all HTML text nodes, user input fields, and media elements (images, videos, etc.) at the source. Redacted content is replaced with asterisks (***) or static placeholders, ensuring that the original data is never transmitted to or stored on our servers.

Regulatory Compliance: These controls are designed to align with strict regulatory frameworks, including GDPR, CCPA, and ISO 27001 (Annex A 8.11) regarding pseudonymisation and data masking.

Network Privacy: To prevent the accidental capture of PII in API communications, we have disabled the recording of network request and response bodies.

Security Accountability: All telemetry data is encrypted both in transit (TLS) and at rest (AES-256), and access to this data is strictly limited to authorised administrators via Multi-Factor Authentication (MFA).

Data Minimisation: We only collect the structural DOM changes necessary to reproduce technical errors; we have no business or technical requirement to see the actual data our customers are inputting into the platform.
Summary

Project Paced combines enterprise-grade infrastructure with intelligent automation to deliver a secure, compliant, and highly available platform. Our architecture leverages Google Cloud Platform's world-class security controls, while our operational practices ensure continuous monitoring, proactive vulnerability management, and transparent incident response.

For questions regarding this security whitepaper, please contact: security@projectpaced.com