Security

Last updated: June 2026

Your rota holds real people's contact details and working patterns. We treat that as data worth protecting. Here is how we do it, in plain terms.

Encryption everywhere

All traffic runs over HTTPS (TLS). Data is encrypted in transit and at rest in our database. Card details are handled entirely by Stripe and never touch our servers.

Access control

Accounts are protected by authenticated sessions. Within a venue, owners and managers see what their role allows, and each business’s data is isolated from every other.

Trusted infrastructure

We build on Supabase and Vercel, hosted in UK and EU regions. We do not run our own servers, which removes a large class of patching and configuration risk.

Backups and recovery

The database is backed up automatically by our hosting provider, with point-in-time recovery available, so your rotas and team data can be restored if something goes wrong.

Least data, least sharing

We collect only what the Service needs and never sell personal data. A short list of vetted subprocessors is published openly.

Responsible disclosure

Found a security issue? Email us and we will investigate promptly. We welcome good-faith reports and will not pursue researchers who act responsibly.

Data location and transfers

Core data is hosted in UK and EU regions. Some subprocessors operate outside the UK; where that happens we rely on UK GDPR transfer safeguards such as Standard Contractual Clauses. The full list is on our Subprocessors page.

Report a vulnerability

Please email hello@batchstaff.com with details and steps to reproduce. We aim to acknowledge reports within two working days.

See also our Privacy Policy, DPA, and Trust centre.

Batch is a product of TeZe Ltd · company number 17137231 · 66 Paul Street, London, EC2A 4NA · ICO registration ZC134108 · VAT GB 517 9808 54. Cyber Essentials certification in progress.