Security & trust
Built for compliance — including our own.
Multi-tenant isolation, Microsoft Entra SSO with Conditional Access MFA, encryption at rest and in transit, UK data residency, and GDPR-aligned processing.
We treat security like a product feature, not a checkbox. Hovermarks is built on the same Azure primitives you'd use to run a regulated workload of your own.
The pillars of our trust posture
Each one is documented in our trust packet — available under NDA.
Multi-tenant isolation
Every customer gets a logically isolated tenant. Tenant isolation is enforced through query filters that apply automatically to every database read, scoped to the authenticated tenant claim. Foundational tests fail loudly the moment a query forgets the tenant filter.
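An added sketch of the pattern described above (illustrative code, not Hovermarks' own): a read path that derives the tenant predicate from the authenticated claim, and the isolation check that flags a query missing it. The schema, the names, the sample rows and the sqlite3 backend are all assumptions made for this example.

```python
import sqlite3

# Constructed schema: columns callers may filter on (tenant_id is never caller-settable).
SCHEMA = {"inspections": ("id", "asset", "status")}

class MissingTenantClaim(Exception):
    """The authenticated principal carries no tenant claim."""

class TenantReader:
    """Hypothetical read path: the tenant predicate is added here, not by callers."""
    def __init__(self, conn, claims):
        self.tenant = claims.get("tenant_id")
        if not self.tenant:
            raise MissingTenantClaim("refusing to read without a tenant claim")
        self.conn = conn

    def select(self, table, **filters):
        cols = SCHEMA[table]  # unknown table raises KeyError
        unknown = set(filters) - set(cols)
        if unknown:
            raise ValueError(f"not filterable: {sorted(unknown)}")
        where = ["tenant_id = ?"] + [f"{c} = ?" for c in filters]
        sql = f"SELECT tenant_id, {', '.join(cols)} FROM {table} WHERE {' AND '.join(where)}"
        return self.conn.execute(sql, [self.tenant, *filters.values()]).fetchall()

def scoped_read(conn, claims, table, **filters):
    """Normal read: always goes through TenantReader."""
    return TenantReader(conn, claims).select(table, **filters)

def forgot_filter(conn, claims, table, **filters):
    """Deliberately broken read, kept only to show what the isolation check catches."""
    return conn.execute(f"SELECT tenant_id, id, asset, status FROM {table}").fetchall()

def seed():
    """In-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inspections (tenant_id TEXT, id INTEGER, asset TEXT, status TEXT)")
    conn.executemany("INSERT INTO inspections VALUES (?,?,?,?)", [
        ("tenant-a", 1, "crane-01", "passed"), ("tenant-a", 2, "hoist-07", "failed"),
        ("tenant-b", 3, "crane-01", "passed"),
    ])
    return conn

def foreign_rows(read, conn, tenant):
    """Isolation check: rows handed to `tenant` that belong to another tenant."""
    rows = read(conn, {"tenant_id": tenant}, "inspections")
    return [r for r in rows if r[0] != tenant]

if __name__ == "__main__":
    print("leaked rows:", foreign_rows(forgot_filter, seed(), "tenant-a"))
```

Running `foreign_rows` against every read function in a test suite is what makes a missing tenant filter fail the build rather than reach production.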
Microsoft Entra ID SSO
Microsoft Entra ID with PKCE; per-tenant Conditional Access for MFA enforcement. No shared service accounts, no orphaned access.
Microsoft sign-in by default — MFA from day one
Every user signs in with their Microsoft account (email plus a one-time code Microsoft sends them, via Entra External ID). No Hovermarks password to set or steal. Organisations on Professional and Enterprise can layer their own Entra Conditional Access on top to enforce MFA, device compliance, or trusted-network rules. MFA is enforced at sign-in by the identity provider (Microsoft Entra External ID for customers, Microsoft Entra ID for platform admins). Session integrity is verified on every API call via signed JWTs with short expiry.
Encryption at rest and in transit
TLS 1.2+ in transit on every request. Encryption at rest via Microsoft-managed keys (Azure SQL TDE + Storage SSE), with strict per-tenant data isolation enforced at the application layer.
UK data residency
All inspection data, photos, and signatures are stored in the UK. We never replicate primary data outside the UK without your explicit consent.
GDPR-aligned by design
Soft-delete with 30-day restore window. Per-tenant data export to JSON. Hard-delete after retention with blob cleanup and a tamper-evident ledger entry. Customer data hosted in Azure UK South.
Tamper-evident audit log
Every meaningful action — sign-in, asset edit, inspection submit, certificate export — is recorded with actor, timestamp, and IP, on an append-only log.
Responsible disclosure
Found something? Email security@hovermark.co.uk. We acknowledge reports promptly and credit researchers who would like to be named.
Stop chasing paperwork. Start proving compliance.
Hovermarks is in active development. Try the preview today, or drop your email and we'll let you know the moment we hit general availability.