Where is my data stored?

All customer data — conversations, file uploads, encryption keys, audit logs, and backups — is stored in the United Kingdom. LLM prompts are scrubbed by the SCRS Data Firewall before leaving UK infrastructure.

What encryption does Other Me use?

AES-256-GCM encryption at rest with per-document data encryption keys (DEKs) wrapped by key encryption keys (KEKs) held in UK KMS. TLS 1.3 for all data in transit.

Is Other Me GDPR compliant?

Yes. Other Me is fully compliant with UK GDPR and the Age Appropriate Design Code. SOC 2 Type II and ISO 27001 certifications are on our roadmap.

Trust Center — Security & Compliance | Other Me by Pop Hasta Labs

How SCRS protects your data

Every query passes through two cryptographic gates before any AI model sees your data. Blocked data never leaves the firewall.

Your Data

Conversations & Files

→

Encrypted Storage

AES-256-GCM

→

Gate 1 — Scope

Filter & Restrict

→

Gate 2 — Verify

Decrypt & Redact

→

AI Model

Clean prompt only

1

Gate 1: Scope Control

Controls what can be found. Applies tenant isolation, collection-level access, and label-based filtering before any retrieval occurs. Data outside the authorised scope is invisible to the query.

2

Gate 2: Verification

Controls what can be revealed. Performs re-verification of access rights, decrypts only authorised documents, runs integrity checks, and redacts PII before the prompt reaches the AI model.

Blocked data never reaches the AI model

Your data stays in the United Kingdom

Every byte of customer data is stored and processed within UK infrastructure. No exceptions.

Data Type	Location
Conversations	🇬🇧 United Kingdom
File uploads	🇬🇧 United Kingdom
Encryption keys	🇬🇧 UK KMS
Audit logs	🇬🇧 United Kingdom
Backups	🇬🇧 United Kingdom

LLM inference: Prompts are scrubbed by the SCRS Data Firewall (PII redaction, scope enforcement) before leaving UK infrastructure. No raw customer data is transmitted to model providers.

Encrypted at rest, in transit, and in use

Three layers of protection ensure your data is never exposed at any stage of the pipeline.

At Rest

✓ AES-256-GCM encryption
✓ Per-document Data Encryption Key (DEK)
✓ Key Encryption Key (KEK) held in UK KMS
✓ Tamper-evident integrity hashes

In Transit

✓ TLS 1.3 on all connections
✓ HSTS enforced
✓ Certificate pinning on API endpoints
✓ No data sent over unencrypted channels

In Use

✓ PII redacted before AI processing
✓ Scope-filtered retrieval
✓ No raw data in LLM prompts
✓ Redaction map for rehydration

Kill Switch

Enterprise administrators can instantly revoke all encryption keys for their organisation, rendering stored data cryptographically inaccessible. This is a one-click action available from the enterprise dashboard at any time.

Compliance & Certifications

Where we stand today and where we're heading.

Framework	Status
UK GDPR	Compliant
Age Appropriate Design Code	Compliant
SOC 2 Type II	On roadmap — Q4 2026
ISO 27001	On roadmap — 2027
Cyber Essentials	In progress
EU AI Act	Monitoring

Subprocessors

A complete list of third parties that process customer data on our behalf.

Subprocessor	Purpose	Data Processed	Location
Heroku (Salesforce)	Infrastructure hosting	All platform data	EU (Ireland)
Heroku Postgres	Database hosting	All personal data	EU (Ireland)
Heroku Redis	Session caching, WebSocket channels	Session tokens, chat state	EU (Ireland)
Cloudinary	Media storage	Profile images, uploaded files	EU
Mailgun (Sinch)	Transactional email	Email addresses, OTP codes	EU
Revolut	Payment processing	Billing details, card tokens	UK / EU
OpenAI	LLM inference	Chat prompts (SCRS-redacted)	US
Anthropic	LLM inference	Chat prompts (SCRS-redacted)	US
Google (Gemini)	LLM inference	Chat prompts (SCRS-redacted)	US
xAI (Grok)	LLM inference	Chat prompts (SCRS-redacted)	US

All LLM providers receive SCRS-redacted prompts only. PII is pseudonymised before transmission.

International transfers: For US-based LLM providers, prompts are processed through the SCRS Data Firewall which pseudonymises all PII before transmission. We are pursuing Standard Contractual Clauses (SCCs) with each provider.

Contractual training prohibition: All LLM provider contracts include explicit clauses prohibiting the use of customer data for model training. SCRS-scrubbed prompts contain no raw PII or proprietary content.