How we protect your project data
Buyers share drawings, specifications and commercial information through Industrial Connected. Suppliers share certifications, capacity data and credentials. This page describes the controls that are in place today to keep that data confidential, available and under the right people's control.
This page is maintained by Industrial Connected. It describes platform controls that are currently enabled. It is not a third-party audit, certification or attestation.
Encryption
- In transit. All connections to industrialconnected.com, the application and the API use TLS 1.2 or higher. HTTPS is enforced; plaintext HTTP is redirected.
- At rest. The database, file storage and backups are encrypted using AES-256 at the storage layer by our cloud infrastructure provider. Encryption keys are managed by the provider and rotated to the provider's published schedule.
- Files. Uploaded drawings, attachments, case study media, certifications and other files are stored in private buckets. They are never served from a public URL. Authorised users receive short-lived signed links generated on demand.
Authentication and account access
- Two-factor authentication. All users can enrol an authenticator app (TOTP) and download backup codes from their Security settings.
- Mandatory for admins. Industrial Connected staff with admin roles must have two-factor authentication enrolled before they can reach any administrative area of the platform. The gate runs server-side on every navigation.
- Password hygiene. Minimum length and complexity are enforced, and passwords are checked against the Have I Been Pwned breached-password list at sign-up and on change.
- Session management. Sessions are bound to a device cookie, refreshed automatically and revoked on sign-out. Trusted devices can be reviewed and removed from Security settings.
- Email change and password reset require verification codes delivered to the address on file and, where set up, to the user's authenticator.
Access control and isolation
- Row-level security. Every database table that contains user data has row-level security enabled. Policies are written so that a query can only return rows the signed-in user is entitled to see, even if application code has a bug.
- Least privilege. The application connects to the database with a role that has no access to administrative tables, secrets or other tenants' data. Privileged operations (for example: support actions, billing reconciliation) run server-side, are gated by role checks, and are written to an immutable audit log.
- Internal audit log. Every administrative action against a user account, project or supplier profile is recorded with the actor, action, target and timestamp.
Sensitive projects and supplier visibility
Engineering data is more sensitive than most platform content. Industrial Connected gives buyers and suppliers tools to control who sees what:
- NDA-gated briefs. A project can be set to require the platform's standard mutual NDA. Until a supplier e-signs it, they only see the summary; the full brief, attachments and contact details remain hidden.
- Auto-suggested for regulated sectors. When a buyer selects a sensitive industry (defence, aerospace, nuclear), NDA-gated visibility is turned on by default and a banner reminds them to use it.
- Per-supplier visibility tiers. Suppliers can mark parts of their profile (gallery, certifications, brochure, key clients) as private and require interested buyers to request access.
- Watermarked previews. Sensitive supplier assets are served through a watermark proxy so that screenshots and downloads are tied back to the specific viewer.
- Access logs. Every view of a sensitive asset, every NDA signature and every cross-party introduction is logged for audit by the asset owner.
Role separation
Roles are stored in a dedicated table, not on the user profile, so a buyer or supplier account cannot grant itself an admin role. The roles are:
- Buyer - posts projects, reviews supplier responses, manages NDAs.
- Supplier - manages a company profile, applies to projects, reads briefs once NDA-gated where required.
- Admin - Industrial Connected staff with two-factor enforced and every action audited.
Backups and resilience
- Daily database backups are taken automatically by our cloud infrastructure provider, with point-in-time recovery within the supported window.
- File storage is replicated by the provider to protect against single-disk and single-availability-zone failures.
- Restore drills. Backups are validated by spot-restoring into a non-production environment on a periodic basis.
Data we do not collect
- No third-party analytics (no Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, session replay).
- No advertising trackers.
- No payment card data stored on our servers. Card payments are handled by Stripe in their PCI-DSS environment; we only see a payment status and the last four digits.
See the Cookie Policy for the short list of first-party functional cookies we set.
Incident response and disclosure
We monitor application and infrastructure logs for unusual activity. If we identify a personal-data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR.
- Notify the affected users directly with a description of the breach, its likely consequences and the steps we are taking.
- Provide a post-incident summary to enterprise buyers and suppliers on request.
If you believe you have found a security vulnerability in Industrial Connected, please report it to support@industrialconnected.com. We ask that you give us a reasonable period to investigate and remediate before any public disclosure, and we will credit researchers who report responsibly.
Procurement and supplier security questionnaires
We are happy to complete vendor security questionnaires for enterprise buyers and to share additional detail on infrastructure, retention periods and subprocessors under NDA. Contact us at support@industrialconnected.com with your requirements.
Version 1.0. Last updated 20 June 2026. See also our Privacy Policy, Terms and Conditions and Cookie Policy.