Trust Center

How ShiftCover365 keeps shift operations secure, accountable and transparent.

A factual overview of how the live platform handles authentication, data, payments and operational records — written for procurement, security and legal reviewers.

System operational· View status

01 — Overview

Platform trust overview

Operational accountability
Secure authentication
Audit logging
Workforce reliability monitoring
UK GDPR-aligned operations

02 — Subprocessors

Named subprocessors currently in use

These are the third-party services that help us operate ShiftCover365 today. We do not currently use any analytics, advertising or marketing processor.

Resend

Purpose
Transactional email delivery (account verification, password reset, welcome emails)
Region
United States
Data
Recipient email address, full name, message content
Reviewed
Feb 2026

Stripe

Purpose
Payment processing, saved payment-method tokens, branch billing
Region
United States (UK & EU regional processing)
Data
Stripe customer ID, payment-method ID, billing email
Reviewed
Feb 2026

Emergent

Purpose
Application hosting, infrastructure, object storage for profile photos
Region
Global cloud infrastructure
Data
Application traffic, profile photo binaries
Reviewed
Feb 2026

MongoDB

Purpose
Primary database storage for application records
Region
Managed cloud region
Data
User accounts, shifts, ratings, audit logs, accountability records
Reviewed
Feb 2026

03 — Security

Data security in practice

ShiftCover365 does not currently hold formal certifications (such as ISO 27001 or SOC 2). The controls below describe what is actually implemented today.

Password hashing

All passwords are stored as bcrypt hashes. Plain-text passwords are never logged or persisted.

JWT authentication

Sessions are signed JWTs (HS256, 24-hour expiry). Tokens live in browser local storage and are cleared on sign-out.

Role-based access control

Manager, worker and admin roles are enforced server-side on every protected endpoint.

Operational audit logging

Account creation, deletion, payment attempts and key shift state changes are recorded in tamper-evident system logs.

Encrypted payment handling

Card data is collected and stored exclusively by Stripe. ShiftCover365 only stores reference tokens, never card numbers.

04 — Transparency

Operational transparency

Soft-delete behaviour

When you delete your account, it is marked as deleted and sign-in is blocked. Operational records are retained where necessary for audit, dispute resolution, fraud prevention and legal obligations.

Operational retention

Shift records, ratings, accountability data, till checks, discrepancy reports and payment history are retained in full. Identifying personal data can be anonymised on a verified erasure request.

Support & admin access

A small number of authorised ShiftCover365 administrators may view operational data for support, fraud-prevention, dispute-resolution and platform-health purposes. All admin actions are logged.

05 — GDPR & Privacy

UK GDPR alignment

UK GDPR & DPA 2018

The platform is operated in line with the UK General Data Protection Regulation and the Data Protection Act 2018.

Lawful bases

Contract necessity, legitimate interests, legal obligation and consent — applied per processing activity.

Data subject requests

Access, correction, deletion, restriction, objection, portability and consent withdrawal. We respond within one month, in line with UK GDPR.

ICO complaint rights

You can complain to the UK Information Commissioner's Office at any time. We will cooperate fully with any formal inquiry.

06 — Status

System status

All systems operational

Live component health and incident history.

View live status

Security or procurement questions?

We respond to vendor reviews, DPIAs and supplier-security questionnaires from prospective branch partners.

Contact security