Trust & Security
Your data is yours. We protect it like our business depends on it — because it does.
Compliance & Certifications
SOC 2 Type 2
Status: In Progress (with Vanta). Audit window underway, expected completion Q3 2026. The full report will be available under NDA on request.
GDPR & UK GDPR
Status: Active. Suply operates as a data processor for customer-uploaded shipment, sensor, and account data. Data is hosted in EU regions. Our DPA is available on request and is signed before any production data is processed.
ICO Registered
Status: Active. Suply is registered with the UK Information Commissioner's Office. This formally recognises Suply as a data processor under UK GDPR and confirms our obligations to UK-based customers and partners. Registration number available on request.
ISO 27001
Status: In Progress. Expected completion 2025. Not currently certified.
Data Ownership
Your data is yours.
Suply does not claim any rights to use, license, or repurpose customer data beyond the operation of the service.
You can leave at any time.
On termination, you can export all of your data in machine-readable formats (CSV, JSON). Suply deletes all customer data from production systems within 30 days of termination, and from backups within 90 days.
Your partners' access ends with yours.
When you terminate, any third parties you invited into shared records — surveyors, importers, underwriters — lose access at the same moment. No residual access. No archived copies.
Data Collection
We collect only what's needed to operate the service.
That's the full list. We don't collect anything else.
Hard limits
We never sell customer data. To anyone. Under any circumstances.
We never share customer-identified data with third parties without your written consent.
We never use customer data to train our own AI models or third-party AI models.
We never access your data outside operational requirements — incident response, customer-requested support, or legally required disclosure. All access is logged.
We never retain data after termination beyond the deletion windows above.
Permitted uses
Aggregated industry insights
We may produce anonymised insights — for example, seasonal claim-rate patterns by commodity, average dwell times at major ports, lane-level performance benchmarks. These are produced at a level of aggregation where individual customer activity cannot be identified or reverse-engineered. We use a defined anonymisation standard and document the threshold for any insight we publish.
Public network data
We may use generic carrier, vessel, route, and port performance data in our intelligence layer. This data is sourced from public AIS feeds, carrier APIs, and similar non-customer sources, and is available to all customers equally.
Customer stories and case studies
We may use explicitly-consented customer stories, quotes, and case studies in our marketing — only with written sign-off, and only with the level of detail you approve.
Artificial intelligence
Suply uses AI to generate parts of arrival reports, excursion analyses, claim pack narratives, and operational intelligence summaries. We are specific about how this works.
Provider
We use Anthropic's Claude through their enterprise API, on the no-training tier. Anthropic is contractually prohibited from training on data sent through our account. Data residency is governed by our enterprise agreement.
What goes to AI providers
Shipment metadata, environmental sensor readings, dwell phase information, and journey context — the operational data needed to produce a report.
What never goes to AI providers
Customer identity, partner contact details, account credentials, billing information, or anything outside the operational scope of producing the report.
No model training on customer data
Suply does not train its own foundational models on customer data. We do not fine-tune models on customer-identified data. Any internal model improvements are based on aggregated, anonymised feedback or synthetic data we generate ourselves.
Human-in-the-loop
AI-generated outputs are produced from your data but never used as the sole basis for an irreversible decision affecting your business without review. Reports are reviewed before they are issued. Claim packs are reviewed before they are filed.
Sub-processors
We use a small number of carefully selected sub-processors to operate the service. The current list is maintained at suply.co/sub-processors. We notify customers of changes 30 days in advance, and any customer can subscribe to the change feed.
Categories include: cloud infrastructure, database hosting, email and notification delivery, customer support tooling, error monitoring, analytics, and AI inference.
Security
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Access control
Customer data is accessible only to a defined set of Suply employees on a need-to-know basis. All production access is logged and reviewed monthly.
Authentication
All Suply employee accounts require single sign-on with multi-factor authentication. Customer accounts support SSO and MFA on request.
Audit logging
All data access — by Suply employees, by customers, by invited partners — is logged. Customers can request their own audit logs at any time.
Incident response
We maintain a documented incident response plan. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of confirmation, in line with GDPR requirements.
Vendor security
Every sub-processor is reviewed before onboarding for their own security posture, certifications, and data handling practices.
Employee training
All Suply employees complete security and data handling training on hire and annually thereafter.
Security research
Reporting a vulnerability
If you believe you've found a security vulnerability in Suply, please email security@suply.ai. We respond to all reports within 48 hours and work in good faith with researchers who report responsibly.
Contact
Suply Ltd is registered in England and Wales. Registered office: 20 Wenlock Road, London N1 7GU.