Last updated 19 April 2026. Next review 19 July 2026.
TMGuard handles trademark monitoring data for small businesses and IP professionals. This page describes how we protect that data: the controls we have in place, how we think about risk, and how to reach us with questions or vulnerability reports. It is updated when our practices change and reviewed quarterly.
TMGuard runs on SOC 2 Type II certified hosting and database providers with EU data residency as the primary region. Payment processing is handled by a PCI-DSS Level 1 certified provider; we never store card data or handle it directly. Email delivery uses a GDPR-compliant transactional email provider.
Access to production infrastructure is restricted to authorised administrators with authentication controls appropriate to the sensitivity of the action.
Data is encrypted in transit using modern TLS. Transport security is enforced by HTTP Strict Transport Security with a long-duration policy, which instructs browsers never to connect over plain HTTP.
Data is encrypted at rest using industry-standard algorithms at the storage layer.
Passwords, where used, are protected with modern cryptographic hashing rather than reversible encryption or plaintext storage.
Content Security Policy is enforced site-wide with an allowlist of permitted sources for scripts, styles, images, and connections. Third-party analytics and payment processing are allowlisted; everything else is blocked.
User-visible content rendered from the database is sanitised before rendering, to prevent script injection.
Security headers are applied on every response: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Framing of TMGuard pages is disallowed by default.
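The header set and CSP allowlist described in the two paragraphs above can be checked mechanically on every deploy. The following is an added example, not TMGuard's code: a small Python audit that takes a response's headers and reports any deviation from the stated posture (a long-duration HSTS policy, a CSP with an explicit default-src fallback and no wildcard or unsafe-inline sources, framing denied, nosniff). The analytics and payment origins in the sample header sets are constructed placeholders, not TMGuard's real allowlist.

```python
"""Audit a response's security headers against the posture described above.

Added example, not TMGuard's code. The header values and the allowlisted
analytics/payment origins are constructed placeholders.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; treat anything shorter as not "long-duration"

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
# Directives whose source lists are checked for over-broad entries.
CHECKED_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src", "connect-src")
OVERBROAD_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}

# Constructed header set matching the page's description (origins are placeholders).
EXAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'none'; "
        "script-src 'self' https://analytics.example; "
        "style-src 'self'; "
        "img-src 'self' data:; "
        "connect-src 'self' https://analytics.example https://payments.example; "
        "frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed weak counterpart: short HSTS, inline scripts allowed, one header missing.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "dir src src; dir src" into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> int | None:
    """Return the max-age of an HSTS header, or None if absent or malformed."""
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in REQUIRED_HEADERS if n not in h]

    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None or age < ONE_YEAR:
            findings.append("hsts: max-age below one year")

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        if "default-src" not in csp:
            findings.append("csp: no default-src, unlisted resource types are unrestricted")
        for directive in CHECKED_DIRECTIVES:
            for src in csp.get(directive, []):
                if src in OVERBROAD_SOURCES or src.startswith("http:"):
                    findings.append(f"csp: {directive} allows {src}")
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("csp: frame-ancestors should be 'none' to match framing policy")

    if "x-frame-options" in h and h["x-frame-options"].upper() != "DENY":
        findings.append("x-frame-options: expected DENY")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options: expected nosniff")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print(finding)
```

Running the audit against `EXAMPLE_HEADERS` yields no findings; against `WEAK_HEADERS` it flags the missing Permissions-Policy, the short HSTS max-age and the `'unsafe-inline'` script source. The same function can be pointed at a live response's headers in a post-deploy smoke test.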
Public API endpoints are rate-limited with tier-aware thresholds; authenticated endpoints enforce per-tenant limits scaled to subscription level.
Session tokens are short-lived and rotated when account credentials change. Administrative sessions have tighter lifetimes than customer sessions.
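One way to implement the session behaviour described above, as an added example that is not TMGuard's code: each session carries the credential version it was issued under, so bumping that version on a password change revokes every outstanding session at once, and the lifetime depends on whether the user is an administrator. The one-day and one-hour lifetimes, the `User` and `SessionStore` names, and the use of a SHA-256 digest as the storage key are assumptions made for the example.

```python
"""Short-lived, role-aware session tokens revoked when credentials change.

Added example, not TMGuard's code. The lifetimes are assumed values chosen
to illustrate tighter lifetimes for administrators.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

CUSTOMER_TTL = 24 * 60 * 60  # assumed: one day
ADMIN_TTL = 60 * 60          # assumed: one hour


@dataclass
class User:
    user_id: int
    is_admin: bool = False
    credential_version: int = 1  # bumped whenever the password or MFA changes


@dataclass
class SessionRecord:
    user_id: int
    credential_version: int  # version the session was issued under
    expires_at: float


class SessionStore:
    def __init__(self) -> None:
        self._users: dict[int, User] = {}
        self._sessions: dict[str, SessionRecord] = {}

    def add_user(self, user: User) -> None:
        self._users[user.user_id] = user

    @staticmethod
    def _key(token: str) -> str:
        # Only a digest of the token is stored, so a leaked session table
        # cannot be replayed directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: int, now: float) -> str:
        user = self._users[user_id]
        token = secrets.token_urlsafe(32)
        ttl = ADMIN_TTL if user.is_admin else CUSTOMER_TTL
        self._sessions[self._key(token)] = SessionRecord(
            user_id, user.credential_version, now + ttl
        )
        return token

    def validate(self, token: str, now: float) -> int | None:
        """Return the user id for a live session, or None (and forget the
        session) if it has expired or was issued before a credential change."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        user = self._users[rec.user_id]
        if now >= rec.expires_at or rec.credential_version != user.credential_version:
            del self._sessions[key]
            return None
        return rec.user_id

    def change_password(self, user_id: int, now: float) -> str:
        """Rotate: bump the credential version (invalidating every session
        issued under the old one) and hand back a fresh token for the caller."""
        self._users[user_id].credential_version += 1
        return self.create(user_id, now)
```

Keeping the version on the user record rather than walking the session table means revocation costs nothing at password-change time and is enforced lazily on the next request, which also covers sessions held in a separate cache or replica.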
Tenant data isolation is enforced at the database query layer. Every customer-scoped query is filtered by tenant identity derived from the authenticated session, never from client-supplied input.
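The query-layer rule stated above is easiest to see as code. The following added example (not TMGuard's code) uses an in-memory SQLite table of watched marks for two constructed tenants and contrasts the anti-pattern, where the tenant id is read from the request, with the described design, where every customer-scoped query takes its tenant filter from the authenticated session and object lookups filter by both id and tenant. The table layout, tenant ids and `Session` type are assumptions for the example.

```python
"""Tenant isolation at the query layer: tenant identity comes from the
authenticated session, never from request parameters.

Added example with an in-memory SQLite schema; not TMGuard's code.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    tenant_id: int  # bound at login; nothing in a request can change it


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (10 and 20), three watched marks."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE marks (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, mark TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO marks (id, tenant_id, mark) VALUES (?, ?, ?)",
        [(1, 10, "ACME"), (2, 10, "ACME PRO"), (3, 20, "GLOBEX")],
    )
    return db


def list_marks_unsafe(db: sqlite3.Connection, tenant_id_from_request: int) -> list[str]:
    """Anti-pattern: the filter value is whatever the client sent.
    Any authenticated user can read another tenant's rows by changing it."""
    rows = db.execute(
        "SELECT mark FROM marks WHERE tenant_id = ? ORDER BY id", (tenant_id_from_request,)
    )
    return [r[0] for r in rows]


def list_marks(db: sqlite3.Connection, session: Session) -> list[str]:
    """Described design: the filter value is the session's tenant id."""
    rows = db.execute(
        "SELECT mark FROM marks WHERE tenant_id = ? ORDER BY id", (session.tenant_id,)
    )
    return [r[0] for r in rows]


def get_mark(db: sqlite3.Connection, session: Session, mark_id: int) -> str | None:
    """Object lookups filter by id AND tenant, so an id belonging to another
    tenant resolves to 'not found' rather than to that tenant's data."""
    row = db.execute(
        "SELECT mark FROM marks WHERE id = ? AND tenant_id = ?", (mark_id, session.tenant_id)
    ).fetchone()
    return row[0] if row else None


def demo() -> tuple[list[str], list[str], str | None]:
    db = build_db()
    acme_user = Session(user_id=1, tenant_id=10)
    request = {"tenant_id": 20}  # constructed request claiming another tenant
    leaked = list_marks_unsafe(db, request["tenant_id"])  # hands over GLOBEX data
    own = list_marks(db, acme_user)                       # request field is never consulted
    cross = get_mark(db, acme_user, 3)                    # id 3 belongs to tenant 20
    return leaked, own, cross


if __name__ == "__main__":
    print(demo())
```

In a real code base the same rule is usually enforced centrally (a repository base class or an ORM default scope that always injects `session.tenant_id`), so that no individual query can forget the filter; the two list functions here make the difference visible in one place.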
All administrative actions are logged to an append-only audit trail with actor, timestamp, action type, and affected resource.
Dependencies are reviewed monthly. High-severity vulnerabilities in direct or transitive dependencies are patched within one week of disclosure where upstream fixes are available.
Libraries without upstream security fixes are replaced or contained through compensating controls. Our production dependency audit is maintained at zero high-severity vulnerabilities.
TMGuard is registered with the UK Information Commissioner’s Office as a data controller. We operate under the UK GDPR and associated data protection regulations.
A Data Processing Agreement is available to B2B customers on request via security@tmguard.uk. We maintain an Article 30 Record of Processing Activities, and have conducted Data Protection Impact Assessments and Legitimate Interest Assessments for the processing activities that require them. Summaries are available to customers on request.
Sub-processors assist with hosting, database, payments, email, and AI-powered analysis of public trademark register data. The full list, including purposes and processing locations, is shared with B2B customers under DPA.
Customer data is retained for the duration of the subscription plus a short post-cancellation window. After that, it is permanently deleted unless legally required otherwise.
Customers may request data export or deletion at any time via privacy@tmguard.uk; requests are handled within statutory timeframes.
TMGuard maintains an incident response procedure covering detection, containment, remediation, and notification.
In the event of a confirmed breach involving personal data, affected customers are notified within the timeframe required by GDPR (72 hours for reportable incidents).
Material security incidents are logged; a public post-incident summary will be published where appropriate once remediation is complete.
We welcome security research into TMGuard. Vulnerabilities should be reported privately to security@tmguard.uk.
We commit to acknowledging reports within 48 hours and providing a status update within 7 days. Researchers who follow responsible disclosure are credited publicly (with permission) in our security change history.
A security.txt file is published at /.well-known/security.txt following RFC 9116.
Security page first published. Full internal security audit completed with all critical and high findings closed. Session handling hardened. Content Security Policy moved to enforce mode. Tier-aware rate limiting shipped. Dependency audit reduced to zero high-severity vulnerabilities. Security headers enforced site-wide.