Trust & Security

How Saldo handles your data.

Saldo reads project worklogs and cost-side data to compute live project margin. Most agencies that adopt it do so during a vendor due-diligence cycle, which means the questions on this page get asked — usually in a security questionnaire — before the contract is signed. This is the short version of those answers, in plain language. The longer version lives in our Data Processing Agreement and Privacy Policy.

UK / EU GDPR posture

We comply with the UK GDPR and the EU GDPR. In Saldo’s operating model your agency is the data controller (you control what gets entered and how it is used) and Saldo is the data processor (we process the data only on your written instructions, set out in the DPA). We do not sell, share or repurpose customer data. The contractual basis is the order form plus the DPA.

  • You own your data. Export and deletion are available on request and within the product.
  • Right to be forgotten: deleting a person from the system removes their personal data, including the PII fields held in snapshots, on a 30-day cycle.
  • Subject access requests are answered within statutory deadlines (typically 30 days; can be extended for complex cases under Art. 12).

Hosting and infrastructure

Saldo runs on Amazon Web Services (AWS), deployed to EU and UK regions. Customer data is stored on AWS infrastructure with full audit logging. Static assets and the public site are fronted by Cloudflare with UK IDTA in place for any non-EEA traffic.

  • TLS 1.3 in transit; AES-256 at rest on storage volumes.
  • Application-layer access via SSO with the customer’s identity provider on Enterprise tier; password + 2FA on Standard tier.
  • Network segmentation between application, database and operational tooling. No production access from operational tooling.
  • Daily encrypted backups with monthly restore tests; recovery point objective 24 hours, recovery time objective 4 hours.
  • Centralised audit logging with 12-month retention. All production access is logged with named individuals; reviewed quarterly.

Jira connection

The Jira connection is read-only. Saldo never writes to your Jira instance, never modifies tickets, and never creates worklogs. We pull projects, issues, components, labels, epics and worklogs through the standard Jira REST API, using credentials your team controls and can revoke at any time.

The connection is established with a service account or OAuth token your administrator creates. We do not store user passwords. Tokens are encrypted at rest with per-customer keys.

Payments

Subscriptions on Standard (£2,499 / month or £23,990 / year) are billed in GBP through Stripe, the industry standard for online payment processing. Saldo does not store or directly process payment card information. Stripe is certified to PCI DSS Service Provider Level 1. Customers paying in EUR, USD or AUD see the converted amount on Stripe’s checkout at the live spot rate; settlement is in GBP.

Enterprise contracts (from £5,999 / month) can be invoiced via bank transfer in GBP, EUR or USD by agreement. Tax (VAT / sales tax) is calculated and added at checkout via Stripe Tax for the Standard tier; Enterprise invoices are issued tax-aware based on the order form.

Compliance and audits

Saldo is operated under UK GDPR and ICO registration obligations. Our internal control set is modelled on the SOC 2 Trust Services Criteria — encryption, access management, change control, monitoring, incident response — and is documented in the security questionnaire we send to customers on request.

A SOC 2 Type II audit is on the roadmap as Saldo scales into the Enterprise tier; we will start it when we have the steady-state operating volume to make the report meaningful. Until then, vendor due diligence is served by this Trust page, the DPA, and our questionnaire.

  • UK GDPR / EU GDPR — compliant; ICO registered.
  • SOC 2 Type II — on the roadmap (no date committed).
  • Vendor security questionnaire (CAIQ-Lite or equivalent) — available on signed mutual NDA.

Sub-processors

We use a small, named list of sub-processors. The list is part of the DPA and is updated with at least 30 days’ notice before any addition or change. Customers may object on reasonable grounds.

  • Amazon Web Services (AWS) — primary cloud hosting and storage; EU and UK regions.
  • Cloudflare, Inc. — CDN, DDoS protection, edge cache; UK IDTA in place.
  • Stripe Payments UK Ltd — subscription billing.
  • Postmark / SMTP provider — transactional and marketing email.
  • Atlassian Pty Ltd — Jira API access (initiated by Customer; Saldo does not store Atlassian data centrally).

UK legal entity

Saldo is operated by a UK limited company registered in England and Wales. The contractual jurisdiction is therefore England and Wales — a transparent, internationally recognised legal framework for B2B engagements. The verifiable details are below.

  • Legal entity: Franchise Family Ltd (trading as Saldo)
  • Company number: 17179848 · England and Wales
  • Registered office: Stoney Works, 8 Stoney Lane, London SE19 3BD, United Kingdom

Reporting an issue

For security-related concerns, please email security@saldo.team with a description of the issue. We acknowledge security reports within one working day and aim to triage within five. Vulnerabilities reported in good faith are not pursued legally (responsible disclosure).

For all other questions, including requests for the security questionnaire or the latest sub-processor list, hello@saldo.team is the right address.