Security at Music Intel.
We are an early-stage UK company with a forensic-data background. We take security seriously because our entire product depends on it. This page describes the practices we actually follow today, what we are working towards, and where we are not yet.
Encryption.
All traffic between you and our services is encrypted in transit using TLS 1.2 or 1.3. HSTS is enforced on the app domain.
Customer data and operational databases are encrypted at rest using disk-level encryption on the underlying hosts. Access tokens for connected platforms (OAuth: Meta, Google, Spotify) are encrypted with a separate key before being written to the database.
Hosting and data residency.
Primary hosting is in the UK and EU. Production infrastructure runs on managed Linux hosts under our own administration; we do not co-mingle customer data on shared multi-tenant SaaS where avoidable.
Any cross-border transfer (e.g. CDN edge nodes outside the UK or EU) uses appropriate safeguards: the UK International Data Transfer Addendum, Standard Contractual Clauses, and a transfer risk assessment for each subprocessor.
Subprocessor list and DPA are available on request: legal@musicintel.co.uk.
Access control.
Production access is role-based, with least privilege as the default. Admin actions are logged. Production credentials are rotated on a schedule and on specific events (departure, suspected exposure, key compromise).
No single person can unilaterally access raw customer data without the action being logged.
What we collect, what we don't.
We minimise. The corporate site does not run third-party tracking pixels. The Musicata platform does not store full IPs longer than necessary for the operation that captured them; visitor records are aggregated within 30 days.
We do not sell customer data. We do not share customer data between tenants. We never train external machine-learning models on customer data.
Full breakdown: Privacy Policy.
Vulnerability disclosure.
If you have found a security issue, please tell us before disclosing publicly. Email security@musicintel.co.uk.
Our security.txt file follows RFC 9116 and lists the same contact.
We do not currently run a paid bug-bounty programme. We will acknowledge responsible disclosures and credit researchers on request.
Incident response.
Customers are notified of any incident affecting their data within the timeframes required by UK GDPR (personal-data breaches are reported to the ICO within 72 hours, and to data subjects without undue delay where required).
Operational incidents (outages, degraded service) are communicated by email to active customers. We do not yet run a public status page; this is on our 2026 roadmap.
What we do not yet have.
We are early-stage. We are not yet certified to ISO 27001. We are not yet certified to SOC 2. We are working towards Cyber Essentials (UK government-backed assurance scheme) as the first formal milestone.
If your procurement process requires a specific certification we do not yet hold, write to us. In several cases we have been able to satisfy the underlying requirement with documented practice plus contractual safeguards.
Security questions, audit requests, DPA enquiries: security@musicintel.co.uk
