Security

What protects the work.

The marketing surface has no PII and no auth. The SaaS at app.robinreturn.co.uk does, and it is the same regulated boundary your invoice and debtor data lives behind.

Transport & browser

Encrypted, isolated, locked down.

I. HTTPS everywhere
Every request to www.robinreturn.co.uk and app.robinreturn.co.uk is encrypted with TLS 1.2 or higher. Plain-HTTP requests are 301-redirected to HTTPS at the edge.

II. HSTS preloaded
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload is served on every response. Browsers that have seen the policy, or ship it via the preload list, upgrade any plain-HTTP request to either host to HTTPS before it leaves the browser, even when the address was typed without https://.

III. Strict CSP
Content-Security-Policy locks the marketing site to 'self' + an explicit allow-list of consent-gated analytics origins. Inline scripts use 'unsafe-inline' only for JSON-LD blocks and the small consent-mode bootstrap. No third-party iframes; frame-ancestors 'none' blocks framing.

IV. Same-origin isolation
Cross-Origin-Opener-Policy: same-origin and X-Frame-Options: DENY. Access-Control-Allow-Origin is pinned to the canonical origin — no wildcard CORS.
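As an added example (not Robin Return's own tooling), a small Python check that audits a response header set against the four points above: HSTS of at least a year with includeSubDomains and preload, frame-ancestors 'none', COOP same-origin, X-Frame-Options DENY, and a CORS origin pinned to the canonical host. The canonical origin and the sample header values are assumed/constructed; swap in the headers from a real response to check a live deployment.

```python
"""Check a response header set against the transport policy stated above."""

CANONICAL_ORIGIN = "https://www.robinreturn.co.uk"  # assumed canonical origin

# Constructed sample headers matching what the page describes.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": CANONICAL_ORIGIN,
}

def parse_hsts(value: str) -> dict[str, str]:
    """'max-age=1; includeSubDomains' -> {'max-age': '1', 'includesubdomains': ''}"""
    out: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def parse_csp(value: str) -> dict[str, list[str]]:
    """'default-src a b; frame-ancestors c' -> {'default-src': ['a', 'b'], ...}"""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers: dict[str, str], origin: str = CANONICAL_ORIGIN) -> list[str]:
    """Return the policy violations found; an empty list means the set passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems: list[str] = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < 31536000:
        problems.append("hsts: max-age missing or below one year")
    for flag in ("includesubdomains", "preload"):  # both required for preloading
        if flag not in hsts:
            problems.append(f"hsts: {flag} missing")
    if parse_csp(h.get("content-security-policy", "")).get("frame-ancestors") != ["'none'"]:
        problems.append("csp: frame-ancestors is not 'none'")
    if h.get("cross-origin-opener-policy") != "same-origin":
        problems.append("coop: not same-origin")
    if h.get("x-frame-options", "").upper() != "DENY":
        problems.append("xfo: not DENY")
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao != origin:  # "*" or any foreign origin fails
        problems.append("cors: allow-origin is wildcard or not the canonical origin")
    return problems
```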
Sub-processors

The third parties that help run the platform.

Each entry is a data processor or sub-processor under UK GDPR. The data they touch and the legal basis are set out in the privacy notice; this page is the same list in a one-glance shape.

  Provider                | Role                                                                            | Region
  Cloudflare              | DNS · DDoS protection · CDN · TLS termination · Pages hosting (marketing site)  | Global anycast
  Hetzner Cloud           | Server infrastructure (SaaS app, analytics)                                     | European Union (Germany / Finland)
  Clerk                   | Authentication for the SaaS                                                     | US (data residency option in roadmap)
  Stripe                  | Payment processing for the SaaS                                                 | EU / UK / US (Stripe's standard regional model)
  Resend                  | Transactional email delivery from the SaaS                                      | EU
  Migadu                  | Mailbox hosting for @robinreturn.co.uk addresses                                | Switzerland
  Cloudflare R2           | Object storage (PDFs, evidence packs)                                           | EU
  OpenPanel (self-hosted) | Web analytics — visitor events, no PII                                          | Hetzner / Germany
  Sentry                  | Frontend error monitoring (legitimate interest)                                 | EU (Frankfurt)
Reporting a vulnerability

Found a hole? Tell us.

We follow RFC 9116. The canonical disclosure contact lives at /.well-known/security.txt and routes to security@robinreturn.co.uk.

What we ask. Give us a clear, reproducible description of the issue and a sensible amount of time to fix it before publishing. We do not currently offer a paid bug bounty, but we will credit the reporter in the changelog at their preference.

What is out of scope. Denial-of-service testing, social engineering, physical attacks, attacks on third-party providers we depend on.