Technical

Data security & other technical aspects

Hosting Provider

We use AWS (Amazon Web Services), the largest cloud-computing provider in the world. AWS provide the infrastructure and platform for our apps. The apps run on AWS EC2 instances (virtual servers), each connected to an RDS (database) and S3 storage.

Data Location

Data is stored in the UK: we use AWS's Europe (London) region.

Data Encryption

Databases are encrypted at rest (RSA-2048 encryption).

PDFs and backups held in storage are encrypted at rest.

Data is encrypted in transit (TLS).

Data Isolation

Each set has its own dedicated database, held within a VPC (virtual private cloud) and accessible only by the set's own webapp.

Data Backups

Database backups are taken daily, weekly, monthly and yearly. These are held for 21 days, 4 weeks, 3 months and 1 year respectively. The weekly, monthly and yearly backups are held in full compliance WORM mode (i.e. they cannot be deleted by anyone until their retention period expires).

Service Level

We do not expect any noticeable interruptions to the service. AWS guarantee 99.5% uptime, and maintenance by them will be scheduled for nighttime. Our own occasional code updates take only a few minutes and are done out of office hours.

Login Authentication

We can set up login via Microsoft Entra ID (Microsoft's Identity and Access Management Service) for any set with an Entra ID account. This is convenient (SSO) and secure (MFA). Alternatively, straightforward password-based login is available, with rate-limit protection against brute-force attacks.

Codebase

The app itself uses an established and security-conscious web framework (Django), with numerous built-in security features.