Everything procurement, security, and data-protection teams need to evaluate Foldr. Live links where the document is published. Available-on-request where it isn’t. On-the-roadmap where work is in progress, with no fake dates.
Last updated 2026-05-07
How Minnow IT collects and uses personal data on the marketing site and in Foldr SaaS, including international transfers and your rights under UK and EU GDPR.
Every cookie and item of browser storage we use, with name, purpose, and lifetime. No analytics or advertising trackers.
Article 28 contract with Annex 1 (parties and processing), Annex 2 (Technical and Organisational Measures), Annex 3 (Sub-processor reference), and Annex 4 (EU SCCs and UK IDTA). Sent in editable form for redline.
Current third parties that may process Customer Personal Data, with named entities, regions, and transfer safeguards. AI page covers the Bedrock-invoking-Anthropic-Claude routing for Grace, Captur, and mash.grace.*, and the EU AI Act Article 50 self-classification.
Article 30 register summary covering processing as Controller (visitors, leads, billing contacts, employees) and as Processor (Foldr SaaS Customer instances).
Drafted. Will be linked publicly once it is referenced from the master services agreement; until then it forms part of the contract sent at signing.
Authentication, encryption, hosting, and audit. Plain description, no marketing-speak.
Scope, response targets (acknowledgement in 5 working days, triage in 10), safe harbour, and coordinated disclosure with our Sub-processors.
RFC 9116 contact file at /.well-known/security.txt. Annual Expires stamp; no PGP key, plaintext over TLS.
Recovery objectives (RTO 24 hours, RPO 24 hours), backup retention, encryption, and our DR test approach.
Minnow IT Ltd is registered with the UK Information Commissioner’s Office under registration number Z3317461. Public entry searchable at the ICO.
Minnow IT Ltd, company number 07970411, registered in England and Wales. Registered office: Bristol and Bath Science Park, Dirac Crescent, Bristol BS16 6TH.
Our control framework is mapped to the ISO/IEC 27001 Annex A taxonomy today. SOC 2 Type II first report and ISO 27001 certification are on the roadmap. We will not paste a logo we have not earned.
Most recent third-party penetration test summary, redacted, plus our standard buyer due-diligence questionnaire response (CAIQ Lite or SIG Lite, whichever you use).
Foldr SaaS data is processed in the United Kingdom and the European Union by default, on infrastructure operated by us. AI traffic uses an Amazon Bedrock inference profile that routes to AWS regions worldwide by default; enterprise Customers can opt into an EU-only Bedrock profile that keeps invocations inside the EU and EEA. The full sub-processor list with named entities and regions is sent on request.
| What | Where | Transfer safeguard |
|---|---|---|
| Application compute, managed MySQL, managed Valkey cache | Vultr, London (LHR), United Kingdom | In-region; ISO 27001 / SOC 2 (Vultr). |
| Object storage for media, thumbnails, preview cache | Vultr, Amsterdam (AMS), Netherlands | EU SCCs in the Vultr DPA. UK Vultr region migration in progress. |
| Transactional email and Inbox ingestion (SES, S3, SNS) | AWS, eu-west-2 (London), United Kingdom | In-region; AWS GDPR DPA. |
| AI gateway (Amazon Bedrock invoking Anthropic Claude) | AWS, us-east-1 by default; eu-west-2 source with EU-only destinations on enterprise contracts | EU SCCs and UK IDTA in the AWS GDPR DPA. Bedrock service terms confirm prompts are not used to train any model and are not shared with the model provider. |
| OCR (Amazon Textract) when enabled | AWS, eu-west-2 (London), United Kingdom by default | In-region; AWS GDPR DPA. |
| Operational telemetry (logs, metrics, traces) | Grafana Cloud, US stack | EU SCCs and UK IDTA in the Grafana Labs DPA. |
| Customer support ticketing | Zendesk, United States with EU data hosting available | EU SCCs and UK IDTA in the Zendesk MSA. |
Customer-controlled storage backends (SMB, FTP, SFTP, WebDAV, Amazon S3, Azure Blob, Microsoft 365, Google Workspace, Dropbox, Backblaze B2, and others) are processed in whichever region the Customer has configured. Those endpoints are governed by the Customer’s own contract with the upstream provider.
Terms covering the marketing site and free-tier Foldr SaaS. Paid SaaS subscriptions and Appliance licences are governed by a separate written agreement.
The signed contract under which paid Customers receive the Service. Includes the Acceptable Use Policy and points at this Trust Centre and the DPA.
All three route to the same monitored inbox; pick the alias that matches the topic.
Subject access requests, sub-processor enquiries, DPA negotiation, and anything covered by this page.
Vulnerability reports and security questions covered by the Vulnerability Disclosure Policy.
Reports about content or activity hosted by a Foldr Customer that you believe is abusive, illegal, or violates our Acceptable Use Policy.