Security Statement

Updated 16/04/2021

Security Statement is part of TWENTY THOUSAND LEAGUES Ltd. This security statement will explain how we keep our infrastructure safe and reliable.

"End user" refers to public user of application hosted on a customer's website.

"Customer" refers to customer of

Data security

  • The core functionality of to display overlays is designed so we do not collect or store information on our servers in relation to how end users have navigated or interacted with a customer's website running the application. This data is non-identifiable and is only stored within local storage on the end user's device.
  • authorises access to its systems that store or process end user and customer data, based on the principle of least privilege (PoLP).
  • By default, does not collect any personally identifiable information about end users.
  • When additional lead capture functionality is utilised to collect personal information via native forms served within – end user's submitted data is encrypted at rest with 256-bit encryption and stored in databases based in the United Kingdom.
  • Any personally identifiable information or website interaction data captured and/or used by is not shared between customers.
  • Data connections to third party services such as Zapier authenticate using OAuth2 and all communications are over HTTPS using 4096-bit RSA keys.
  • Analytical reporting is supplied via customer's Google Analytics account, thus subject to Google's privacy terms, which can be found here.

Data retention

  • The end user's usage data recorded on customer's websites persists indefinitely on the user's device.
  • Data captured via forms is stored for up to 90 days after expiry of lead capture form, and can be deleted upon request.
  • Data at rest captured via native cues forms is encrypted with 256-bit encryption and stored within databases located within the United Kingdom.
  • Web server logs, which as standard contain a log of end user's IP addresses alongside the public file requested from our servers, are stored for 15 days and then permanently deleted.


  • runs in the cloud and does not manage its own routers, load balancers, DNS servers, or physical servers.
  • The servers leverage firewall protection within a secure VPN.
  • The majority of services are hosted on Digital Ocean and Amazon AWS infrastructure, both of which are based in the United Kingdom.
  • Digital Ocean and Amazon AWS operate with best-in-class security processes. You can read about this for Digital Ocean here and Amazon AWS here.
  • Servers are backed up daily and the backups are encrypted.
  • All web application communications are made over HTTPS with certificates RSA-signed using 4096-bit RSA keys.
  • No public SSH is allowed and staff access to servers is based on PoLP.
  • infrastructure aims to achieve a 99.9% uptime. In the event of an outage, fails gracefully and does not impact customer website performance.

Organisational security

  • new employees and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are checked to ensure that they are competent and capable of fulfilling their responsibilities.
  • Access to infrastructure, repositories and code review tools is removed from terminated employees within 24 hours.
  • has formal guidelines for passwords used to access admin tools. Raw passwords are not stored on servers and are hashed with an algorithm that uses 256-bit encryption.
  • Employee access to admin systems where customer data such as configuration files related to the operation of the application can be viewed or edited is highly restricted, operating to the PoLP.

How to contact us

If you have any questions about this security statement, please do not hesitate to contact us below:

Email us at:

Call us: +44 (0)20 8050 1284

Or write to us at: 67 Church Road, Hove BN3 2BD
