MoleculeoMoleculeo
SolutionMatchmakersContact
LoginSign Up

Security

Introduction and scope

This page describes how Moleculeo protects the confidentiality, integrity, and availability of our systems and the data we process. It is intended for users, customers, and partners who want a clear picture of our security practices.

This security overview works in tandem with our Privacy and Cookies Policy. The privacy policy explains what personal data we collect, how we use it, your rights, and how we handle data in line with UK law. This page focuses on the technical and organizational measures we use to keep that data and our services secure for the primary reference.

We may update this page from time to time to reflect changes in our practices or in the threat landscape. We encourage you to review it periodically. The practices described here apply to our website and the services we offer through it.

Our security commitment

Security is integral to how we design, build, and operate Moleculeo. We are committed to:

  • Protecting the data you entrust to us against unauthorized access, loss, alteration, or disclosure.
  • Maintaining the availability and reliability of our services so that you can use them when you need to.
  • Operating in compliance with applicable law, including UK data protection law, and cooperating with regulators where required.
  • Being transparent about our security approach at a level that helps you make informed decisions, without exposing details that could weaken our defences.
  • Responding promptly and responsibly to security incidents and to reports from users and security researchers.

We do not disclose specific technical implementation details, architecture diagrams, or internal procedures that could assist an attacker. The descriptions below are intended to give you confidence in our posture while preserving the security of our systems.

Secure development practices

We treat security as a core part of the software development lifecycle. Our approach includes the following principles:

  • Security by design: Security considerations are incorporated from the earliest stages of design and requirements, so that we identify and address risks before code is written.
  • Secure coding: We follow secure coding practices and guidelines to reduce common vulnerabilities such as injection, broken authentication, or sensitive data exposure.
  • Code review: Changes to our systems are reviewed before they are deployed, with attention to both functionality and security implications.
  • Testing: We use a combination of automated and manual testing to detect defects and security issues before release.
  • Dependency management: We track the components and libraries we use, assess them for known vulnerabilities regularly, and update or replace them when necessary.
  • Deployment controls: Deployments are controlled and auditable, so that only authorized changes reach production and we can trace what was changed and when.

Personnel involved in developing or operating our systems are expected to follow internal security policies and to complete relevant training.

Infrastructure and hosting security

Our services run on infrastructure that we configure and maintain with security in mind. Although we do not publish details of our hosting providers or exact architecture, we apply the following types of controls:

  • Physical and environmental security: Our infrastructure is hosted in environments with appropriate physical access controls, environmental protections, and resilience measures.
  • Hardening: Systems are configured according to security best practices, including removal or restriction of unnecessary services, strong configuration management, and timely application of security updates.
  • Segmentation: We use network and logical segmentation to limit the impact of a compromise and to separate sensitive data and functions from less critical components.
  • Availability: We aim to maintain high availability through redundancy, monitoring, and incident response procedures.

We do not disclose the geographic location of our primary or backup infrastructure beyond what is stated in our privacy policy regarding international transfers, so as not to assist targeted attacks.

Data protection and encryption

Protecting data at rest and in transit is a priority. Our approach aligns with our Privacy and Cookies Policy, which describes what data we collect and how we use it. From a security perspective, we apply the following:

  • Encryption in transit: Data exchanged between your device and our systems is encrypted using industry-standard protocols. This helps prevent eavesdropping and tampering while data is on the network.
  • Encryption at rest: Where appropriate, we use encryption to protect stored data, so that even if storage media or backups were accessed without authorization, the data would not be readable without the appropriate keys.
  • Data minimization: We collect and retain only the data necessary for the purposes described in our Privacy and Cookies Policy, which reduces the scope of data that could be exposed in a breach.
  • Access to data: Access to personal and sensitive data is restricted to individuals who need it for their role, and access is logged and reviewed.

We do not describe the specific encryption algorithms, key lengths, or key management procedures we use, as that could assist an attacker in planning an attack.

Access control and authentication

Controlling who can access our systems and your data is fundamental to our security posture. We apply the following principles:

  • User authentication: Access to your account is protected by authentication mechanisms designed to ensure that only you (or someone with valid credentials) can access your data. We encourage you to use a strong, unique password and to keep your credentials confidential.
  • Privileged access: Access to our internal systems and administrative functions is restricted to authorized personnel and is subject to additional controls, including stronger authentication (e.g. 2FA) where appropriate.
  • Principle of least privilege: Users and processes are granted only the access rights necessary to perform their role. Access is reviewed periodically and revoked when no longer needed.
  • Separation of duties: Where appropriate, we separate functions so that no single person can complete sensitive operations alone, reducing the risk of fraud or error.

We do not disclose the exact authentication methods, password policies, or internal access control systems we use, to avoid giving attackers a roadmap for credential theft or privilege escalation.

Network security

We protect our networks and the traffic that flows to and from our services. Our approach includes:

  • Encrypted connections: We use strong encryption for connections between clients and our services, so that data cannot be read or modified in transit by third parties.
  • Perimeter and internal controls: We use network-level controls to restrict which traffic can reach our systems and to limit lateral movement in the event of a compromise.
  • DDoS mitigation: We take steps to mitigate distributed denial-of-service and other availability attacks, so that our services remain accessible under attack.

We do not publish details of our network topology, firewall rules, or specific mitigation providers, as that could aid attackers in planning an attack.

Monitoring, logging, and detection

We monitor our systems and logs to detect and respond to security events. Our approach includes:

  • Logging: We maintain logs of security-relevant events, including access to systems and data, configuration changes, and indicators of malicious or anomalous activity.
  • Monitoring: We monitor our infrastructure and applications for signs of compromise, misuse, or failure, so that we can respond quickly.
  • Retention: For our approach to retention of personal data, see our Privacy and Cookies Policy. Log retention for security purposes is aligned with our legal and operational obligations.
  • Integrity: We take steps to protect logs from tampering and unauthorized access, so that they remain reliable for investigation and potential legal or regulatory use.

We do not disclose the specific tools we use for monitoring or the exact criteria we use to alert on security events, as that could help an attacker evade detection.

Incident response

We have procedures in place to respond to security incidents in a structured way. Our approach includes:

  • Detection and analysis: We aim to detect incidents quickly through monitoring, user reports, and other channels, and to assess the scope and impact of any incident.
  • Containment and eradication: We take steps to contain the incident (e.g. isolating affected systems) and to remove the cause (e.g. revoking compromised credentials or patching vulnerabilities) so that the incident does not escalate or recur.
  • Recovery: We work to restore normal operations and to verify that systems are secure before considering the incident closed.
  • Post-incident review: After significant incidents, we review what happened and what we can do to reduce the likelihood or impact of similar events in the future.

For our commitments regarding breach notification (including notification to the ICO and to affected individuals), see our Privacy and Cookies Policy. We do not disclose our internal incident response playbooks or escalation procedures, as that could assist an attacker in timing or shaping an attack.

Third-party and supply chain security

We work with third-party providers for hosting, analytics, payment processing, and other functions. As described in our Privacy and Cookies Policy, when we share personal data with third parties, we ensure that it is done in compliance with the law and with appropriate safeguards. From a security perspective, we:

  • Evaluate the security posture of providers that handle our data or our systems, to the extent we can do so through contracts, questionnaires, or publicly available information.
  • Use contracts to require that third parties protect data appropriately, use it only for the purposes we specify, and notify us of security incidents that affect our data.
  • Limit the data and access we give to third parties to what is necessary for the service they provide.
  • Monitor and review our third-party relationships so that we can respond if a provider's security posture changes or if an incident occurs.

We do not publish a list of our subprocessors or vendors, as that could expose our supply chain to targeted attacks. If you have a specific need to know about subprocessors (for example, under a data processing agreement), please contact us.

Personnel and organizational security

People are a critical part of our security. We take the following approach:

  • Training: Personnel with access to our systems or data receive training on security policies, secure behaviour, and how to recognize and report security issues.
  • Confidentiality and accountability: Our team members are bound by confidentiality obligations and are expected to handle data and systems in line with our policies.
  • Access management: Access to systems and data is granted based on role and need, and is removed when someone leaves or changes role.
  • Culture: We encourage a culture where security concerns can be raised without fear of blame, so that we can address issues early.

We do not disclose our internal hiring, background check, or disciplinary procedures, as that is private to our organization.

Compliance and legal obligations

We operate in accordance with applicable law, including UK data protection law. As set out in our Privacy and Cookies Policy, we process personal data in line with the UK GDPR and the Data Protection Act 2018 where applicable, and we cooperate with the ICO where required.

Where we are subject to other legal or regulatory requirements (for example, in specific sectors or jurisdictions), we aim to comply with them. If you have questions about compliance in a particular context, please contact us.

Security updates and vulnerability management

We keep our systems updated to address known vulnerabilities. Our approach includes tracking security advisories for the components we use, assessing the relevance and severity of vulnerabilities to our environment, and applying patches or mitigations in a timely manner. We prioritize critical and high-severity issues that could lead to unauthorized access or data loss. We do not publish our exact patching timelines or internal vulnerability scoring, as that could help attackers prioritize which vulnerabilities to exploit.

If you become aware of a security vulnerability in our services, we ask that you report it to us responsibly (see “Responsible disclosure and security contact” below) rather than exploiting it or disclosing it publicly before we have had a chance to address it.

Responsible disclosure and security contact

We welcome reports of security vulnerabilities or concerns from users and security researchers. If you believe you have found a security issue affecting our website or services, please report it to us at hello@moleculeo.com. You may use the subject line “Security report” or “Vulnerability report” to help us route your message quickly.

We ask that you:

  • Provide a clear description of the issue and, if possible, steps to reproduce it, so that we can verify and fix it.
  • Avoid exploiting the vulnerability beyond what is necessary to demonstrate it (e.g. do not access, modify, or delete data that is not your own).
  • Give us a reasonable time to address the issue before disclosing it publicly or to third parties.

We will acknowledge your report and will work to assess and address valid issues. We may contact you for clarification. We do not operate a formal bug bounty programme or promise rewards, but we appreciate responsible disclosure and will respond in good faith. We may recognize researchers who help us improve our security, subject to their consent and our internal policies.

For general data protection enquiries, rights requests, or complaints about how we process your data, please also use hello@moleculeo.com, as set out in our Privacy and Cookies Policy.

Updates to this page

We may update this security overview from time to time to reflect changes in our practices, our services, or the regulatory or threat environment. The date of the last substantive update is not published here to avoid implying that the page is static between changes; we encourage you to check back periodically. Continued use of our website and services after changes constitutes acceptance of the updated content to the extent permitted by law. For material changes that affect how we process your personal data, our Privacy and Cookies Policy and any consent mechanisms will apply as described there.

Contact

Moleculeo Ltd operates this website. Our registered address is Bentinck House, Bentinck Road, West Drayton, Middlesex UB7 7RQ. For security-related enquiries, data protection matters, or general contact, you can reach us at hello@moleculeo.com.