Security & trust

How we host, secure and handle your data.

This page is maintained by Sovereign Macro Lens (a trading name of Acacia Commerce Ltd) to answer the security, privacy and operational questions institutional buyers routinely ask before engaging an independent research provider. It describes current practice; it is not an independent certification.

Controls

What we have in place today

Hosting & network

The website and research portal are hosted on Cloudflare's global edge network. TLS 1.2+ is enforced on all public endpoints, HSTS is set, and origin traffic is served over HTTPS only.

Data storage

Application data (accounts, orders, subscription state) is stored in a managed Postgres database with encryption at rest and in transit. Research PDFs are stored in encrypted object storage with signed, expiring download URLs.

Access control

Administrative access requires SSO with a strong password and MFA. Access follows least privilege by role, is logged, and is reviewed quarterly. Production credentials are stored in an encrypted secret manager, never in code.

Software supply chain

Application source is version-controlled. Dependencies are automatically scanned for known vulnerabilities on every change. Production deploys go through code review before release.

Backups & continuity

The primary database is backed up daily with 30-day point-in-time recovery. Research archives are replicated across regions. Business continuity assumes the founder as key person and is documented in our BCP, available on request.

Monitoring

Application errors, authentication anomalies and unusual download patterns are monitored. Alerts are routed to the founder within business hours and on-call outside them.

Sub-processors

Third parties that process data

We use a small number of established sub-processors to run the business. This list is current at the date shown below and will be updated when it changes.

Sub-processor | Purpose | Region
Cloudflare, Inc. | Edge hosting, DNS, DDoS protection | Global
Supabase (managed Postgres, storage, auth) | Application database, file storage, authentication | EU (Frankfurt)
Stripe Payments Europe, Ltd. | Payment processing & invoicing (if enabled) | EU / global
Google Workspace | Business email & document collaboration | EU / global
Fathom / privacy-first analytics | Aggregate, cookieless site analytics | EU

List current as of 2026-01-01

Data processing agreement

DPA on request

Institutional clients that require a signed Data Processing Agreement, with UK International Data Transfer Agreement / EU Standard Contractual Clauses, can request our template. We can typically return a signed DPA within five business days.

Incident & vulnerability contact

Report a security concern

Suspected vulnerabilities, data-exposure concerns and incident notifications should be sent to the address below. We aim to acknowledge within one business day.

security@macrolens.com

Certifications

Where we stand today

We do not currently hold SOC 2 or ISO 27001 certification. As a small independent research provider, we rely on the certifications maintained by our sub-processors (Cloudflare, Supabase, Stripe, Google Workspace) and on the controls described above. We will update this section as our own certification programme progresses.