Data Security
1app.energy is designed for UK renewable homes, but it runs on managed cloud infrastructure. This page explains how credentials, hosting, payments and incident response are handled.
1. Encryption Standards
Credential encryption (AES-256)
Device credentials such as API keys and OAuth tokens are encrypted using industry-standard AES-256 encryption before storage. They are decrypted programmatically only when needed by our secure workers to perform an authorised read or control action, or to automatically refresh access tokens when they expire.
Browser, backend and provider traffic uses HTTPS/TLS where the service communicates over the internet. Provider APIs remain subject to each provider's own security model.
2. Infrastructure
Cloud providers
The production service uses Vercel for the public frontend, Railway for backend API, worker and Redis services, and Supabase for database and authentication.
Based on the latest production evidence we hold, the backend API, worker and Redis services run on Railway in an EU West region, and the Supabase database/auth project is in an EU Central region. The Vercel frontend may use global CDN and function infrastructure. For that reason, we do not describe 1app.energy as UK-only hosted.
3. What UK Designed Means
"UK Designed" means 1app.energy is built around UK homes, UK installers, UK tariffs and common UK solar, battery and EV setups. It does not mean every hosting provider, processor, analytics tool, backup, CDN node or connected vendor platform is physically located in the United Kingdom.
4. Access Controls
We use role-based access, service-side permission checks, production environment separation, secret redaction, rate limiting and audit logging. Engineers do not need routine access to raw device credentials to support the product.
5. Data Residency and Transfers
We prefer UK or European regions for core backend and database workloads where practical, but cloud services, analytics, payments, support tooling and connected-device providers may process data in other countries. Where data leaves the UK or EEA, we rely on appropriate transfer safeguards required by data-protection law, such as adequacy regulations, standard contractual clauses or provider data-processing terms.
6. Payment Security
Stripe processing
Paid checkout and customer-portal flows are handled by Stripe where billing is enabled. We do not store full card numbers in 1app.energy systems.
7. Audit Logs
We keep operational logs for support, abuse prevention, security investigations and device-control traceability. Customer-facing support views are designed to avoid exposing raw credentials or provider secrets.
8. Incident Response
We maintain an incident-response process for security and personal-data incidents. If a personal-data breach is likely to result in a risk to individuals' rights and freedoms, we will report it to the UK Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay.
9. Backups and Disaster Recovery
We maintain automated, encrypted backups of our core databases to ensure resilience and facilitate rapid disaster recovery. Backups are stored securely within our cloud providers' infrastructure and are regularly rotated.
10. Data Deletion and Scrubbing
Upon a valid account deletion request, your active credentials and personal data are permanently scrubbed from our active databases within 30 days. Residual data in immutable backups will naturally expire according to our standard backup rotation cycle.
11. Vulnerability Disclosure
We welcome responsible disclosure from security researchers. If you believe you have found a vulnerability, contact security@1app.energy. Do not access customer data, disrupt the service, run destructive tests, or attempt device-control actions on homes you do not own or administer.