STEMHQ

Security & Compliance

Built with UK GDPR and data protection in mind

This page sets out, in detail, how STEM handles tenant data, solicitor access, and the legal obligations behind them. For a plain-English summary, see how each product area works.

Operational security

Encryption in transit

All traffic to STEM is served over HTTPS with TLS 1.2/1.3.

Field-level encryption at rest

Sensitive fields such as National Insurance numbers are encrypted at the database field level, not just at the disk level.

Role-based access

Account types (self-landlord, letting agent, landlord client) scope what each user can see and do.

Tenant data isolation

Every query is scoped to the operator or agency organisation that owns the record.

Revocable solicitor access

Solicitor invitations can be revoked at any time; the access token is invalidated immediately.

Append-only audit trail

Solicitor portal activity - invites, DPA acceptance, case views, downloads, revocations - is logged and cannot be edited or deleted.

Solicitor data sharing: the legal context

UK GDPR and the Data Processing Agreement

GDPR Art. 28

Sharing a tenant's personal data with an external solicitor makes them a Data Processor under UK GDPR. Article 28 requires processing to be governed by a written contract setting out the subject matter, duration, nature, and purpose of the processing. STEM requires acceptance of a Data Processing Agreement before access is granted.

Data minimisation

GDPR Art. 5(1)(c)

UK GDPR Art. 5(1)(c) requires personal data to be limited to what is necessary for the purpose. Access is limited to the specific case pack associated with the instruction: no other tenants, properties, or financial data.

Accountability and the audit trail

GDPR Art. 5(2)

The accountability principle requires you, as Data Controller, to demonstrate compliance if challenged. STEM's solicitor access log is append-only and captures every event with a timestamp and IP address. If your data practices are ever queried, you have a complete record of what was accessed and when.

SRA registration and secure case sharing

SRA

Solicitors practising in England and Wales must be registered with the Solicitors Regulation Authority. Entering the SRA number at invite time lets you verify their registration at sra.org.uk before granting access. For possession proceedings requiring legal representation, STEM allows secure sharing of case documentation with authorised solicitors.

None of the above is a substitute for your own legal advice. STEM gives you the tools to share data securely and demonstrate compliance; whether your particular processing is lawful still depends on how you use it.