Security & Compliance
Built with UK GDPR and data protection in mind
This page sets out, in detail, how STEM handles tenant data, solicitor access, and the legal obligations behind them. For a plain-English summary, see how each product area works.
Operational security
Encryption in transit
All traffic to STEM is served over HTTPS with TLS 1.2/1.3.
Field-level encryption at rest
Sensitive fields such as National Insurance numbers are encrypted at the database field level, not just at the disk level.
Role-based access
Account types (self-landlord, letting agent, landlord client) scope what each user can see and do.
Tenant data isolation
Every query is scoped to the operator or agency organisation that owns the record.
Revocable solicitor access
Solicitor invitations can be revoked at any time; the access token is invalidated immediately.
Append-only audit trail
Solicitor portal activity - invites, DPA acceptance, case views, downloads, revocations - is logged and cannot be edited or deleted.
Solicitor data sharing: the legal context
UK GDPR and the Data Processing Agreement
GDPR Art. 28
Sharing a tenant's personal data with an external solicitor makes them a Data Processor under UK GDPR. Article 28 requires processing to be governed by a written contract setting out the subject matter, duration, nature, and purpose of the processing. STEM requires acceptance of a Data Processing Agreement before access is granted.
Data minimisation
GDPR Art. 5(1)(c)
UK GDPR Art. 5(1)(c) requires personal data to be limited to what is necessary for the purpose. Access is limited to the specific case pack associated with the instruction: no other tenants, properties, or financial data.
Accountability and the audit trail
GDPR Art. 5(2)
The accountability principle requires you, as Data Controller, to demonstrate compliance if challenged. STEM's solicitor access log is append-only and captures every event with a timestamp and IP address. If your data practices are ever queried, you have a complete record of what was accessed and when.
SRA registration and secure case sharing
SRA
Solicitors practising in England and Wales must be registered with the Solicitors Regulation Authority. Entering the SRA number at invite time lets you verify their registration at sra.org.uk before granting access. For possession proceedings requiring legal representation, STEM allows secure sharing of case documentation with authorised solicitors.
None of the above is a substitute for your own legal advice. STEM gives you the tools to share data securely and demonstrate compliance; whether your particular processing is lawful still depends on how you use it.