McCulloch Regulatory Compliance

Trust Center

Security you can put in front of your IT team

How we protect client information across our website, client portal, and engagements. Written for the IT directors, compliance officers, and procurement teams who need the detail.

Last reviewed: June 2026

Microsoft 365 / SharePoint integration security

  • Client documents are stored in Microsoft 365 / SharePoint and accessed through Microsoft's Graph API using scoped, application-level credentials.
  • Each client's files are isolated in a dedicated folder, and portal access is restricted to that client's account and our authorised personnel.
  • Downloads use short-lived signed links that expire within seconds of issue; underlying storage locations are never exposed.
  • Document share links resolve only for signed-in users with rights to that document; anyone else sees nothing, including whether the document exists.
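As an added illustration, not code from the firm's portal: a minimal Python sketch of how a signed download link that expires within seconds, bound to one client account and carrying only an opaque document id, can be issued and then resolved server-side, with every failure (bad signature, expiry, wrong client, missing or unowned document) answered identically so the link never reveals whether a document exists. The signing key, document ids and SharePoint paths are constructed placeholders.

```python
import base64, hashlib, hmac, time
from typing import Optional

# Constructed sample data (not the firm's real configuration): a signing key and a
# registry of documents keyed by opaque id. The storage path is resolved server-side
# only and never placed in a link.
SIGNING_KEY = b"example-only-rotate-me"
DOCUMENTS = {
    "doc-1001": {"client": "client-a", "path": "/sites/clients/client-a/return.pdf"},
    "doc-1002": {"client": "client-b", "path": "/sites/clients/client-b/accounts.pdf"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())

def issue_download_token(doc_id: str, client: str, now: Optional[float] = None,
                         ttl_seconds: int = 30, key: bytes = SIGNING_KEY) -> str:
    """Mint a token bound to one document, one client account and an expiry a few
    seconds out. It carries an opaque document id, never a storage location."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{doc_id}|{client}|{expires}".encode()
    return f"{_b64(payload)}.{_sign(payload, key)}"

def resolve_download(token: str, client: str, now: Optional[float] = None,
                     key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the storage path only if the token is authentic, unexpired, presented
    by the client it was issued to, and that client owns the document. Every
    failure returns None, so the caller learns nothing about whether it exists."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
        doc_id, issued_to, expires = payload.decode().split("|")
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):                    # malformed token
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload, key).encode()):
        return None                                             # tampered or wrong key
    if now > expires or issued_to != client:                    # stale, or replayed by another account
        return None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["client"] != client:                  # same answer for missing and forbidden
        return None
    return doc["path"]
```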

Encryption standards

  • All traffic to the website and client portal is encrypted in transit with TLS, with HTTP Strict Transport Security (HSTS) enforced.
  • Data is encrypted at rest by our infrastructure providers across Microsoft 365, our managed database platform, and our hosting provider.
  • Passwords are stored only as salted cryptographic hashes; they cannot be viewed by anyone, including us.
  • Baseline security headers (content-type protections, clickjacking protections, restrictive referrer and permissions policies) are applied to every response.

Authentication and access controls

  • Client accounts are created by invitation from our team, or reviewed and approved by an administrator before activation.
  • Role-based access separates the client area from the administrative area; administrative functions are restricted to authorised staff.
  • Every database query is constrained by row-level security, so a client account can only ever read records belonging to that client.
  • Invitation, sign-in, and password-reset links are single-use and time-limited.
  • The portal carries an authorised-use notice, and access may be logged.

Data retention practices

  • Personal data and engagement records are retained in accordance with applicable legal and regulatory requirements, as set out in our Privacy Policy.
  • Portal data is retained for the duration of the engagement and thereafter only as required by law.
  • Deleted documents are removed from both the portal and the underlying Microsoft 365 storage.
  • Newsletter data is retained only until you unsubscribe.

Privacy commitments

  • Our Privacy Policy is designed to meet the EU GDPR, the UK GDPR and Data Protection Act 2018, and the CCPA/CPRA.
  • We operate a named data protection contact, reachable at privacy@mccullochrc.com.
  • Analytics run only with your consent, managed through our cookie consent platform; nothing non-essential loads before you choose.
  • We honour Global Privacy Control (GPC) signals where applicable, and we do not sell personal data.

Business continuity measures

  • The website and portal run on managed, geo-distributed cloud infrastructure with no single physical point of failure.
  • Client documents benefit from Microsoft 365's redundant, geo-resilient storage.
  • Our infrastructure providers maintain independent certifications including SOC 2 and ISO 27001.
  • All application code and infrastructure configuration is version-controlled, supporting rapid rebuild and recovery.

For the full picture of how personal data is handled, see our Privacy Policy. This page describes our current practices and is reviewed as our infrastructure evolves; it does not form part of any contract.

Security questionnaire on your desk?

We are happy to walk your IT, compliance, or procurement team through any of the above.