Guides

Privacy & security

Who can see your company's records? Cloud storage, encryption and UK GDPR, explained.

Your board minutes, loan agreements and receipts say a lot about you. What encryption at rest actually protects, why per-company keys matter, the honest limits of any cloud provider — and the questions to ask before you upload.

Dr Jinzhao HuFounder & Director, 9S Labs Limited7 July 20267 min readLast reviewed 7 July 2026

Your company’s paperwork is a biography. Board minutes record who decided what and when; loan agreements name the people who lent and borrowed; dividend vouchers and expense claims trace the money; and buried throughout are home addresses, dates of birth and the odd dispute nobody wants aired. It is, in other words, a pile of personal data about real people — and where you keep it matters. This guide explains what UK GDPR actually asks of you, what “encrypted” really means once you look past the padlock icon, and the honest limits of what any cloud tool can promise.

What does UK GDPR actually require?

Less than people fear, but not nothing. When your company holds records containing personal data — directors’, shareholders’, employees’ — the company is the data controller of that data. That triggers the security principle in Article 5(1)(f) of the UK GDPR, “integrity and confidentiality”, which asks you to protect personal data with appropriate technical and organisational measures. Appropriate is the operative word: the law does not hand you a checklist, it asks you to match the safeguards to the risk.

In practice, for a small company keeping records, that means storing them somewhere that controls access and encrypts what it stores — not somewhere anyone who finds a laptop can browse. The ICO’s guide to data security sets out what “appropriate” tends to look like, and the plain-English overview at GOV.UK on data protection is a sensible starting point. None of this should scare you off the cloud — a good cloud tool usually meets the standard far better than a folder on a shared drive.

“Encrypted in transit” is table stakes

Almost every tool will tell you your data is encrypted. Read closely and you will often find they mean in transit: TLS — the padlock in your browser bar — scrambles the data while it travels between your device and the server. That is essential, and it is genuinely table stakes. But it protects the journey, not the warehouse. Once your files arrive and are written to disk, TLS has done its job and stepped away.

Plenty of tools stop there. They will happily say “bank-grade encryption” while meaning nothing more than the connection was secure. If that is all a provider does, then everything you uploaded sits on their storage in a readable form — and the question becomes what happens to that storage if something goes wrong.

What encryption at rest actually protects

Encryption at rest is the other half. It means your files are sealed while they sit on disk, so the stored bytes are meaningless without the key. Picture the failure modes it defends against: a hard drive stolen or thrown out without being wiped; a storage bucket left misconfigured and readable to the internet; a breach that reaches the database but not the keys. In each case, an attacker who grabs the storage gets ciphertext — scrambled nonsense — rather than your board minutes, your loan agreements, or the dividend voucher with a shareholder’s address on it.

This is the difference between “we secured the connection” and “we secured the thing itself”. It does not make you invincible, but it turns several of the most common and most damaging breach scenarios — the lost disk, the leaked bucket — from a disaster into a non-event.

Why per-company keys beat one big key

Not all encryption at rest is equal. The weakest version uses a single key for everyone: seal everything with one master secret and, if that secret leaks, the whole warehouse opens at once. The stronger design is envelope encryption, and it is simpler than it sounds.

Each company gets its own random key. That key is what actually seals the company’s files. But the key itself is never stored in plain form — it is kept only in wrapped (encrypted) form, sealed under a master key that lives outside the database. So a breach of the database alone gives an attacker wrapped keys they cannot open. Two things fall out of this. First, the blast radius is bounded to a single company: compromising one company’s key does not touch anyone else’s. Second, deleting the key becomes a clean way to delete the data — crypto-erasure. Destroy a company’s key and its sealed files are permanently unreadable, even in old backups you can no longer reach to overwrite. That is a far more reliable erasure than hoping every copy gets deleted by hand.

What encryption cannot do

Here is the part most marketing pages skip, and it is the most important paragraph on this page. A service that prepares documents for you — drafts a board minute, assembles a record pack, reads a receipt to fill in a form — must be able to read your data while it works. That is not a flaw; it is what the tool is for. But it means such a service is not end-to-end encrypted. End-to-end encryption is where only you hold the keys and the provider genuinely cannot see the content — and a tool cannot both generate your paperwork and be blind to it.

So treat any provider that generates your documents while also claiming “we can never see your data” with scepticism. The two claims cannot both be true. Encryption at rest protects your files from a stolen disk or a leaked bucket; it does not, and cannot, make you invisible to the very service you asked to write your minutes. Honesty about that line is a better sign of a trustworthy provider than any padlock badge. What actually keeps your data safe day to day is a combination: encryption for the storage, plus access controls, monitoring, and holding as little data as necessary in the first place.

Where each safeguard helps — and where it does not

It is worth seeing plainly which threats each layer addresses. Encryption in transit and encryption at rest cover different attacks, and neither covers everything:

ThreatDoes TLS (in transit) help?Does encryption at rest help?
Someone intercepts your connection on public Wi-FiYes — this is exactly what it stopsNo — the data is not at rest yet
A disk is stolen or decommissioned without wipingNoYes — the drive holds ciphertext
A storage bucket is left publicly readableNoYes — the exposed files are sealed
The database alone is breached (not the keys)NoYes — with per-company wrapped keys, files stay sealed
The live application is fully compromisedNoNo — that is what access controls, monitoring and minimal data are for

Questions to ask any provider

Before you trust a tool with six years of records, ask it five plain questions. Good answers are specific; evasive ones are a signal in themselves.

  • Is my data encrypted at rest, or only in transit? “Bank-grade” is not an answer — ask which one.
  • Is there one key for everyone, or a separate key per customer? Per-customer keys bound the damage if something leaks.
  • What happens to my files when I delete my account? Are they truly gone, including from backups?
  • Who is the data controller, and are they registered with the ICO? A named, registered entity is accountable in law.
  • Where is my data processed, and under what transfer safeguards if it leaves the UK?

How LtdRecord answers those questions

Because these are the questions we think you should ask, here are our own answers — plainly, and including the limits.

  • All traffic runs over TLS. Structured data lives in a managed Postgres database; signed PDFs and uploaded evidence live in private object storage that is never publicly addressable, with every request ownership-checked on the server.
  • Every stored file is sealed at rest with AES-256-GCM. Each company has its own random 256-bit data key, and that key is stored only wrapped (encrypted) by a master key kept outside the database.
  • Deleting a company or your account destroys its data key — crypto-erasure. The sealed objects become permanently unreadable.
  • Sign-in is passwordless: short-lived, rate-limited one-time codes sent by email. There are no passwords to steal.
  • Card details never touch our servers — payments are handled by Stripe.
  • Roles are split the way UK GDPR expects: for account, billing and service-operation data, 9S Labs Limited is the controller, registered with the ICO (registration ZC188999). For the personal data inside your company’s records, your company remains the controller — LtdRecord processes it to provide the service.
  • AI drafting uses an AI provider that processes in the United States under the UK International Data Transfer Agreement — disclosed on our privacy page.

And here is the honest part, in writing. LtdRecord is not end-to-end encrypted, and we never claim we cannot see your files — because we prepare your documents, we can. What we do instead is seal your data against the storage-level breaches described above, bound the blast radius to a single company, and hold as little as we need. We spell all of this out, including what we do not claim, on our security page and privacy page. And once your records are in, keeping them for the required stretch is its own discipline — see our guide to how long to keep limited company records.

Hold every tool to the same standard, ours included: encrypt in transit and at rest, use per-customer keys, delete data properly, name an accountable controller, and be honest about the one thing encryption cannot do. A provider that answers all five questions straight — and does not oversell the sixth — is one you can put six years of your company’s biography behind.

Quick answers

Is it safe to keep company records in the cloud?

+

Yes, provided the tool encrypts data both in transit and at rest and controls who can reach it. Encryption in transit (TLS) protects the connection; encryption at rest protects the stored files if a disk is stolen or a storage bucket is misconfigured. Look for per-customer keys, clear deletion behaviour and a named, ICO-registered data controller. A reputable cloud tool is usually safer than a laptop folder or a shoebox, both of which can be lost or read by anyone who picks them up.

What is encryption at rest?

+

Encryption at rest means your files are scrambled while they sit on disk, so the raw storage is unreadable without the key. If someone walked off with a decommissioned drive, copied a leaked storage bucket, or breached the database on its own, they would get ciphertext rather than your board minutes or loan agreements. It is distinct from encryption in transit, which only protects data while it moves across the network.

What is the difference between encryption at rest and end-to-end encryption?

+

Encryption at rest protects stored files from anyone who reaches the storage, but the service itself can still decrypt them to do its job. End-to-end encryption means only you hold the keys and the provider genuinely cannot read the content. A tool that drafts documents or generates paperwork for you cannot be end-to-end encrypted, because it must read your data to work — so any provider offering both document generation and a promise that it “can never see your files” is contradicting itself.

What happens to my files when I delete my account?

+

That depends on the provider, so ask before you sign up. The strongest answer is crypto-erasure: deleting your account destroys the encryption key for your data, which makes the sealed files permanently unreadable — even in backups — without anyone having to overwrite every copy. In LtdRecord, deleting a company or your account destroys that company’s data key, so its stored objects can no longer be decrypted.

This guide is general information for UK limited companies, not legal, tax, accounting or company secretarial advice. Rules change and edge cases abound — check the linked official guidance and speak to your accountant or adviser about your own situation.

Read next

Paperwork like this, from one sentence.

Describe what happened in plain English — LtdRecord prepares the record pack, keeps the evidence and watches the deadlines. Your first pack is free, no card needed.