Trust
Procurement FAQ
16 questions for legal, security, and procurement teams
Overview
This FAQ is designed to help your legal, security, and procurement teams evaluate Endorsr efficiently. For anything not covered here, contact [email protected].
Q1: What is Endorsr?
Endorsr is a Name, Image, and Likeness (NIL) marketplace connecting athletes with brands for commercial partnerships. We provide storefronts, deal matching, payment processing, and compliance tools.
Q2: Who operates Endorsr?
BuiltByGo Ltd, a private limited company registered in England and Wales (Company Number: pending). Our registered address is in the United Kingdom.
Q3: What data does Endorsr process?
We process profile data, deal and transaction metadata, usage analytics, and user-uploaded content. We do not process payment card data — that is handled entirely by Stripe.
Q4: Where is data hosted?
Primary database: Google Cloud Platform (us-west4). Application hosting: Railway (US). CDN: Cloudflare (global edge). Media: Cloudinary (AWS us-east-1).
Q5: Is data encrypted?
Yes. AES-256 at rest, TLS 1.3 in transit. Encryption keys managed by Supabase KMS.
Q6: Do you have a DPA?
Yes. We provide a UK GDPR Article 28-compliant Data Processing Agreement at /dpa. It includes 3 schedules covering security measures, sub-processors, and controller rights.
Q7: What security certifications do you hold?
UK GDPR compliant. ISO 27001 certification in progress (target Q3 2026). SOC 2 Type II planned (target Q4 2026). Cyber insurance: $2M coverage.
Q8: Do you have a business continuity plan?
Yes. Our infrastructure spans multiple providers and regions. Database backups are automated with point-in-time recovery. Deployment rollback is supported via Railway.
Q9: Can you delete our data on request?
Yes. Account deletion removes personal profile data within 30 days. Transaction records may be retained for up to 7 years as required by UK tax law.
Q10: What sub-processors do you use?
Nine active sub-processors are listed in our Sub-processors Register at /subprocessors. We provide 14 days' notice of any changes.
Q11: How do you handle data breaches?
We have a documented incident response plan. Controllers are notified within 48 hours of confirmed breaches. Our Vulnerability Disclosure Policy is at /vulnerability-disclosure.
Q12: Do you sell personal data?
No. We do not sell, rent, or trade personal data. We do not use data for advertising profiling.
Q13: What is your SLA?
We target 99.9% uptime for the platform. Specific SLAs are available on request for enterprise customers.
Q14: Can we undergo a security assessment?
Yes. Prospective customers can request a security assessment questionnaire. On-site audits may be arranged with 30 days' notice, subject to confidentiality.
Q15: What jurisdictions do you operate in?
Endorsr is available globally. We support multi-currency pricing and PPP-adjusted subscriptions for athletes in developing markets.
Q16: How do I get started?
Brands can sign up at endorsr.co/brand. Athletes can join at endorsr.co/for-athletes. Both are free to start.
Still Have Questions?
Contact our team: [email protected]