Ghostables Ltd is a UK security company. We publish the technical standard for protecting personal data at rest, build the cryptographic infrastructure that meets it, and accredit the sites and services that earn the Protected by Ghostables trust mark.
Every week another household name reports a breach. Every breach exposes the same kind of data — names, emails, addresses, member records, payment details — because the standard practice across the industry is to store that data in plain, readable form. We thought the world should treat this as a solved engineering problem, not a recurring news cycle.
Direct breach costs to UK businesses last year. Doesn't include reputational damage, customer churn, or the cost of regulatory investigations.
The vast majority of UK breach reports to the ICO involve personal data being read in the clear from a database, backup, or storage bucket.
Once personal data is breached, the controller has 72 hours to notify the ICO. Encryption that holds up under breach is a meaningful Article 32 measure.
Ghostables is not a single product. It is an infrastructure standard with reference implementations across the languages, frameworks, and database engines our customers actually use. It has three layers, each independently auditable.
The first layer encrypts customer, member, and user data before it reaches the database. A stolen backup contains only ciphertext — no email addresses, no names, no addresses, no payment details. The keys are held outside the database, so a database exfiltration cannot decrypt anything.
Every write to a protected record is linked to the previous write. If someone altered or removed historic records, the chain would break and the tampering would be visible to auditors and to the registry. Enterprise customers anchor that chain to a public ledger so the integrity proof is verifiable independently of the customer's own systems.
The active-security layer scans, blocks, and reports against the standard continuously. Sites that meet the bar carry the public Protected by Ghostables mark and a live verification page. Anyone — customer, partner, regulator — can confirm at any time that a registration is current, not just that it passed an annual audit two years ago.
Ghostables Ltd is a registered UK company. We are a small, focused team of cryptographic engineers, security researchers, and infrastructure operators. We build the products, run the certification programme, and operate the registry that powers the trust mark.
We work the way a regulator would expect us to. The technical standard is published. The audit criteria are written down. The verification surface is open to anyone — every certified site is independently checkable from ghostables.io/verify, without our cooperation, in real time.
We don't pay third parties to validate us. We are accredited and certified as a company that accredits other companies. Our internal codebase is reviewed against the same standard we publish externally, by the same team that performs partner audits. We eat our own dog food, every release.
Our long-term mission is to make Protected by Ghostables the same instinctive trust signal that HTTPS, ISO 27001, and the BSI Kitemark carry today — but with the integrity verified continuously, not annually. We are building the company that becomes the answer when a regulator asks "show me your data-at-rest controls."
That is the entire job. Every product we build, every audit we run, every line of the standard we publish is in service of that one outcome. If you operate a site that holds personal data, we want to help you reach the bar — and prove it.