Trust Center

Security, compliance, and data protection at PolicySuite. Everything you need to evaluate our platform for your organisation.

PolicySuite is operated by Sevenpoynt Ltd, a UK-registered company (Companies House 15722814). The trust center documents how we run the platform: ISO 27001-aligned security controls, ICO accountability framework alignment, sub-processor disclosures, and the operational practices our enterprise customers and procurement reviewers expect to verify before signing.

All Systems Operational

Compliance & Certifications

Quick answer. PolicySuite aligns its controls with the SOC 2 Trust Services Criteria, ISO/IEC 27001:2022 and UK/EU GDPR requirements. The cards below state the current status of each alignment plainly — aligned, certified or in progress — so procurement reviewers can verify rather than assume.

We implement industry-standard security controls and maintain alignment with major compliance frameworks.

🛡️

SOC 2 Type II

Controls aligned with Trust Services Criteria for security, availability, and confidentiality.

Aligned
🇪🇺

GDPR

Full compliance with EU and UK General Data Protection Regulation requirements.

Compliant
📋

ISO 27001

Information security management controls aligned with Annex A requirements.

Aligned
🔐

OWASP Top 10

Complete protection against all top 10 web application security vulnerabilities.

Protected

Security Practices

Quick answer. Customer data is protected with AES-256-GCM encryption at rest, TLS 1.3 in transit and bcrypt password hashing, hosted in an EU data centre in Frankfurt with automated daily backups. The detail below covers encryption, infrastructure, access control and monitoring layer by layer.

Enterprise-grade security built into every layer of our platform.

🔐

Encryption

  • AES-256-GCM encryption at rest
  • TLS 1.3 encryption in transit
  • 256-bit encryption keys
  • Bcrypt password hashing (14 rounds)
🏰

Infrastructure

  • EU data center (Frankfurt)
  • SOC 2 Type II certified hosting
  • Automated daily backups
  • DDoS protection enabled
🔑

Access Control

  • Role-based access control (RBAC)
  • Two-factor authentication (2FA)
  • Session timeout and management
  • Account lockout protection
📋

Audit & Monitoring

  • Comprehensive audit logging
  • SHA-256 hash chain integrity
  • Real-time security monitoring
  • Anomaly detection alerts

Data Residency & Privacy

Quick answer. All customer data is stored and processed in Frankfurt, Germany, and does not leave the European Union. A standard data processing agreement is available to every customer, and enterprise customers can request customised terms through the documentation section below.

Your data stays in the EU with full GDPR compliance.

🇪🇺 EU Data Center

All customer data is stored and processed in Frankfurt, Germany. No data leaves the European Union.

📄 Data Processing Agreement

Standard DPA available for all customers. Enterprise customers can request customised terms.

Request DPA →

🗑️ Data Deletion

GDPR-compliant data export and erasure on request. Full deletion within 30 days with verification.

🔒 Data Isolation

Multi-tenant architecture with strict organisation-level data isolation. Your data is never accessible to other customers.

Sub-processors

Quick answer. The table lists every third-party service that processes customer data on our behalf — what it does, where it runs and which data it touches. The list is updated whenever a sub-processor is added or changed, so reviewers can rely on it during vendor assessment.

Third-party services that process customer data on our behalf.

Service Purpose Location Data Processed
Render Cloud hosting infrastructure (web app + API + database) Frankfurt, Germany (EU) All application data
Cloudflare CDN, DDoS protection, WAF, edge caching Global edge / EU-routed Traffic metadata, IP addresses (transit)
Stripe Payment processing EU (Ireland) Payment information only
Mailgun (Sinch) Transactional email delivery US / EU Email addresses, names, transactional message bodies
Sentry Application error monitoring EU (Frankfurt) Error stack traces (no PII, scrubbed)
PostHog Product analytics & session replay (consent-gated) EU Cloud (Frankfurt) Anonymised usage events; session recordings (when consent given)
Google Analytics 4 Marketing-site analytics (consent-gated) US / EU regions Anonymised pageview events (no PII)
Microsoft Advertising (UET) Marketing-site Bing conversion tracking (consent-gated) US / EU Anonymised conversion events
OpenAI LLM provider for bespoke policy generation* USA Policy content + Q&A inputs (when AI features used)
Anthropic (Claude) LLM provider for clause-level compliance scanning* USA Policy content (when AI features used)
Google AI (Gemini) LLM provider for policy gap analysis & generation* USA / EU regions Policy content (when AI features used)

*AI features are gated by your account configuration. LLM provider data is not used for model training. Last updated: 8 May 2026.

Security Testing

Quick answer. The testing programme combines independent penetration testing, continuous vulnerability scanning, automated dependency monitoring and security-focused code review for every change. Findings are triaged through a documented incident-response process rather than handled ad hoc.

We maintain a rigorous security testing programme.

Our Security Programme Includes:

  • Regular penetration testing by independent security firms
  • Continuous vulnerability scanning and monitoring
  • Dependency security monitoring with automated alerts
  • Security-focused code review for all changes
  • Incident response plan with defined escalation procedures

Security assessment reports are available under NDA for enterprise customers evaluating PolicySuite.

Security Documentation

Quick answer. Procurement and compliance reviewers can request the standard document set here: pre-completed security questionnaires (SIG, CAIQ or custom), the data processing agreement, and penetration test report summaries. Requests go directly to the security team.

Request security documentation for your compliance review.

📋

Security Questionnaire

Pre-completed responses to common security questionnaires (SIG, CAIQ, custom).

Request
📄

Data Processing Agreement

Standard DPA for GDPR compliance. Available for all customers.

Request
🔒

Penetration Test Report

Summary of latest penetration test results. Available under NDA.

Request

Security Contact

Quick answer. Security enquiries, vulnerability reports and compliance questions go to security@policy-suite.com — a monitored address, with a PGP key available on request for sensitive disclosures. We respond within 48 hours, faster for active vulnerability reports.

For security inquiries, vulnerability reports, or compliance questions.

security@policy-suite.com

PGP key available on request. We respond within 48 hours.

How PolicySuite operates as a trusted vendor

Quick answer. PolicySuite is operated by Sevenpoynt Ltd, a UK-registered company (Companies House 15722814). The trust center documents our security posture, sub-processor list, data-handling commitments and incident-response procedures, mapped to ICO and ISO 27001 expectations. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.

References and primary sources

Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.

The documents that survive enterprise vendor review and regulator scrutiny cite their primary sources clause by clause. Many UK SMEs first discover a policy gap when a buyer’s legal team challenges a generic phrase — for example, a citation to guidance that has since been revised. Checking each policy against the sources above closes that gap before someone else finds it.