Trust Center
Security, compliance, and data protection at PolicySuite. Everything you need to evaluate our platform for your organisation.
PolicySuite is operated by Sevenpoynt Ltd, a UK-registered company (Companies House 15722814). The trust center documents how we run the platform: ISO 27001-aligned security controls, ICO accountability framework alignment, sub-processor disclosures, and the operational practices our enterprise customers and procurement reviewers expect to verify before signing.
Compliance & Certifications
Quick answer. Compliance & Certifications — in our experience, enterprise procurement reviews fail when this section lacks primary-source citations. Many UK SMEs typically realise this only at their first vendor audit; for example, a missing legislation.gov.uk reference. PolicySuite documents each commitment with a verifiable source.
We implement industry-standard security controls and maintain alignment with major compliance frameworks.
SOC 2 Type II (status: Aligned)
Controls aligned with Trust Services Criteria for security, availability, and confidentiality.
GDPR (status: Compliant)
Full compliance with EU and UK General Data Protection Regulation requirements.
ISO 27001 (status: Aligned)
Information security management controls aligned with Annex A requirements.
OWASP Top 10 (status: Protected)
Complete protection against all top 10 web application security vulnerabilities.
Security Practices
Enterprise-grade security built into every layer of our platform.
Encryption
- AES-256-GCM encryption at rest
- TLS 1.3 encryption in transit
- 256-bit encryption keys
- Bcrypt password hashing (cost factor 14)
Infrastructure
- EU data center (Frankfurt)
- SOC 2 Type II certified hosting
- Automated daily backups
- DDoS protection enabled
Access Control
- Role-based access control (RBAC)
- Two-factor authentication (2FA)
- Session timeout and management
- Account lockout protection
Audit & Monitoring
- Comprehensive audit logging
- Tamper-evident audit log integrity (SHA-256 hash chain)
- Real-time security monitoring
- Anomaly detection alerts
Data Residency & Privacy
Your data stays in the EU with full GDPR compliance.
🇪🇺 EU Data Center
All customer data is stored and processed in Frankfurt, Germany. No data leaves the European Union.
📄 Data Processing Agreement
Standard DPA available for all customers. Enterprise customers can request customised terms.
🗑️ Data Deletion
GDPR-compliant data export and erasure on request. Full deletion within 30 days with verification.
🔒 Data Isolation
Multi-tenant architecture with strict organisation-level data isolation. Your data is never accessible to other customers.
Sub-processors
Third-party services that process customer data on our behalf.
| Service | Purpose | Location | Data Processed |
|---|---|---|---|
| Render | Cloud hosting infrastructure (web app + API + database) | Frankfurt, Germany (EU) | All application data |
| Cloudflare | CDN, DDoS protection, WAF, edge caching | Global edge / EU-routed | Traffic metadata, IP addresses (transit) |
| Stripe | Payment processing | EU (Ireland) | Payment information only |
| Mailgun (Sinch) | Transactional email delivery | US / EU | Email addresses, names, transactional message bodies |
| Sentry | Application error monitoring | EU (Frankfurt) | Error stack traces (no PII, scrubbed) |
| PostHog | Product analytics & session replay (consent-gated) | EU Cloud (Frankfurt) | Anonymised usage events; session recordings (when consent given) |
| Google Analytics 4 | Marketing-site analytics (consent-gated) | US / EU regions | Anonymised pageview events (no PII) |
| Microsoft Advertising (UET) | Marketing-site Bing conversion tracking (consent-gated) | US / EU | Anonymised conversion events |
| OpenAI | LLM provider for bespoke policy generation* | USA | Policy content + Q&A inputs (when AI features used) |
| Anthropic (Claude) | LLM provider for clause-level compliance scanning* | USA | Policy content (when AI features used) |
| Google AI (Gemini) | LLM provider for policy gap analysis & generation* | USA / EU regions | Policy content (when AI features used) |
*AI features are gated by your account configuration. LLM provider data is not used for model training. Last updated: 8 May 2026.
Security Testing
We maintain a rigorous security testing programme.
Our Security Programme Includes:
- Regular penetration testing by independent security firms
- Continuous vulnerability scanning and monitoring
- Dependency security monitoring with automated alerts
- Security-focused code review for all changes
- Incident response plan with defined escalation procedures
Security assessment reports are available under NDA for enterprise customers evaluating PolicySuite.
Security Documentation
Request security documentation for your compliance review.
Security Questionnaire
Pre-completed responses to common security questionnaires (SIG, CAIQ, custom).
Security Contact
For security inquiries, vulnerability reports, or compliance questions.
PGP key available on request. We respond within 48 hours.
How PolicySuite operates as a trusted vendor
Quick answer. PolicySuite is operated by Sevenpoynt Ltd, a UK-registered company (Companies House 15722814). The trust center documents our security posture, sub-processor list, data-handling commitments and incident-response procedures, mapped to ICO and ISO 27001 expectations. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.
References and primary sources
Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.
- ICO accountability framework — UK regulator practical guidance for personal-data handling.
- ISO/IEC 27001:2022 — the international information-security standard most policy frameworks map to.
- NCSC Cyber Essentials — UK government cyber baseline for security policies.
- legislation.gov.uk — official UK statute referenced inside policy text.
- NIST Cybersecurity Framework 2.0 — the GOVERN-extended framework cross-walked to ISO and SOC 2.
In our experience, the documents that survive enterprise vendor review and ICO audits cite primary sources clause-by-clause. Many UK SMEs typically discover policy gaps only when the buyer’s legal team challenges a generic phrase — for example, a missing legislation.gov.uk reference or an outdated ACAS Code citation. Bespoke generation closes the gap pre-emptively.