PolicySuite

Trust Center

Security, compliance, and data protection at PolicySuite. Everything you need to evaluate our platform for your organisation.

All Systems Operational

Compliance & Certifications

We implement industry-standard security controls and maintain alignment with major compliance frameworks.

🛡️ SOC 2 Type II

Controls aligned with Trust Services Criteria for security, availability, and confidentiality.

Aligned

🇪🇺 GDPR

Full compliance with EU and UK General Data Protection Regulation requirements.

Compliant

📋 ISO 27001

Information security management controls aligned with Annex A requirements.

Aligned

🔐 OWASP Top 10

Complete protection against all top 10 web application security vulnerabilities.

Protected

Security Practices

Enterprise-grade security built into every layer of our platform.

🔐 Encryption

  • AES-256-GCM encryption at rest
  • TLS 1.3 encryption in transit
  • 256-bit encryption keys
  • Bcrypt password hashing (14 rounds)

🏰 Infrastructure

  • EU data center (Frankfurt)
  • SOC 2 Type II certified hosting
  • Automated daily backups
  • DDoS protection enabled

🔑 Access Control

  • Role-based access control (RBAC)
  • Two-factor authentication (2FA)
  • Session timeout and management
  • Account lockout protection

📋 Audit & Monitoring

  • Comprehensive audit logging
  • SHA-256 hash chain integrity
  • Real-time security monitoring
  • Anomaly detection alerts

Data Residency & Privacy

Your data stays in the EU with full GDPR compliance.

🇪🇺 EU Data Center

All customer data is stored and processed in Frankfurt, Germany. No data leaves the European Union.

📄 Data Processing Agreement

Standard DPA available for all customers. Enterprise customers can request customised terms.


🗑️ Data Deletion

GDPR-compliant data export and erasure on request. Full deletion within 30 days with verification.

🔒 Data Isolation

Multi-tenant architecture with strict organisation-level data isolation. Your data is never accessible to other customers.

Sub-processors

Third-party services that process customer data on our behalf.

Service | Purpose | Location | Data Processed
Render | Cloud hosting infrastructure | Frankfurt, Germany | All application data
Stripe | Payment processing | EU (Ireland) | Payment information only
Resend | Transactional email delivery | EU | Email addresses, names
Sentry | Error monitoring | EU (Germany) | Error logs (no PII)
OpenAI | AI policy generation (optional) | USA* | Policy content only (when used)

*AI features are optional and disabled by default. Data is not used for training.

Last updated: January 2026

Security Testing

We maintain a rigorous security testing programme.

Our Security Programme Includes:

  • Regular penetration testing by independent security firms
  • Continuous vulnerability scanning and monitoring
  • Dependency security monitoring with automated alerts
  • Security-focused code review for all changes
  • Incident response plan with defined escalation procedures

Security assessment reports are available under NDA for enterprise customers evaluating PolicySuite.

Security Documentation

Request security documentation for your compliance review.

📋 Security Questionnaire

Pre-completed responses to common security questionnaires (SIG, CAIQ, custom).

📄 Data Processing Agreement

Standard DPA for GDPR compliance. Available for all customers.

🔒 Penetration Test Report

Summary of latest penetration test results. Available under NDA.


Security Contact

For security inquiries, vulnerability reports, or compliance questions.

security@policy-suite.com

PGP key available on request. We respond within 48 hours.