
Trust Centre

Procurement, in one sitting.

Everything your security, privacy and procurement reviewers need to clear DECID:R: our posture, our sub-processors, the artefacts available under NDA, and a single contact path. We tell you what's in place, what's in progress, and what's on the roadmap. No marketing fluff.

At-a-glance facts

Hosting region
UK / EU (Frankfurt + Dublin)
Customer data residency
UK / EU only
Encryption in transit
TLS 1.2+ (HSTS preload eligible)
Encryption at rest
AES-256 (managed)
Default report retention
12 months (configurable)
Backup retention
7 days, PITR within window
Sev-1 ack target
1 hour (24/7)
Sub-processor notice
30 days
Standards alignment
UK GDPR · DPA 2018 · ISO 27001 control mapping · WCAG 2.2 AA

Where we stand on each control

Honest, status-tagged. Anything labelled In progress or Roadmap isn't hidden; you can ask about timelines via the request form below.


Data protection & privacy

How exercise data, account data and personal data are handled.

  • UK GDPR & DPA 2018 aligned

    In place

    Lawful basis documented per processing activity (Record of Processing Activities maintained internally and shared on request). Data subject rights handled via privacy@ inbox within 30 calendar days.

  • Data minimisation by default

    In place

    We collect work email, name and organisation. Exercise content is the team's own decisions — no end-customer PII is required to run a session.

  • Demo accounts are isolated from production results

    In place

    Demo seats are blocked at the database from writing exercise results, so trial data never mixes with production analytics.

  • Data residency: UK / EU

    In place

    Application and database hosted in EU regions. Backups stay in-region. No transfers to third countries without SCCs in place.

  • Self-serve Data Sharing Agreement

    In place

    Customer admins and partners electronically sign our standard DSA on first login. The countersigned PDF is generated automatically and downloadable from Settings → Signed agreements.

  • Self-serve Master Subscription Agreement

    In place

    The MSA (Terms & Conditions) is signed in the same flow as the DSA. New versions trigger an automatic re-sign before continued access.

  • Right-to-erasure on demand

    In place

    Customer admins can purge an account and its session results from Settings → Account → Delete. Email privacy@ for organisation-wide erasure.

  • Customer-managed retention windows

    Roadmap

    Per-tenant override of the default 12-month retention for session reports.

Security & access

Authentication, authorisation and platform hardening.

  • Encryption in transit & at rest

    In place

    TLS 1.2+ for every request, HSTS enabled. Database storage encrypted at rest with AES-256 by the managed platform; keys managed by the cloud provider's KMS.

  • Row-level access control

    In place

    Database-enforced row-level security on every customer-facing table. Roles separated: admin, partner, customer, demo, participant.

  • Single sign-on (Google)

    In place

    Google OAuth available alongside email + password. Sessions are short-lived JWTs with rotating refresh tokens (1-hour access, 30-day refresh).

  • Multi-factor authentication (TOTP)

    In place

    Required for all email/password accounts. Users enrol an authenticator app (Google Authenticator, 1Password, Authy, etc.) and are challenged on every sign-in. Lost-device recovery is admin-assisted.

  • Least-privilege service roles

    In place

    Browser-side application code holds only the public anon key, whose reach is bounded by the row-level security policies above; privileged operations run inside scoped server functions, never in the browser.

  • Secrets management

    In place

    All third-party API keys stored in the platform secret vault; never committed. Rotation runbook documented; on personnel change, all access tokens are revoked the same business day.

  • Dependency scanning

    In place

    Automated SCA on every deploy (npm audit + supply-chain advisories). High/critical advisories block deploy until remediated or formally accepted.

  • Static analysis & DB linter

    In place

    TypeScript strict build + Postgres database linter enforced on every change. Findings reviewed before merge.

  • Server-side authorisation on privileged calls

    In place

    Billing, admin and trust-pack server functions verify the caller's role (admin or account owner) before any read or write. The browser anon key cannot reach privileged endpoints.

  • Shared-secret authentication on scheduled jobs

    In place

    Cron-triggered endpoints (admin digests, trust artefact refresh, weekly enquiry summary) require a server-only shared secret. The public anon key is not accepted.

  • Tamper-evident signed agreements

    In place

    Once a customer signs the DSA or MSA, the attested fields (signer name, signature image, timestamp, IP) are locked at the database layer. Only the rendered PDF path can be updated, and only by the signer.
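    The locking described above, shown as an added Postgres example. This is not DECID:R's schema; the table and column names are hypothetical, and it assumes the server function has put the verified signer's id into the session setting app.user_id before issuing the update. The trigger rejects any change to the attested fields and allows pdf_path to change only when the caller is the signer.

```sql
-- Added example (not DECID:R's own schema): lock the attested fields of a
-- signed agreement at the database layer with a BEFORE UPDATE trigger.
-- Assumption: the server sets app.user_id to the verified caller's id.

create table signed_agreements (
  id            bigint generated always as identity primary key,
  agreement     text        not null check (agreement in ('DSA', 'MSA')),
  version       text        not null,
  signer_id     uuid        not null,
  signer_name   text        not null,
  signature_png bytea       not null,
  signed_at     timestamptz not null default now(),
  signer_ip     inet        not null,
  pdf_path      text                 -- set once the PDF has been rendered
);

create or replace function signed_agreements_lock()
returns trigger
language plpgsql
as $$
declare
  caller uuid := nullif(current_setting('app.user_id', true), '')::uuid;
begin
  -- Attested fields are immutable once written, whoever the caller is.
  if new.agreement     is distinct from old.agreement
  or new.version       is distinct from old.version
  or new.signer_id     is distinct from old.signer_id
  or new.signer_name   is distinct from old.signer_name
  or new.signature_png is distinct from old.signature_png
  or new.signed_at     is distinct from old.signed_at
  or new.signer_ip     is distinct from old.signer_ip then
    raise exception 'attested fields of agreement % are immutable', old.id
      using errcode = 'check_violation';
  end if;

  -- pdf_path is the only mutable column, and only the signer may set it.
  if new.pdf_path is distinct from old.pdf_path
     and (caller is null or caller <> old.signer_id) then
    raise exception 'only the signer may update pdf_path on agreement %', old.id
      using errcode = 'insufficient_privilege';
  end if;

  return new;
end;
$$;

create trigger signed_agreements_lock_trg
  before update on signed_agreements
  for each row execute function signed_agreements_lock();

-- Constructed data to exercise the trigger.
insert into signed_agreements
  (agreement, version, signer_id, signer_name, signature_png, signer_ip)
values
  ('DSA', '2024-01', '11111111-1111-1111-1111-111111111111',
   'A. Signer', '\x89504e47'::bytea, '203.0.113.7');

-- Acting as the signer: the rendered PDF path may be recorded.
select set_config('app.user_id', '11111111-1111-1111-1111-111111111111', false);
update signed_agreements set pdf_path = 'agreements/1.pdf' where id = 1;

-- Any attempt to rewrite an attested field raises check_violation.
update signed_agreements set signer_name = 'Someone Else' where id = 1;

-- Acting as a different user: changing pdf_path raises insufficient_privilege.
select set_config('app.user_id', '22222222-2222-2222-2222-222222222222', false);
update signed_agreements set pdf_path = 'agreements/forged.pdf' where id = 1;
```

    A trigger of this kind binds the client-side promise to the database, but it only holds if the application connects as a role that cannot drop or disable triggers; keep DDL rights away from the runtime role and out of reach of the anon key.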

  • Trust artefact access scoping

    In place

    Database row-level security limits the trust artefact index to entries explicitly marked public; NDA-only artefacts remain admin-visible until released through the request flow.
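    The row-level security described in this item, in "Row-level access control" and in "Demo accounts" above, as one added Postgres example. This is not DECID:R's schema: the tables, the session settings app.role and app.org_id (assumed to be set by the server from the verified session), and the sample rows are all hypothetical. The policies give customers and participants their own organisation's rows, deny demo seats any write to results, and restrict the artefact index to public entries unless the caller is an admin.

```sql
-- Added example (not DECID:R's own schema): tenant-scoped RLS on a results
-- table, a database-enforced write block for demo seats, and public-only
-- scoping of the trust artefact index.
-- Assumption: the server sets app.role (admin, partner, customer, demo,
-- participant) and app.org_id from the verified session before querying.

create table session_results (
  id       bigint generated always as identity primary key,
  org_id   uuid        not null,
  payload  jsonb       not null,
  created  timestamptz not null default now()
);

create table trust_artefacts (
  id         bigint generated always as identity primary key,
  title      text not null,
  visibility text not null check (visibility in ('public', 'nda'))
);

-- Caller identity as seen by the policies; an unset value means anonymous.
create or replace function app_role() returns text
language sql stable as $$
  select coalesce(nullif(current_setting('app.role', true), ''), 'anon');
$$;

create or replace function app_org() returns uuid
language sql stable as $$
  select nullif(current_setting('app.org_id', true), '')::uuid;
$$;

alter table session_results enable row level security;
alter table session_results force row level security;   -- applies to the owner too

-- Every non-admin role sees only its own organisation's results.
create policy results_read on session_results
  for select using (app_role() = 'admin' or org_id = app_org());

-- Only customer and participant seats write results, and only into their
-- own organisation; demo seats have no insert policy, so writes are refused.
create policy results_write on session_results
  for insert with check (
    app_role() in ('customer', 'participant') and org_id = app_org()
  );

-- Deletion is reserved for the admin role (erasure flow).
create policy results_delete on session_results
  for delete using (app_role() = 'admin');

alter table trust_artefacts enable row level security;
alter table trust_artefacts force row level security;

-- The index lists public artefacts to everyone; NDA-only entries stay admin-visible.
create policy artefacts_index on trust_artefacts
  for select using (visibility = 'public' or app_role() = 'admin');

-- Constructed data.
insert into trust_artefacts (title, visibility) values
  ('Security overview',       'nda'),
  ('Sub-processor list',      'nda'),
  ('Accessibility statement', 'public');

-- A demo seat: sees one artefact, cannot write a result.
select set_config('app.role',   'demo', false);
select set_config('app.org_id', '22222222-2222-2222-2222-222222222222', false);
select title from trust_artefacts;           -- only 'Accessibility statement'
insert into session_results (org_id, payload)
  values ('22222222-2222-2222-2222-222222222222', '{"score": 1}');
  -- fails: new row violates row-level security policy

-- A customer seat in the same organisation: the same insert succeeds.
select set_config('app.role', 'customer', false);
insert into session_results (org_id, payload)
  values ('22222222-2222-2222-2222-222222222222', '{"score": 1}');
```

    Two checks a reviewer should ask for alongside policies like these: that the runtime connection role is neither a superuser nor marked BYPASSRLS (both skip RLS entirely), and that the role's table grants are as narrow as the policies, since a policy only filters rows the role is already granted access to.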

  • Cyber Essentials (Decidr Ltd)

    Roadmap

    No Cyber Essentials certification is held today. We will pursue UK Cyber Essentials in Decidr Ltd's name where a customer contract requires it.

  • SAML / OIDC SSO for enterprise

    In progress

    Available on request for annual customers; self-serve configuration coming.

  • Independent penetration test

    Roadmap

    No external penetration test is currently commissioned. We will engage a CREST-accredited tester where a customer contract requires it. Continuous internal scanning is in place today (see vulnerability-management artefact).

  • SOC 2 Type II

    Roadmap

    Internal control mapping against the SOC 2 Trust Services Criteria is maintained today. A formal SOC 2 examination will be commissioned where a customer contract requires it.

Resilience & operations

What happens when things go wrong, and how quickly we recover.

  • Daily backups + PITR

    In place

    Automated daily database backups retained for 7 days; point-in-time recovery available within that window.

  • Incident response runbook

    In place

    Defined severity levels and customer-comms template. On-call coverage by the founder/CEO. Sev-1 acknowledgement target: 1 hour, 24/7.

  • Status visibility

    In place

    Major incidents communicated by email to account owners.

  • Restore drill

    In place

    We restore a representative backup into an isolated environment on every material change to the data layer and at least annually. Drill outcomes are recorded in the internal change log.

  • Published RTO / RPO targets

    In progress

    Targets being formalised in the standard security overview document. Current internal target: RTO 4h, RPO 24h.

  • Public status page

    Roadmap

    External status.decidr.live page for uptime history and live incidents.

Sub-processors & supply chain

The third parties involved in delivering the service. Named, not anonymised.

  • Sub-processor change notice

    In place

    30-day notice before adding or removing a sub-processor; subscribe via the request form. Current list maintained in the sub-processor artefact and reviewed on every release.

  • Vendor risk review

    In place

    Every new sub-processor is reviewed against a fixed checklist (security posture, data residency, breach history, DPA in place, certifications) before onboarding.

AI & content safety

How generative AI is (and isn't) used in the platform.

  • No customer data trains models

    In place

    Customer exercise data is never used to train or fine-tune any third-party model. Contractual no-train terms in place with the AI provider.

  • AI is augmentation, not authority

    In place

    Scoring rules and the decision framework are human-authored. AI is used for summarisation, language polish and (for Scenario Builder add-on customers) suggested decision branches that an author must accept, regenerate or discard before they are saved.

  • Scenario Builder is opt-in

    In place

    The Scenario Builder is an optional paid add-on, disabled by default on every tenant and enabled per customer by an administrator.

  • Prompt-injection guardrails

    In place

    User-supplied free text is scoped and never trusted as system instruction. Server functions validate all inputs before any model call.

  • Customer opt-out for AI features

    Roadmap

    Per-tenant toggle to disable AI-assisted summarisation in debriefs.

Accessibility & inclusion

We treat accessibility as a security control: an exclusionary product is a broken control.

  • WCAG 2.2 AA target

    In place

    Components designed against WCAG 2.2 AA; accessibility widget on every page (contrast, motion, dyslexic-friendly font, larger hit areas).

  • Keyboard-first navigation

    In place

    All flows are keyboard-operable; skip-to-content link on every page; focus trapping in dialogs.

  • Independent VPAT

    In progress

    External audit and Voluntary Product Accessibility Template scheduled.

Public policies

These are publicly accessible, no NDA required.

NDA-gated artefacts

Request the procurement pack

The security overview, the current sub-processor list, the pre-signed DSA / MSA, and any specific questionnaire help are all available under a mutual NDA. We typically respond within one working day.


Submissions go to our security inbox. We don't add you to any marketing lists.

Direct contacts