DECID:R

Trust Centre

Procurement, in one sitting.

Everything your security, privacy and procurement reviewers need to clear DECID:R — our posture, sub-processors, the artefacts available under NDA, and a single contact path. We tell you what's in place, what's in progress, and what's on the roadmap. No marketing fluff.

At-a-glance facts

  • Hosting region: UK / EU
  • Customer data residency: UK / EU
  • Encryption in transit: TLS 1.2+
  • Encryption at rest: AES-256 (managed)
  • Default report retention: 12 months
  • Backup retention: 7 days
  • Sev-1 ack target: 1 hour
  • Sub-processor notice: 30 days
  • Standards alignment: UK GDPR · DPA 2018 · WCAG 2.2 AA

Where we stand on each control

Honest, status-tagged. Anything labelled In progress or Roadmap isn't hidden — you can ask about timelines via the request form below.


Data protection & privacy

How exercise data, account data and personal data are handled.

  • UK GDPR & DPA 2018 aligned

    In place

    Lawful basis is documented per processing activity. Data subject rights requests are handled via the privacy@ inbox within 30 days.

  • Data minimisation by default

    In place

    We collect work email, name and organisation. Exercise content is the team's own decisions — no end-customer PII is required to run a session.

  • Demo accounts are write-isolated at the database

    In place

    Demo seats are blocked at the database layer from writing exercise results, so trial data never reaches production analytics.

  • Data residency: UK / EU

    In place

    Application and database hosted in EU regions. Backups stay in-region.

  • Standard DPA template

    In progress

    Pre-signed Data Processing Agreement available on request below; a self-serve PDF is being added to this page.

  • Customer-managed retention windows

    Roadmap

    Per-tenant override of the default 12-month retention for session reports.

Security & access

Authentication, authorisation and platform hardening.

  • Encryption in transit & at rest

    In place

    TLS 1.2+ for every request. Database storage encrypted at rest by the managed platform.

  • Row-level access control

    In place

    Database-enforced row-level security on every customer-facing table. Roles separated: admin, partner, customer, demo, participant.

  • Single sign-on (Google)

    In place

    Google OAuth available alongside email + password. Sessions are short-lived JWTs with rotating refresh tokens.

  • Least-privilege service roles

    In place

    Browser-side application code holds only the public anon key, so every query it issues is subject to the row-level security policies above; privileged operations run inside scoped server functions, never in the browser.

  • Cyber Essentials certified (Culture Gem Ltd)

    In place

    DECID:R is delivered by Culture Gem Ltd, which holds a current UK Cyber Essentials certificate. Verify on the IASME registry: https://registry.blockmarktech.com/certificates/e1c92501-ee16-43e7-a0c7-ddeca6bdb43c/ Cyber Essentials certificates are valid for 12 months, so check the expiry date on the registry entry as part of your review.

  • SAML / OIDC SSO for enterprise

    In progress

    Available on request for annual customers; self-serve configuration coming.

  • SOC 2 Type II

    Roadmap

    Internal control mapping in progress; external audit planned.
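The database-level claims in this section ("Demo accounts are write-isolated at the database", "Row-level access control" and the anon-key point under "Least-privilege service roles") are easiest to evaluate against a concrete policy set. What follows is an added illustration written for this page, not DECID:R's own schema, migrations or policies. It assumes plain PostgreSQL, hypothetical table and role names (`session_results`, `org_members`, `api_user`), and that the API layer publishes the caller's verified JWT payload in the `request.jwt.claims` session setting (the PostgREST convention) with a `sub` claim and an `app_role` claim carrying one of the five role names listed above.

```sql
-- Added example for this page, not DECID:R's own schema.
-- Assumptions (hypothetical): the table and role names below, and that the
-- API layer sets `request.jwt.claims` to the caller's verified JWT payload,
-- with `sub` = user id and `app_role` in admin|partner|customer|demo|participant.

create role api_user nologin;  -- the database role the public anon key maps to

create table session_results (
  id         bigserial primary key,
  org_id     uuid        not null,
  created_by uuid        not null,
  decision   text        not null,
  created_at timestamptz not null default now()
);

create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

-- Read one claim from the JWT attached to this request (NULL if none).
create function jwt_claim(claim text) returns text
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::json ->> claim
$$;

-- Does the caller belong to the org a row points at?
create function caller_in_org(org uuid) returns boolean
language sql stable as $$
  select exists (
    select 1 from org_members
    where org_id = org and user_id = jwt_claim('sub')::uuid
  )
$$;

-- 1. Enable AND force RLS, so the table owner is not silently exempt.
alter table session_results enable row level security;
alter table session_results force row level security;

-- 2. With RLS on and no matching policy the default is deny; the permissive
--    policies below OR together, so each one is kept as narrow as possible.

-- Every non-admin role, demo included, may read its own org's rows.
create policy results_read on session_results
  for select
  using (
    jwt_claim('app_role') in ('partner', 'customer', 'demo', 'participant')
    and caller_in_org(org_id)
  );

-- Only roles that run real exercises may write, and only as themselves.
-- 'demo' is deliberately absent: a demo seat's INSERT fails the WITH CHECK,
-- which is the "blocked at the database from writing results" control.
create policy results_write on session_results
  for insert
  with check (
    jwt_claim('app_role') in ('customer', 'participant')
    and created_by = jwt_claim('sub')::uuid
    and caller_in_org(org_id)
  );

-- Admin bypass kept as one clearly named policy so a reviewer can find it.
create policy results_admin on session_results
  for all
  using (jwt_claim('app_role') = 'admin')
  with check (jwt_claim('app_role') = 'admin');

-- 3. RLS filters rows; table privileges still gate the verbs. The anon-key
--    role gets no UPDATE or DELETE, so results are append-only from the app.
grant select, insert on session_results to api_user;
grant usage, select on sequence session_results_id_seq to api_user;
grant select on org_members to api_user;

-- 4. Smoke test as a demo seat. Expected outcome:
--    ERROR: new row violates row-level security policy for table "session_results"
begin;
set local role api_user;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","app_role":"demo"}', true);
insert into session_results (org_id, created_by, decision)
values ('00000000-0000-0000-0000-0000000000aa',
        '00000000-0000-0000-0000-000000000001', 'escalate');
rollback;
```

Two things a reviewer would check against a real deployment: that `force row level security` is set (otherwise the owning role bypasses every policy), and that the role behind the anon key holds only the table privileges the policies are meant to constrain, since a stray `grant all` on a table is not caught by RLS.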

Resilience & operations

What happens when things go wrong, and how quickly we recover.

  • Daily backups

    In place

    Automated daily database backups retained for 7 days; point-in-time recovery available within that window.

  • Incident response runbook

    In place

    Defined severity levels, on-call rota and customer-comms template. Sev-1 acknowledgement target: 1 hour.

  • Status visibility

    In place

    Live status surface for the customer-facing app; major incidents communicated by email to account owners.

  • Published RTO / RPO targets

    In progress

    Targets being formalised in the standard security overview document.

  • Public status page

    Roadmap

    External status.decidr.live page for uptime history and live incidents.

Sub-processors & supply chain

The third parties involved in delivering the service.

  • Managed Postgres + storage

    In place

    EU region, encryption at rest. Used for customer accounts, session reports and exercise results.

  • Edge runtime & CDN

    In place

    Application served via global edge for latency, with EU-pinned data plane.

  • Transactional email

    In place

    Used for account verification, magic links and report-ready notifications. No marketing.

  • Payments

    In place

    Card processing handled by a PCI-DSS Level 1 provider; we never see or store card data.

  • Sub-processor change notice

    In progress

    30-day notice before adding or removing a sub-processor; subscribe via the request form below.

AI & content safety

How generative AI is (and isn't) used in the platform.

  • No customer data trains models

    In place

    Customer exercise data is never used to train or fine-tune any third-party model.

  • AI is augmentation, not authority

    In place

    Scenario branches, scoring rules and the decision framework are human-authored. AI is used for summarisation and language polish only.

  • Prompt-injection guardrails

    In place

    User-supplied free text reaches the model only as untrusted user content, scoped to the task at hand; it is never placed in the system prompt or treated as an instruction. Server functions validate every input before any model call is made.

  • Customer opt-out for AI features

    Roadmap

    Per-tenant toggle to disable AI-assisted summarisation in debriefs.

Accessibility & inclusion

We treat accessibility as a security control: an exclusionary product is a broken control.

  • WCAG 2.2 AA target

    In place

    Components designed against WCAG 2.2 AA; accessibility widget on every page (contrast, motion, dyslexic-friendly font, larger hit areas).

  • Keyboard-first navigation

    In place

    All flows are keyboard-operable; skip-to-content link on every page; focus trapping in dialogs.

  • Independent VPAT

    In progress

    External audit and Voluntary Product Accessibility Template scheduled.

Public policies

These are publicly accessible — no NDA required.

NDA-gated artefacts

Request the procurement pack

Pen-test summaries, SOC readiness status, the pre-signed DPA, and any specific questionnaire help — all under a mutual NDA. We typically respond within one working day.

Submissions go to our security inbox. We don't add you to any marketing lists.

Direct contacts