Primary processing happens in EEA datacenters (Frankfurt and Bucharest). Where any data crosses outside the EEA (e.g., support tickets handled by an analyst working remotely), the legal mechanism is the UK ICO's International Data Transfer Agreement (IDTA) or the EU SCC. The mechanism in use is documented in the DPA appendix.
We do not currently hold the Cyber Essentials or Cyber Essentials Plus certificate — we say that plainly. We do apply the five controls operationally: secure configuration, boundary firewalls, access control, malware protection, patch management. Documentation of each control is available for due diligence under NDA.
All application logs and infrastructure access logs ship to S3 with object-lock enabled — written today, immutable until retention expires. Standard retention is 7 years to match common UK public sector record-keeping requirements; configurable per workload up to 25 years for projects with longer regulatory horizons.
Sub-processor list (currently four entries: AWS for S3 backup target, Cloudflare for CDN, Hetzner for backup datacenter, Stripe for payments) is published and versioned. Any addition or replacement triggers a 30-day written notice with opportunity to object for material changes. Public sector procurement teams can request the current version with version hash for their assurance pack.
End-of-contract data return is part of the standard MSA. Full database exports (Postgres custom format, MySQL mysqldump, MongoDB BSON), file system tarballs, and configuration manifests delivered to your nominated S3 bucket or sent on encrypted physical media. No charge for the export — exit data is returned within 30 days of notice.
Invoicing in pounds with VAT shown on a separate line at the standard 20 % rate. Public sector buyers using the VAT recovery mechanism for outsourced services (Contracted-Out Services COS Direction) can use our invoices directly. PO references can be embedded into every invoice for your finance system.
No. We are not currently listed on G-Cloud. We are happy to be sub-processed by a G-Cloud lot supplier under their existing framework agreement, and we can provide everything they need for the assurance pack. If you need a G-Cloud-listed provider directly, we are not the right fit and we will say so on the call.
We do not currently hold the Cyber Essentials or Cyber Essentials Plus certificate. We follow the five controls operationally and can share documentation under NDA. If your procurement requires the actual certificate, we are not the right fit at this time.
Each OFFICIAL-SENSITIVE workload requires a separate risk assessment by the data controller (you). We can provide all the technical inputs you need for that assessment — controls list, encryption details, sub-processor list, access controls — but the assessment itself remains yours to perform. Most OFFICIAL workloads we have hosted pass risk assessment on the standard hosting pattern.
Primary processing in our Frankfurt datacenter (EQX FR5/FR6 facilities, ISO 27001 certified host). Backup datacenter is in Bucharest (NXDATA-1, also ISO 27001 certified host). Both within the EEA. No processing in the United States or in countries without an adequacy decision under UK GDPR.
P1 incident acknowledgement within 15 minutes, 24/7. Initial response from a senior engineer within 30 minutes. Status page updated every 30 minutes during an active incident. Post-incident report (with root cause, contributing factors, remediation actions) within 5 working days for P1, 10 working days for P2.
Send your standard supplier risk template plus your G-Cloud assurance requirements. We will return them completed, with our DPA appendix, sub-processor list, technical controls documentation and pricing in GBP attached.
