Security

Security

Built with security and trust in mind

Built with security and trust in mind

Enterprise security, privacy and AI safeguards designed for sensitive estates and facilities data.

Enterprise security, privacy and AI safeguards designed for sensitive estates and facilities data.

ISO certification security evidence graphic
Cyber Essentials Plus security evidence graphic
DSP Toolkit standards exceeded evidence graphic
No model training security evidence graphic
Security evidence visual
Security evidence visual
Security evidence visual
Security evidence visual

AI methodology

AI methodology

No model training

Your data never trains or improves any AI model. Inference runs on Google Vertex AI in the EU; prompts and outputs are never stored or used for training. Contractually guaranteed under a processor agreement.

No patient data

CompliMind processes no patient-identifiable data at any stage. The platform is GDPR compliant and designed to process minimal information for access control and audit.

No selling or sharing

Trust and engagement data is never sold or shared. Subprocessors act only under data processing agreements, with no independent access.

Traceable

Every answer to a regulation question includes a traceable source, with the page number, exact cited paragraph, and a link back to the original document.

Secure by design

Secure by design

UK-based hosting on Microsoft Azure

All primary storage and processing takes place in the United Kingdom, using UK South and West for resilience. Limited transient processing for authentication and AI inference occurs in the EU or EEA.

Encrypted at rest

AES-256 encryption applied to all stored data.

Encryption in transit

All connections are secured via HTTPS / TLS 1.2+, for both public endpoints and inter-service communication.

Data segregation

Logical separation per Trust, so data stays private across every organisation and engagement.

Infrastructure & Operations

Infrastructure & Operations

Penetration testing

Regular independent penetration testing. The most recent assessment returned no critical and no high-severity findings.

Backups & recovery

Regular automated backups of the database and document storage, with tested restoration procedures and a 99.9% platform availability target.

Incident response

A documented and rehearsed incident response process: incidents are triaged, contained, investigated, and reported to the Trust without undue delay, followed by post-incident review.

Monitoring

Centralised logging and alerting, with regular review of privileged actions and high-risk events.

Data retention & deletion

Data is retained for the duration of the Trust’s contract. On instruction, accounts and personal data are securely deleted following NIST SP 800-88–aligned procedures, with export and written confirmation of deletion on contract end.

Documentation & Compliance

Documentation & Compliance

The following are available to support IG and IT security review. A Trust-specific DPIA is completed as part of procurement, with evidence available on request.

The following are available to support IG and IT security review. A Trust-specific DPIA is completed as part of procurement, with evidence available on request.

ISO certificates

ISO 27001 / ISO 42001 and ISO 9001 / ISO 14001 certificates: available on request.

Cyber Essentials Plus certificate

Available on request.

DSP Toolkit evidence

Standards Exceeded evidence available via the external DSP Toolkit reference.

External penetration test summary

Available on request.

DTAC, DPIA, subprocessor list, and DPAs

Available on request, including a full subprocessor list with DPAs and certifications.

Questions about security?

Questions about security?

Get in touch. We’re happy to complete vendor security questionnaires and provide compliance documentation, DPAs, and subprocessor lists on request.

Get in touch. We’re happy to complete vendor security questionnaires and provide compliance documentation, DPAs, and subprocessor lists on request.