Data residency

Where is my data stored? Core persistent customer data is hosted in Azure UK regions. See Data Residency.

Can I choose a different region? GoSmarter follows a standard hosted model. Region options can be discussed as part of enterprise scoping.

Does any data leave the UK? Some supporting processing may use EU regions where required by platform capability. We do not transfer customer data outside UK/EU operating boundaries for service delivery.

Is my data subject to US law / the CLOUD Act? GoSmarter is delivered on Microsoft Azure under Microsoft’s contractual and compliance framework. Data residency and transfer controls are documented in Data Residency.

AI and document processing

Does GoSmarter use AI? Yes. AI is used for defined document-processing tasks. Non-AI algorithmic processing is also used where appropriate. See AI Security.

Is my data used to train AI models? No. Microsoft contractually commits that your data is not used to train, retrain, or improve their AI models. See Microsoft’s data privacy commitments.

What AI services does GoSmarter use? GoSmarter uses Microsoft Azure AI services appropriate to the workload. Service-level and regional details can be shared under NDA during a security review.

Does the optimisation solver use AI? No. The cutting optimisation service is a pure algorithmic solver using heuristic and genetic algorithm techniques. It makes no external AI or API calls.

Authentication and access

How do users sign in? Via GoSmarter’s Microsoft Entra External ID. Supported sign-in options include organisational and consumer identity methods.

Does GoSmarter support MFA? Yes. MFA is supported and can be enforced in line with our access control policy.

Can a user in Company A see Company B’s data? No. Every API request validates that the authenticated user’s Entra ID group claims include the target company. Requests for companies the user doesn’t belong to are rejected.

Encryption

Is data encrypted at rest? Yes. AES-256 encryption on all storage (Azure SQL with TDE, Blob Storage with SSE, Key Vault).

Is data encrypted in transit? Yes. TLS 1.2 minimum enforced on all services. HTTP connections are rejected.

Can I bring my own encryption keys? Not currently. All encryption uses platform-managed keys. Customer-managed keys (BYOK/CMK) are not available.

Infrastructure

Do you use shared or dedicated infrastructure? GoSmarter runs on managed Azure platform services with isolation controls between workloads.

Is there a public status page? Service status and incident communications are handled through customer support and account channels.

What is your uptime SLA? Availability commitments are provided contractually based on your service agreement.

Compliance

Do you have SOC 2 Type II? GoSmarter runs on Azure, which maintains SOC 2 Type II attestation for relevant platform services. Azure reports are available via the Microsoft Service Trust Portal.

Do you have ISO 27001? Azure maintains ISO 27001 certification for relevant platform services. See Certifications.

Do you conduct penetration testing? Security testing is performed as part of our security programme. High-level outcomes and evidence can be shared under NDA where appropriate.

Can I get a copy of your DPA? Yes. DPA information is available on request.

Can we get detailed architecture and control evidence? Yes. Detailed technical documentation and assurance artefacts are available under mutual NDA.

Still have questions?

Email us, contact us online, or book a compliance call to request the NDA pack.

GoSmarter runs on Microsoft Azure, which is certified against a broad set of compliance frameworks. This page maps the most commonly requested standards to our deployment.

Standards relevance

What “Azure platform certified” means

When we say Azure is certified, it means:

• Microsoft has undergone independent third-party audits for the services GoSmarter uses (Azure SQL, Blob Storage, Container Apps, Key Vault, Service Bus, AI services)
• Audit reports are available through the Microsoft Service Trust Portal
• These certifications cover the infrastructure, physical security, and platform-level controls

GoSmarter’s application-level controls (authentication, tenant isolation, encryption configuration, AI data handling) are described throughout this trust centre and verified against our infrastructure code.

GDPR alignment summary

Compliance matrix

For a detailed control-by-control mapping, see the compliance matrix (CSV).

Key points for your security team

• GDPR / UK GDPR: Fully aligned: UK South residency, DPA available, no international transfers outside adequacy
• SOC 2 / ISO 27001: Azure platform certified; GoSmarter has no current SOC 2 attestation plan and is planning application-level ISO 27001 certification
• Incident response notification target: 72 hours for confirmed personal data breaches, with UK GDPR/ICO escalation criteria applied
• Availability target: 99.99% monthly availability target for the production service
• PCI DSS / HIPAA: Not applicable: GoSmarter doesn’t handle payment or health data
• Evidence available: Azure compliance reports via Service Trust Portal; GoSmarter-specific detail in this trust centre

Request evidence

Email us, contact us online, or book a compliance call.

GoSmarter runs on Microsoft Azure, which holds a broad set of compliance certifications. This page explains which certifications apply to our deployment and how to request evidence.

This page provides a high-level summary. Detailed assurance evidence can be shared under mutual NDA where appropriate.

GoSmarter application-level certifications

We are progressing our application-level assurance roadmap to provide additional independent validation of our security controls and operating practices.

Azure platform certifications

Microsoft Azure maintains certifications and attestations that cover the core managed services GoSmarter depends on.

Full details: Microsoft Azure Compliance Offerings

How to request compliance evidence

We can provide the following for your security review:

1. Azure compliance reports: Available through the Microsoft Service Trust Portal (SOC reports, ISO certificates, pen test summaries)
2. GoSmarter security documentation: This trust centre and supporting high-level material
3. Data Processing Agreement information: Available on request
4. Compliance call: A conversation with our team to answer specific questions

Requesting reports under NDA

Some compliance evidence is shared under a mutual NDA. To request it:

1. Contact us at talktous@gosmarter.ai
2. Specify which reports or information you need
3. We’ll arrange NDA execution if required and provide the reports

Key points for your security team

• Azure platform certifications: SOC 2 Type II, ISO 27001/27017/27018, Cyber Essentials Plus, and more
• Service Trust Portal: Self-service access to Azure compliance reports
• Application-level assurance roadmap: Additional independent validation is in progress
• Evidence available under NDA: Information that is not publicly available can be shared under a mutual NDA

Request evidence

Email us, contact us online, or book a compliance call to request the NDA pack.

GoSmarter processes data on behalf of our customers. This page describes our data protection practices and how we support your GDPR obligations.

This page provides a high-level overview. Detailed privacy control documentation is available on request under NDA.

Our role under GDPR

• You (the customer) are the data controller: you decide what data is uploaded and processed
• GoSmarter acts as a data processor: we process data according to your instructions via the platform
• Microsoft Azure acts as a sub-processor: they host the infrastructure and provide AI services

What personal data does GoSmarter process?

GoSmarter is a B2B platform. The personal data we process is limited to what is required for account access, platform authorisation, and business-document workflows.

GoSmarter does not collect or process sensitive personal data (health, biometric, financial) as part of its core functionality.

Data Processing Agreement

We provide a Data Processing Agreement (DPA) that covers:

• The scope and purpose of data processing
• Technical and organisational security measures
• Sub-processor obligations (Microsoft Azure)
• Data subject rights support
• Breach notification commitments
• Data deletion on contract termination

Data Processing Agreement available on request via talktous@gosmarter.ai

Microsoft’s data processing commitments

As our infrastructure provider, Microsoft’s processing commitments apply:

• Microsoft Products and Services DPA
• Microsoft Trust Center
• AI services: Your data is not used to train Microsoft AI models (Azure AI data privacy)

Data subject rights

If your users or data subjects exercise their rights (access, rectification, erasure, portability), we support you by:

• Providing access to data stored in GoSmarter through the platform or on request
• Deleting user accounts and associated data when requested
• Supporting data export in standard formats

Data can be accessed and managed through the GoSmarter application or by contacting us directly.

Data retention

• Active data: Retained for the duration of your subscription
• Uploaded documents: Stored in Azure Blob Storage for the duration of your subscription
• Audit logs: Retained in line with our operational and compliance requirements
• On contract termination: Data handling and deletion are managed according to contractual terms

International transfers

Core persistent data is hosted in UK regions. Where supporting processing uses EU regions, it remains within UK/EU operating boundaries. See Data Residency for more detail.

Key points for your security team

• Data processor role: GoSmarter processes data under your instructions as controller
• Limited personal data: Primarily user accounts and names on business documents
• DPA available: Covers processing scope, security measures, breach notification, and deletion
• Microsoft sub-processor: Covered by Microsoft’s Products and Services DPA
• No AI model training: Contractual commitment from Microsoft
• UK/EU only: No international transfers outside UK GDPR adequacy framework

Detailed information under NDA

Additional privacy and data protection evidence can be shared under mutual NDA, including:

• Data flow and processing context documentation
• Retention and deletion process details
• Sub-processor and transfer assurance information
• Operational control evidence relevant to due diligence

Request evidence

Email us, contact us online, or book a compliance call to request the NDA pack.

GoSmarter maintains a documented incident response process designed for dual use:

• operational execution by our internal team
• evidence for customer and auditor due diligence

The process is aligned to common expectations from ISO 27001 incident management controls and UK Cyber Essentials principles.

Scope and objectives

This plan covers security incidents affecting:

• customer data confidentiality, integrity, or availability
• the GoSmarter API, frontend, AI processing services, database, storage, and message infrastructure
• authentication and authorisation controls (Entra ID, RBAC, managed identity)

Objectives:

• detect and contain incidents quickly
• reduce customer and business impact
• meet legal and contractual notification obligations
• learn from incidents and improve controls

What we monitor

The following monitoring is configured and verified in our infrastructure:

• SQL audit logging: Authentication attempts (successful and failed), permission changes, schema changes, and backup/restore operations are logged to Azure Log Analytics
• Application telemetry: Request performance, errors, and exceptions tracked via Azure Application Insights
• Threat detection: Microsoft Defender for SQL is enabled in production: detects SQL injection attempts, anomalous access patterns, and potential vulnerabilities
• Budget and capacity alerts: Budget and capacity alerts detect unusual resource consumption

These signals are triaged as potential incidents when they indicate unauthorised access, data exposure risk, service compromise, or sustained service degradation.

Detection capabilities

Roles and responsibilities

Incident response is coordinated through the following roles:

• Incident Owner (Primary): Chief Product Officer
• Technical Responders: engineering staff responsible for impacted components
• Communications Lead: coordinates customer and stakeholder messaging via email
• Approver for regulator contact: Incident Owner with leadership/legal input as required

If the primary owner is unavailable, the most senior available engineering leader assumes incident command and records handover decisions.

Severity classification

GoSmarter uses four severity levels:

Response time SLAs

GoSmarter tracks incident handling against the following internal SLAs.

Because GoSmarter currently operates without a formal 24/7 on-call rota, incidents raised outside business hours follow a lightweight emergency escalation path. Critical incidents still target acknowledgement within 60 minutes out of hours.

Incident response lifecycle

1. Identify: Validate alerts, open an incident record, assign an owner, and classify severity.
2. Contain: Restrict access, isolate affected components, rotate credentials/tokens, and block malicious traffic or workflows.
3. Eradicate: Remove root cause (code/configuration vulnerability, compromised credential, misconfiguration).
4. Recover: Restore normal operation with heightened monitoring and validation.
5. Review: Complete root cause analysis, corrective actions, and evidence package.

Notification and communication

• Customer communication channels: direct email notifications to affected customers
• Internal communication channels: internal incident coordination channel and internal email updates
• Status page: not currently used as a primary incident communication channel

For confirmed personal data breaches, GoSmarter targets customer notification within 72 hours of confirmation.

For confirmed personal data breaches that meet UK GDPR notification thresholds, GoSmarter targets regulator notification within 72 hours of becoming aware.

Regulatory escalation (UK GDPR / ICO)

GoSmarter assesses each confirmed personal data breach for regulatory notification requirements. Where UK GDPR thresholds are met, notification to the UK ICO is prepared without undue delay and, where applicable, within 72 hours of becoming aware.

The Incident Owner approves regulator escalation and coordinates final submission with leadership/legal review.

Evidence and retention

• Standard operational telemetry retention is 30 days in Log Analytics unless configured otherwise
• Incident-specific evidence (exported logs, timelines, decisions, customer communications, corrective actions) is retained for 24 months
• Evidence is stored in controlled-access repositories for audit support

Incident notification

GoSmarter operates a documented incident response process with defined severity levels, ownership, escalation, and communication expectations.

For confirmed personal data breaches, we target customer notification within 72 hours of confirmation. Where legal thresholds are met, we escalate for regulator notification in line with UK GDPR requirements.

Customer incident communications are sent via direct email.

Post-incident

For High and Critical incidents, GoSmarter performs a post-incident review that includes:

• timeline of events and response decisions
• root cause analysis
• impact assessment (customers, data, services)
• corrective and preventive actions with owners and target dates
• customer-facing summary where relevant

Post-incident actions are tracked to completion.

Testing and continual improvement

• Incident response tabletop exercise cadence: yearly minimum
• Lessons learned are incorporated into runbooks, monitoring, and preventive controls
• Material updates to the response process are reflected in this trust centre documentation

Alignment to common standards

This process is designed to align with common expectations from:

• ISO 27001 incident management control areas (policy, reporting, assessment, response, and learning)
• Cyber Essentials themes of secure configuration, access control, malware protection, and monitoring-based response

Key points for your security team

• SQL auditing enabled: Audit groups track authentication, permissions, schema changes, and data access
• Defender for SQL in production: Active threat detection for SQL injection and anomalous access
• Application-level monitoring: Full telemetry via Application Insights
• Incident evidence retention: 24 months for case evidence and investigation artifacts
• Incident notification target: 72 hours from confirmed personal data breach

Request evidence

If you need details on our incident response procedures for your security assessment, please contact us directly.

Email us, contact us online, or book a compliance call.

The GoSmarter web application is a single-page application (SPA) and we apply several layers of browser-level security to protect you whilst you use it.

Content Security Policy (CSP)

We enforce a Content Security Policy that restricts what the browser can load and execute:

The two allowlisted script sources are product experience tools:

• Supademo (script.supademo.com) for interactive in-app guides
• Frill (widget.frill.co) for product feedback and communication widgets

No advertising scripts are loaded from the frontend shell.

Token storage

Authentication tokens are stored in sessionStorage, not localStorage:

• Tokens are cleared when the browser tab is closed
• Tokens are not accessible across tabs (unlike localStorage)
• No authentication cookies are used
• PII logging is explicitly disabled in the authentication library

Source maps

Production builds do not include source maps. This prevents exposing application structure and logic through browser developer tools.

API route protection

The Static Web App configuration requires an authenticated role for all /api/* routes. Unauthenticated requests to API endpoints receive a 401 response and are redirected to the login page.

Supply chain security

• Dependency scanning: Dependabot monitors all frontend dependencies for known vulnerabilities
• Dependency review: Pull requests are automatically checked for high/critical CVEs and copyleft license violations
• No hardcoded secrets: No API keys, tokens, or credentials in the frontend source code

Key points for your security team

• CSP enforced: Strict Content Security Policy limiting script execution to self + 2 named vendors
• Named script allowlist: Supademo (script.supademo.com) and Frill (widget.frill.co) only
• sessionStorage tokens: Cleared on tab close, not persisted across sessions
• No PII logging: Disabled in the authentication library configuration
• No source maps in production: Application internals not exposed
• Authenticated API routes: Enforced at the Static Web App platform level
• Automated dependency scanning: Dependabot + dependency review on every PR
• CORS policy: API cross-origin access is restricted to configured origins
• HSTS: HSTS headers are set to enforce HTTPS connections to the frontend

Request evidence

Email us, contact us online, or book a compliance call.

GoSmarter uses Microsoft Entra External ID for all authentication. People sign in through GoSmarter’s own identity tenant. We don’t store passwords.

How people authenticate

• Sign in via Microsoft Entra External ID: GoSmarter’s customer identity platform
• Supported sign-in methods: organisational Entra ID account, personal Microsoft account, or email one-time passcode
• When people use their Entra ID, any Multi Factor Authentication (MFA) and password policies from their home tenant apply
• Session tokens are stored in the browser’s sessionStorage (cleared when the tab closes), not in localStorage or cookies

How we keep data from companies separate

Every API request is scoped to a specific company. The system enforces this at multiple levels:

1. URL-level scoping: All customer API routes include a company identifier in the URL path
2. User membership validation: The API validates that the authenticated user has been granted access to the target company
3. Data query enforcement: All database queries are automatically filtered by the company identifier, ensuring users can only access data belonging to their company
4. Request rejection: If a user attempts to access a company they don’t belong to, the API rejects the request with a 403 Forbidden response

This means a user in Company A cannot access Company B’s data, even if they have a valid authentication token.

Data is logically separated by company, and access is strictly controlled through Entra ID. This ensures strong tenant isolation on every API request.

How our systems talk to each other securely

Within our internal systems, every component has it’s own unique identity that it uses to connect to other components. Every componenent it given explicit permissions on wwhat it can do for each component it needs to touch. This means we apply a principle of least privilege and reduce the risk of API keys or passwords being breached and making parts of the system accessible.

For details on how managed identity is used in AI services specifically, see AI Security.

Administrative access

• Database: Administrative access uses Entra ID security groups and is restricted to authorised team members only. No database credentials are stored in code or configuration.
• CI/CD: Deployment pipelines use short-lived identity tokens. No long-lived deployment secrets are stored.

Key points for your security team

• No GoSmarter passwords: Authentication is handled by Microsoft Entra External ID. Users can sign in with an organisational Entra ID account, personal Microsoft account, or email one-time passcode.
• MFA support: Can be enforced by you
• Tenant isolation enforced on every request: Company GUID validated against user group claims on every API call
• Managed identity throughout: No static API keys or connection strings in application code
• RBAC least-privilege: Each service identity has only the permissions it needs
• Short-lived deployment tokens: No long-lived deployment secrets are stored

Request evidence

Email us, contact us online, or book a compliance call.

GoSmarter uses AI to classify and extract data from mill certificates. Here’s exactly what happens, where your data goes, and what protections are in place.

What AI does in GoSmarter

Mill certificates are used to train our models but never Microsoft’s

We operate a continuously learning system where the AI models are regularly retrained on new data to improve accuracy. When you provide suppliers we haven’t seen before or make edits to the extracted data, this feedback is used to enhance our models. The certificates are only used to help us identify a supplier and work out how to extract information from that supplier’s certificates. There is no way your certificates or the data associated with themcan be shown to other customers.

Microsoft’s AI data processing commitments

Microsoft’s AI services operate under their data, privacy, and security commitments for Azure AI:

• Your data is not used to train, retrain, or improve Microsoft AI models
• Your data is not available to other customers
• Processing is covered by Microsoft’s standard Data Processing Agreement

How we process a certificate

Every uploaded document is first scanned for malware by Microsoft Defender for Storage before any steps are taken to prevent malicious content from being processed.

The certificate is then processed with our custom computer vision model service, identifying the document type and supplier and returning a confidence score. GoSmarter deletes any temporary files generated during this process immediately after processing. No files leaves the UK during classification.

Once a supplier has been identified, the document is sent to a custom computer vision model designed specifically to process that supplier’s certificates. This model extracts structured data such as chemical composition, mechanical properties, and certificate numbers. This processing happens in Sweden Central (EU) because Azure Content Understanding is not yet available in UK South. However, the service is stateless and encrypted in transit, and no customer data is persisted in Sweden after processing. No files remain outside the UK after extraction.

Why Sweden? Azure Content Understanding is not yet available in UK South. Sweden Central is within the EU, covered by the UK GDPR adequacy framework. The service is stateless; no customer data is persisted in Sweden.

The extracted data is then stored in our database in UK South, and the original certificate file is kept in UK South.

Cutting optimisation: no AI involved

The cutting optimisation service is a pure algorithmic solver using heuristic and genetic algorithm techniques. It:

• Runs entirely within your deployment in UK South
• Makes no external AI or API calls
• Reads order and inventory data from the database
• Calculates optimal cutting patterns to minimise waste
• Writes results back to the database

How AI services authenticate

All AI services use managed identity as the primary authentication method. This means:

• No API keys stored in application code or configuration files
• Credentials are managed by the Azure platform
• Each service has its own identity with minimum required permissions
• Access is granted through Azure role-based access control (RBAC)

Isolation and scaling

Each AI processing job runs as an isolated processing service that:

• Starts when a document arrives, stops when processing is complete
• Scales to zero when not in use, so no resources are consumed and no data is stored when there are no documents to process
• Has no shared state between processing runs
• Cannot access other customers’ data (tenant isolation enforced at the API layer)

Key points for your security team

• Model training with your data: We use your data to continuously improve our models, but this data is never shared with Microsoft or other customers. It is only used to enhance our ability to classify and extract data from mill certificates.
• UK processing for classification: Document Intelligence runs in UK South
• EU processing for extraction: Content Understanding runs in Sweden Central (stateless, encrypted in transit)
• No AI in optimisation: Cutting solver is pure algorithm with no external calls
• Managed identity authentication: No static API keys in service configuration
• Ephemeral processing: Containers scale to zero; temporary files deleted after each document
• Malware gate: Every uploaded document is scanned by Defender for Storage before classification. Documents only proceed if the scan returns clean.

Request evidence

Need more detail about our AI data handling?

• Details of AI processing activities and data flows
• Microsoft’s AI data processing commitments
• Our Data Processing Agreement (DPA)

Email us, contact us online, or book a compliance call.

All customer data in GoSmarter is encrypted: both when stored and when moving between services. Encryption is enforced at the platform level and cannot be bypassed.

Encryption in transit

All network communication uses TLS 1.2 or higher. This is enforced on every service:

Traffic between Azure services within the same region travels over Microsoft’s backbone network, encrypted in transit.

AI processing traffic: When mill certificates are sent to AI services in Sweden Central, the data travels over TLS-encrypted connections between Azure datacentres.

Encryption at rest

All data at rest is encrypted with AES-256:

Key management

Encryption keys are managed by Microsoft (platform-managed keys). This means:

• Keys are automatically rotated by the Azure platform
• Keys are stored in Microsoft-managed hardware security modules
• No manual key management is required

We do not currently offer customer-managed keys (BYOK/CMK). All encryption uses platform-managed keys.

Key points for your security team

• TLS 1.2 minimum: Enforced on all services: database, storage, messaging, API, AI
• AES-256 at rest: All persistent storage encrypted with AES-256
• HTTPS only: HTTP connections rejected on storage and API ingress
• Platform-managed keys: Automatically rotated by Azure
• No BYOK/CMK: Customer-managed keys are not currently available

Request evidence

Email us, contact us online, or book a compliance call.

GoSmarter runs entirely on Microsoft Azure, using managed platform services in the UK and EU. We don’t operate our own datacentres or bare-metal servers.

Platform summary

GoSmarter is delivered on managed Azure services with:

• Container-based application hosting
• Managed SQL database and storage
• Managed message processing for workflows
• Centralised secrets management
• Platform monitoring and audit logging

Primary hosting for persistent services is in UK South, with selected supporting services in EU regions where required for capability and resilience.

See AI Security for a high-level summary of AI processing boundaries.

Key points for your security team

• Managed Azure platform: No self-managed datacentre infrastructure
• UK-first hosting model: Core persistent workloads hosted in UK South
• Isolated processing model: Application and processing workloads are separated
• Security controls in place: Encryption, access control, monitoring, and auditing are applied as standard

Detailed information under NDA

To reduce unnecessary public exposure, this page provides a high-level overview only.

Deeper technical and assurance material is available under NDA, including:

• Detailed architecture and network diagrams
• Environment and regional deployment specifics
• Security control implementation details
• Monitoring, logging, and incident response evidence
• Penetration testing and assurance artefacts (where shareable)

Request evidence

Email us, contact us online, or book a compliance call to request the NDA pack.

All customer data in GoSmarter is stored in the United Kingdom. A single processing step runs in the EU (Sweden). No customer data is stored or processed outside these regions.

Where your data lives

About the EU processing step

Our document extraction service runs in Sweden Central, an EU region. This is because Azure Content Understanding, the AI service we use for structured data extraction, is not yet available in UK South.

What this means for your data:

• Document pages are sent to Sweden Central for processing, then results are returned and stored in UK South
• No customer data is persisted in Sweden: the service is stateless
• The transfer is encrypted in transit (TLS 1.2+) between Azure datacentres
• Sweden is within the UK GDPR adequacy framework, meaning UK data protection law recognises EU member states as providing adequate protection

Can I choose a different region?

No. GoSmarter is a single-region deployment. All customers’ persistent data is stored in UK South. We do not offer region selection or data migration to alternative regions.

US jurisdiction and the CLOUD Act

All GoSmarter data at rest is stored in Microsoft Azure datacentres in the UK and EU. Microsoft publishes transparency reports on government data requests and has committed to challenging requests that conflict with local data protection laws.

For additional detail on how Microsoft handles cross-border data requests, see:

• Microsoft EU Data Boundary: Microsoft’s commitment to storing and processing EU/UK customer data within the EU Data Boundary
• Microsoft Law Enforcement Requests Report

Backup and redundancy

Database backups and blob storage use locally redundant storage (LRS) within UK South. Data is replicated across multiple storage units within the same datacentre region. We do not currently offer geo-redundant backup or cross-region replication.

Key points for your security team

• Persistent data: UK South only (database, files, secrets, messaging)
• Transient processing: Sweden Central (EU) for document extraction: stateless, encrypted in transit
• Static assets: West Europe (EU): application code only, no customer data
• No US storage or processing: All data at rest is in UK/EU Azure regions
• Single-region deployment: No customer-selectable regions
• Encryption in transit: TLS 1.2 minimum enforced on all services

Request evidence

Need more detail for your compliance review? We can provide:

• Confirmation of Azure region deployment
• Details of data processing activities under GDPR
• Our Data Processing Agreement (DPA)

Email us, contact us online, or book a compliance call.

GoSmarter is built on Microsoft Azure and designed around a simple principle: keep customer data protected through layered controls, clear accountability, and transparent assurance.

This trust centre provides a high-level summary of our security and privacy approach. Detailed technical and assurance material is available on request under NDA.

At a glance

• Data residency: Core persistent data is hosted in the UK, with selected processing in EU regions where required.
• Identity and access: Authentication and authorisation controls are enforced across the platform.
• Encryption: Data is protected in transit and at rest using standard Azure controls.
• AI data handling: Customer data is not used to train provider AI models.
• Security operations: Monitoring, logging, and incident response processes are in place.

Topics

• Data Residency: Where your data is stored and processed
• AI Security: How AI processes your documents and protects your data
• Hosting & Infrastructure: The Azure platform and services we run on
• Encryption: How data is encrypted at rest and in transit
• Access Control: Identity, authentication, and authorisation
• Frontend Security: Browser-level security controls
• Incident Response: How we handle security incidents
• Privacy & Data Protection: GDPR and data processing practices
• Certifications & Attestations: Standards and how to request evidence
• Compliance Standards: Key standards we align with and how they apply
• FAQ: Common security questions from buyers

Request evidence

We’re happy to support your security review process. We can provide:

• A security and compliance overview pack
• Data Processing Agreement (DPA) information
• Relevant Azure certification and assurance references
• Additional technical detail under mutual NDA
• A compliance call with our team

Email us, contact us online, or book a compliance call to request the NDA pack.