Compliance Standards
GoSmarter runs on Microsoft Azure, which is certified against a broad set of compliance frameworks. This page maps the most commonly requested standards to our deployment.
Standards relevance
| Standard | Relevant? | How GoSmarter aligns |
|---|---|---|
| GDPR | Yes | All persistent data in UK South. DPA available. Microsoft sub-processor DPA applies. No AI model training on customer data. See Privacy. |
| UK GDPR / Data Protection Act 2018 | Yes | UK South data residency. EU processing (Sweden Central) within adequacy framework. See Data Residency. |
| SOC 2 Type II | Azure platform certified | Azure holds SOC 2 Type II. No current plans to attain this. |
| ISO 27001 | Azure platform certified | Azure holds ISO 27001. Planning to attain GoSmarter application-level certification. |
| ISO 27017 | Azure platform certified | Cloud-specific security controls — covered by Azure certification. |
| ISO 27018 | Azure platform certified | PII protection in cloud — covered by Azure certification. |
| Cyber Essentials Plus | Azure platform certified | UK government security scheme — Azure is certified. Planning to attain GoSmarter application-level certification. |
| PCI DSS | Not applicable | GoSmarter does not process, store, or transmit payment card data. |
| HIPAA | Not applicable | GoSmarter does not process protected health information. |
| CCPA | Limited relevance | GoSmarter is B2B with minimal personal data. No California consumer data processing. |
What “Azure platform certified” means
When we say Azure is certified, it means:
- Microsoft has undergone independent third-party audits for the services GoSmarter uses (Azure SQL, Blob Storage, Container Apps, Key Vault, Service Bus, AI services)
- Audit reports are available through the Microsoft Service Trust Portal
- These certifications cover the infrastructure, physical security, and platform-level controls
GoSmarter’s application-level controls (authentication, tenant isolation, encryption configuration, AI data handling) are described throughout this trust centre and verified against our infrastructure code.
GDPR alignment summary
| GDPR requirement | GoSmarter implementation |
|---|---|
| Lawful basis for processing | Contractual necessity — processing to deliver the service |
| Data minimisation | Limited personal data: user accounts, audit logs, and document contents |
| Storage limitation | Data retained for subscription duration; deletion on termination [VERIFY — process] |
| Data subject rights | Access, rectification, erasure supported [VERIFY — specific process] |
| Data protection by design | Encryption at rest and in transit, managed identity, tenant isolation |
| International transfers | UK/EU only — no transfers outside adequacy framework |
| Breach notification | For confirmed personal data breaches, customer notification target is within 72 hours of confirmation. UK GDPR/ICO escalation is assessed and, where required, actioned within applicable statutory timelines. |
| Data Processing Agreement | Available on request [VERIFY — process] |
| Sub-processor disclosure | Microsoft Azure is the primary sub-processor |
Compliance matrix
For a detailed control-by-control mapping, see the compliance matrix (CSV).
Key points for your security team
- GDPR / UK GDPR: Fully aligned (UK South residency, DPA available, no international transfers outside adequacy)
- SOC 2 / ISO 27001: Azure platform certified; GoSmarter has no current SOC 2 attestation plan and is planning application-level ISO 27001 certification
- Incident response notification target: 72 hours for confirmed personal data breaches, with UK GDPR/ICO escalation criteria applied
- Availability target: 99.99% monthly availability target for the production service
- PCI DSS / HIPAA: Not applicable (GoSmarter doesn’t handle payment or health data)
- Evidence available: Azure compliance reports via Service Trust Portal; GoSmarter-specific detail in this trust centre