# Compliance Standards

> How GoSmarter aligns with SOC 2, ISO 27001, GDPR, and other compliance frameworks - what applies and what we can demonstrate.

**URL:** https://www.gosmarter.ai/docs/content/compliance-standards/

---


## Compliance standards

GoSmarter runs on Microsoft Azure, which is certified against a broad set of compliance frameworks. This page maps the most commonly requested standards to our deployment.

### Standards relevance

| Standard | Relevant? | How GoSmarter aligns |
|----------|-----------|---------------------|
| **GDPR** | Yes | All persistent data in UK South. DPA available. Microsoft sub-processor DPA applies. No AI model training on customer data. See [Privacy](../privacy). |
| **UK GDPR / Data Protection Act 2018** | Yes | UK South data residency. EU processing (Sweden Central) within adequacy framework. See [Data Residency](../data-residency). |
| **SOC 2 Type II** | Azure platform certified | Azure holds SOC 2 Type II. GoSmarter has no current plans to attain an application-level SOC 2 attestation. |
| **ISO 27001** | Azure platform certified | Azure holds ISO 27001. Planning to attain GoSmarter application-level certification. |
| **ISO 27017** | Azure platform certified | Cloud-specific security controls — covered by Azure certification. |
| **ISO 27018** | Azure platform certified | PII protection in cloud — covered by Azure certification. |
| **Cyber Essentials Plus** | Azure platform certified | UK government security scheme — Azure is certified. Planning to attain GoSmarter application-level certification. |
| **PCI DSS** | Not applicable | GoSmarter does not process, store, or transmit payment card data. |
| **HIPAA** | Not applicable | GoSmarter does not process protected health information. |
| **CCPA** | Limited relevance | GoSmarter is B2B with minimal personal data. No California consumer data processing. |

### What "Azure platform certified" means

When we say Azure is certified, it means:

- Microsoft has undergone independent third-party audits for the services GoSmarter uses (Azure SQL, Blob Storage, Container Apps, Key Vault, Service Bus, AI services)
- Audit reports are available through the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
- These certifications cover the infrastructure, physical security, and platform-level controls

GoSmarter's application-level controls (authentication, tenant isolation, encryption configuration, AI data handling) are described throughout this trust centre and verified against our infrastructure code.

### GDPR alignment summary

| GDPR requirement | GoSmarter implementation |
|-----------------|------------------------|
| Lawful basis for processing | Contractual necessity — processing to deliver the service |
| Data minimisation | Limited personal data: user accounts, audit logs, and document contents |
| Storage limitation | Data retained for subscription duration; deletion on termination [VERIFY — process] |
| Data subject rights | Access, rectification, erasure supported [VERIFY — specific process] |
| Data protection by design | Encryption at rest and in transit, managed identity, tenant isolation |
| International transfers | UK/EU only — no transfers outside adequacy framework |
| Breach notification | For confirmed personal data breaches, customer notification target is within 72 hours of confirmation. UK GDPR/ICO escalation is assessed and, where required, actioned within applicable statutory timelines. |
| Data Processing Agreement | Available on request [VERIFY — process] |
| Sub-processor disclosure | Microsoft Azure is the primary sub-processor |

### Compliance matrix

For a detailed control-by-control mapping, see the [compliance matrix (CSV)](compliance-matrix.csv).

### Key points for your security team

- **GDPR / UK GDPR**: Fully aligned (UK South residency, DPA available, no international transfers outside the adequacy framework)
- **SOC 2 / ISO 27001**: Azure platform certified; GoSmarter has no current SOC 2 attestation plan and is planning application-level ISO 27001 certification
- **Incident response notification target**: 72 hours for confirmed personal data breaches, with UK GDPR/ICO escalation criteria applied
- **Availability target**: 99.99% monthly availability for the production service
- **PCI DSS / HIPAA**: Not applicable; GoSmarter does not handle payment card or health data
- **Evidence available**: Azure compliance reports via Service Trust Portal; GoSmarter-specific detail in this trust centre

### Request evidence

[Email us](mailto:talktous@gosmarter.ai), [contact us online](https://gosmarter.ai/contact), or [book a compliance call](https://calendly.com/gosmarter-demo).

