Security & Compliance overview

GoSmarter is built on Microsoft Azure and designed around a simple principle: keep customer data protected through layered controls, clear accountability, and transparent assurance.

This page is a self-contained overview for IT managers and security reviewers. Each section summarises the key controls and links to a dedicated page for full detail.

Detailed technical and assurance material (architecture diagrams, penetration test outcomes, control evidence) is available on request under NDA.

1. Data residency

All persistent customer data is stored in UK South. One stateless processing step (document extraction) runs in Sweden Central (EU). No customer data is retained there after processing. No data is stored or processed outside the UK/EU.

What | Region
Database, files, messaging, secrets | UK South
Document extraction (stateless) | Sweden Central (EU)
Frontend CDN (static files only) | West Europe (EU)

Sweden Central is within the UK GDPR adequacy framework. Backups are hosted within UK South. GoSmarter is a single-region deployment with no customer-selectable regions at this time.

→ Full details: Data Residency

2. Identity and access control

Authentication is handled entirely by Microsoft Entra External ID. GoSmarter does not store passwords.

  • Supported sign-in methods: organisational Entra ID account, personal Microsoft account, or email one-time passcode
  • MFA is supported and can be enforced by your organisation
  • Session tokens are stored in sessionStorage (cleared on tab close — not in localStorage or cookies)

Every API request is scoped to a company. The platform enforces tenant isolation at four layers: URL scoping, user membership validation, database query filtering, and request rejection (403) if the user doesn’t belong to the target company.
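
The four layers described above, sketched as an added example. This is not GoSmarter's code; the route shape, the in-memory data and every function name are hypothetical, and the caller is assumed to be already authenticated.

```javascript
// Added illustration: all names and data here are hypothetical.
// Constructed sample data: two tenants, one user in each.
const MEMBERSHIPS = new Map([
  ["alice", ["acme"]],
  ["bob", ["globex"]],
]);
const ORDERS = [
  { id: 1, companyId: "acme", item: "steel bar" },
  { id: 2, companyId: "globex", item: "copper coil" },
];

// Layer 1: URL scoping. The target company is taken from the path and
// nowhere else, so a query-string or body parameter cannot override it.
function companyFromPath(path) {
  const m = /^\/api\/companies\/([a-z0-9-]+)\/orders$/.exec(path);
  return m ? m[1] : null;
}

// Layer 2: membership validation against server-side records.
function isMember(userId, companyId) {
  return (MEMBERSHIPS.get(userId) || []).includes(companyId);
}

// Layer 3: query filtering. The data-access function requires a company id
// and always applies it, so a missed check upstream still cannot return
// another tenant's rows.
function findOrders(companyId) {
  if (!companyId) throw new Error("companyId is required");
  return ORDERS.filter((o) => o.companyId === companyId);
}

// Layer 4: request rejection. Non-members get 403 before any query runs.
function handleRequest(userId, path) {
  const companyId = companyFromPath(path);
  if (!companyId) return { status: 404, body: null };
  if (!isMember(userId, companyId)) return { status: 403, body: null };
  return { status: 200, body: findOrders(companyId) };
}
```

A reviewer can ask for the equivalent negative test as evidence: a valid user of one company requesting another company's URL should receive 403 and no data.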

Internal services authenticate to one another using managed identity as the primary auth method in production. No credentials are hardcoded; where connection strings are required they are stored as secrets or configuration, not in application code.

→ Full details: Access Control

3. Encryption

All data is encrypted in transit and at rest. Encryption is enforced at the platform level and cannot be bypassed.

Protection | Standard
In transit | TLS 1.2 minimum on all services — database, storage, messaging, API, AI
At rest | AES-256 — SQL with TDE, Blob Storage with SSE, Key Vault with hardware-backed encryption
Key management | Platform-managed keys, automatically rotated by Azure

HTTP connections are rejected on storage and API ingress. Customer-managed keys (BYOK/CMK) are not currently available.

→ Full details: Encryption

4. Hosting and infrastructure

GoSmarter runs entirely on managed Microsoft Azure services. We do not operate our own datacentres or bare-metal servers.

  • Container-based application hosting
  • Managed SQL database and blob storage
  • Managed message processing
  • Centralised secrets management
  • Platform-level monitoring and audit logging

Application and AI processing workloads are separated. Deeper architecture detail (network topology, environment specifics, monitoring evidence) is available under NDA.

→ Full details: Hosting & Infrastructure

5. AI and document processing

GoSmarter uses AI for two document-processing tasks:

Step | What happens | Region
Classification | Identifies document type and supplier | UK South
Extraction | Extracts structured data (heat numbers, composition, mechanical properties) | Sweden Central (EU)

Every uploaded document is scanned for malware by Microsoft Defender for Storage before any AI processing begins.

AI data handling commitments:

  • Microsoft contractually commits that your data is not used to train, retrain, or improve Microsoft AI models
  • GoSmarter uses documents uploaded to the platform to continuously improve our own classification and extraction models (for example, when you add an unseen supplier or correct an extraction). This data is never shared with Microsoft or other customers; it is used only to improve our ability to read documents. See AI Security for the full data-handling explanation.
  • AI processing containers are ephemeral: they scale to zero when idle, temporary files are deleted after each document, and there is no shared state between runs

The cutting optimisation service is a pure algorithmic solver. It runs entirely in UK South and makes no external AI or API calls.

→ Full details: AI Security

6. Browser security

The GoSmarter web application enforces browser-level controls:

  • Content Security Policy (CSP): Scripts restricted to self plus two named product-experience vendors (Supademo, Frill). No advertising scripts
  • sessionStorage tokens: Authentication tokens cleared on tab close; no PII logging in the auth library
  • No source maps in production: Application internals not exposed in browser developer tools
  • Authenticated API routes: All /api/* routes require authentication at the platform level; unauthenticated requests are blocked by the Static Web App and redirected to the login page
  • Automated dependency scanning: Dependabot and dependency review run on every pull request, blocking high/critical CVEs
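
One way a reviewer could check the CSP claim above against a captured response header, as an added example that is not GoSmarter's code. The two vendor hosts are placeholders (the page does not list the real ones), and the sample headers are constructed.

```javascript
// Added illustration. The vendor hosts are placeholders, not the real CSP
// values; substitute the hosts from the header you are reviewing.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "https://vendor-a.example",
  "https://vendor-b.example",
]);
const RISKY = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"]);

// Parse a CSP header value into a Map of directive name -> source list.
// A repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return findings for the effective script policy. An empty list means
// scripts are limited to 'self' plus the allowlisted vendor hosts.
function auditScriptSources(header) {
  const csp = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (!sources) return ["no script-src or default-src: scripts are unrestricted"];
  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'" || s === "'none'") continue;
    if (RISKY.has(s)) findings.push(`risky source: ${src}`);
    else if (!ALLOWED_SCRIPT_HOSTS.has(s)) findings.push(`unexpected source: ${src}`);
  }
  return findings;
}

// Constructed sample headers.
const GOOD = "default-src 'self'; script-src 'self' https://vendor-a.example https://vendor-b.example";
const BAD = "default-src 'self'; script-src 'self' 'unsafe-inline' https://ads.example";
```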

→ Full details: Frontend Security

7. Incident response

GoSmarter maintains a documented incident response process aligned to ISO 27001 incident management controls and UK Cyber Essentials principles.

Monitoring in place:

  • SQL audit logging (authentication, permission changes, schema changes)
  • Application telemetry via Azure Application Insights
  • Microsoft Defender for SQL (SQL injection, anomalous access patterns)
  • Budget and capacity alerts for unusual resource consumption

Response SLAs (summary):

Severity | Acknowledge | Contain
Critical | 15 min | 4 hours
High | 1 hour | 1 business day
Medium | 4 business hours | 3 business days

For confirmed personal data breaches: customer notification target is within 72 hours of confirmation. Where UK GDPR notification thresholds are met, regulator (ICO) escalation follows within the same timeline.

Incident evidence is retained for 24 months.

→ Full details: Incident Response

8. Privacy and data protection

GoSmarter is the data processor; you (the customer) are the data controller. Microsoft Azure is the primary sub-processor.

GoSmarter is a B2B platform. Personal data processed is limited to user accounts, audit logs, and names appearing on business documents. No sensitive personal data (health, biometric, financial) is processed.

A Data Processing Agreement (DPA) is available on request. It covers: processing scope and purpose, technical and organisational security measures, sub-processor obligations (Microsoft Azure), data subject rights support, breach notification, and data deletion on contract termination.

Data subject rights (access, rectification, erasure, portability) are supported through the platform or on direct request.

→ Full details: Privacy & Data Protection

9. Compliance standards

Standard | Status
GDPR / UK GDPR | Fully aligned: UK South residency, DPA available, no transfers outside adequacy framework
ISO 27001 | Azure platform certified; GoSmarter application-level certification in progress
ISO 27017 / 27018 | Azure platform certified
SOC 2 Type II | Azure platform attested
Cyber Essentials Plus | Azure platform certified; GoSmarter application-level certification in progress
PCI DSS | Not applicable — no payment card data
HIPAA | Not applicable — no health data

“Azure platform certified” means Microsoft has undergone independent third-party audits for the services GoSmarter uses (Azure SQL, Blob Storage, Container Apps, Key Vault, Service Bus, AI services). Audit reports are available through the Microsoft Service Trust Portal.

→ Full details: Compliance Standards · Certifications & Attestations

10. Common questions

A curated set of questions from IT managers and procurement teams (covering data residency, AI, MFA, encryption, and how to get a DPA) is available on the FAQ page.

→ Security FAQ

Request evidence

We support security review processes at every stage. We can provide:

  • A security and compliance overview pack
  • Data Processing Agreement (DPA)
  • Relevant Azure certification and assurance references (SOC 2, ISO 27001, Cyber Essentials)
  • Additional technical detail (architecture, controls, penetration test outcomes) under mutual NDA
  • A compliance call with our team

Email us, contact us online, or book a compliance call to request the NDA pack.