Trust is not a feature. It is the product.
GovIQ helps public bodies make procurement decisions that have to survive audit, challenge and Tribunal review. The platform is built on an immutable audit chain, EEA-resident infrastructure and an ISO 27001 management system on a dated path to certification.
Dated, not aspirational.
| Standard | Status | Target |
|---|---|---|
| ISO/IEC 27001:2022 | Implementation in progress | Stage 2 audit Oct 2026; certificate 15 Nov 2026 |
| GDPR / Data Protection Act 2018 | Compliant | Ongoing — annual review |
| EU AI Act (Reg. 2024/1689) | Limited-risk classification, annual review | Ongoing |
| NIS2 alignment (via healthcare sector) | Overlay in development | Position statement Q4 2026 |
How we protect data.
Identity & access
Microsoft Entra ID SSO with mandatory MFA and Conditional Access; role-based permissions; quarterly access reviews.
Encryption
TLS 1.3 in transit; AES-256 at rest; HSM-backed key management inherited from EEA sub-processors.
Tenant isolation
Multi-tenant by design with application-layer enforcement, covered by automated tests on every change.
Immutable audit chain
Every state change recorded in a tenant-scoped SHA-256 chained log; chain integrity verified on a schedule.
Backups & DR
Daily encrypted snapshots, 90-day retention; RTO ≤ 4h, RPO ≤ 1h with recurring restore drills.
EEA data residency
A deliberately small sub-processor list, EEA-resident by default, each under a signed DPA.
Evidence for your due diligence.
The full sub-processor list, certification roadmap, incident-response process and vulnerability-disclosure policy live in the trust centre. The Trust Profile PDF, Anthropic position brief and ISO evidence packs are available under NDA — email privacy@goviq.ie. We acknowledge security reports within one working day.