Security & trust

Trust is not a feature. It is the product.

GovIQ helps public bodies make procurement decisions that have to survive audit, challenge and Tribunal review. The platform is built on an immutable audit chain, EEA-resident infrastructure and an ISO 27001 management system on a dated path to certification.

Certification roadmap

Dated, not aspirational.

StandardStatusTarget
ISO/IEC 27001:2022Implementation in progressStage 2 audit Oct 2026; certificate 15 Nov 2026
GDPR / Data Protection Act 2018CompliantOngoing — annual review
EU AI Act (Reg. 2024/1689)Limited-risk classification, annual reviewOngoing
NIS2 alignment (via healthcare sector)Overlay in developmentPosition statement Q4 2026
Security posture

How we protect data.

Identity & access

Microsoft Entra ID SSO with mandatory MFA and Conditional Access; role-based permissions; quarterly access reviews.

Encryption

TLS 1.3 in transit; AES-256 at rest; HSM-backed key management inherited from EEA sub-processors.

Tenant isolation

Multi-tenant by design with application-layer enforcement, covered by automated tests on every change.

Immutable audit chain

Every state change recorded in a tenant-scoped SHA-256 chained log; chain integrity verified on a schedule.

Backups & DR

Daily encrypted snapshots, 90-day retention; RTO ≤ 4h, RPO ≤ 1h with recurring restore drills.

EEA data residency

A deliberately small sub-processor list, EEA-resident by default, each under a signed DPA.

Documents on request

Evidence for your due diligence.

The full sub-processor list, certification roadmap, incident-response process and vulnerability-disclosure policy live in the trust centre. The Trust Profile PDF, Anthropic position brief and ISO evidence packs are available under NDA — email privacy@goviq.ie. We acknowledge security reports within one working day.

Get started

Do your due diligence before you commit.