GOVIQ-TRUST-002 · v0.1 (DRAFT)
Trust at GovIQ
GovIQ helps Irish public bodies make better procurement decisions. Trust is not a feature for us — it is the product. This page tells you, in plain English, how we earn that trust: who we are, who we work with, how we protect data, and how to engage with us when something matters.
This page is live. The information below reflects the current state of GovIQ. Where something is in progress, we say so and we give you the target date.
- Last meaningful update:
- Next review: Quarterly — alongside Management Review
- Privacy / GDPR: privacy@goviq.ie
- Security disclosure: security@goviq.ie
1. Where we are on our certification roadmap
| Standard | Status | Target |
|---|---|---|
| ISO/IEC 27001:2022 | Implementation in progress | Stage 2 audit October 2026; certificate target 15 November 2026 |
| NIS2 alignment (essential-entity supplier through HSE) | Overlay in development | Position statement Q4 2026 |
| EU AI Act (Regulation (EU) 2024/1689) | Limited-risk classification for current AI features; annual review | Ongoing |
| GDPR / Data Protection Act 2018 | Compliant | Ongoing — annual policy review |
If you are evaluating GovIQ before our ISO certificate issues, ask us for the Trust Profile PDF (privacy@goviq.ie). It walks through the current state of every Annex A control we will be audited against.
2. Who runs security at GovIQ
| Role | Person |
|---|---|
| CEO + acting CISO + Data Protection Lead | Liam McDonagh |
| Non-Executive Director + ISMS Sponsor | Gavin Hand — CIO-level background in regulated-sector transformation (ISO, GDPR, SOX, TISAX) |
| External lead auditor (when engaged) | CREST / IRCA-certified contractor |
| Certification body (when engaged) | NSAI, BSI, LRQA, or DNV |
| External penetration tester (annual) | CREST/CHECK-certified Irish firm |
Top management commitment to information security is signed by the CEO and ratified by the NED. Quarterly Management Reviews cover ISMS performance, audit results, incident response, and improvement actions.
3. Our sub-processors
We deliberately keep this list small. Each entry is a sub-processor with which we have signed a Data Processing Agreement (DPA), and each holds its own security certifications.
| Sub-processor | Service | Data residency |
|---|---|---|
| Microsoft Ireland | Identity (Entra ID), email, calendar | Ireland (EEA) — ISO 27001 + 27017 + 27018 + SOC 2 |
| Convex Inc. | Backend platform (datastore, functions, scheduling) | AWS eu-west-1 (Ireland — EEA) — SOC 2 Type II |
| Vercel Inc. | Frontend hosting, CDN | EEA (Frankfurt) + global edge — SOC 2 Type II + ISO 27001 |
| Resend | Transactional email | EEA — SOC 2 (in progress / confirmed per evidence cycle) |
| Anthropic | AI inference (Claude API) for limited-risk product features | EEA endpoint where available; otherwise US under SCCs — see Anthropic position brief |
| Cloudflare | DNS | Global — SOC 2 + ISO 27001 + ISO 27018 |
| GitHub (Microsoft) | Source code (no customer data) | US + EEA replication — SOC 2 + ISO 27001 |
We give customers prior notice of any change to this list per our DPA, with a documented objection window.
A specific position brief on our use of Anthropic (Claude API) — covering zero-retention status, the data lifecycle on a single call, contractual safeguards, EU AI Act classification, and the customer override mechanism — is available on request to privacy@goviq.ie.
4. Data protection
We hold ourselves to the GDPR and the Data Protection Act 2018, and we publish:
- A full Privacy Policy covering what data we collect, why, how long we keep it, and how to exercise your rights
- A Cookie Policy — minimal cookies, no marketing tracking, consent for any non-essential cookie
- A Record of Processing Activities (ROPA), maintained internally for both our controller and our processor activities
- DPIAs for any feature that materially processes personal data — completed for our HSE pilot
- A personal data breach response process — notification to the Data Protection Commission within 72 hours where there is a risk to data subjects, and within the HSE DPA timing window for HSE-related incidents
Your rights under the GDPR are set out at goviq.ie/privacy §8. To exercise any of them, email privacy@goviq.ie. We respond within one month and charge no fee.
5. How we protect data — security posture
| Area | What we do |
|---|---|
| Identity & access | Microsoft Entra ID SSO with mandatory MFA and Conditional Access; role-based permissions in the platform; quarterly access reviews; documented joiner / mover / leaver flow |
| Encryption | TLS 1.3 in transit; AES-256 at rest (inherited from Convex / AWS / Vercel); key management by sub-processors with HSM-backed services |
| Tenant isolation | Multi-tenant by design with application-layer enforcement, covered by automated tests on every PR |
| Audit trail | Every state change in the platform is recorded in an immutable SHA-256 chained audit log; chain integrity is verified on a recurring schedule |
| Backups | Daily encrypted snapshots, 90-day rolling retention; quarterly restore drills from Q3 2026 |
| Disaster recovery | RTO ≤ 4 hours, RPO ≤ 1 hour; first formal drill 2026-06-09; recurring quarterly |
| Vulnerability management | Dependabot, npm audit, patch SLAs per our published policy; CVEs in our stack are tracked and patched on schedule |
| Penetration testing | Annual CREST-certified test; first test September 2026; report and attestation available to customers under NDA |
| Endpoint security | Microsoft Intune MDM enrolment for every endpoint (rolling out Sprint 7 — September 2026) |
| Logging & monitoring | SIEM ingestion of audit and sign-in events (rolling out Sprint 7) |
| AI governance | Our AI Acceptable Use & Governance Policy covers both internal staff use and product features; EU AI Act tracking is ongoing |
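The audit-trail row above describes a SHA-256 hash-chained log whose integrity is re-verified on a schedule. As an added example (not GovIQ's code and not its Convex implementation), this shows how such a chain is built and how a scheduled check detects an edited or deleted historical record; the record fields, actor names and sample events are constructed.

```python
import copy
import hashlib
import json

# Each record carries the hash of the record before it, so changing or removing
# any earlier record alters every later hash and the chain stops verifying.
GENESIS = "0" * 64  # constructed sentinel used as prev_hash of the first record


def _canonical(record: dict) -> bytes:
    # Stable serialisation (sorted keys, no whitespace) so the same event always hashes identically
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append(log: list, actor: str, action: str, target: str, ts: str) -> dict:
    """Append one state change, linking it to the current chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
              "target": target, "prev_hash": prev}
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    log.append(record)
    return record


def verify(log: list) -> tuple:
    """Recompute every link; return (ok, index of first bad record or -1).

    Caveat: a chain alone cannot detect truncation of the newest records, so the
    scheduled check should also compare the head hash against a copy anchored
    elsewhere (e.g. recorded at the previous verification run).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(_canonical(rec)).hexdigest() != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, -1


def build_sample_log() -> list:
    # Constructed sample events for a procurement workflow
    log = []
    append(log, "analyst-1", "tender.create", "tender/42", "2026-05-01T09:00:00Z")
    append(log, "analyst-2", "tender.score", "tender/42", "2026-05-01T09:05:00Z")
    append(log, "analyst-1", "tender.award", "tender/42", "2026-05-02T10:00:00Z")
    return log


def tampered_copy(log: list) -> list:
    # Simulate a silent edit of a historical record (the kind of change the check must catch)
    bad = copy.deepcopy(log)
    bad[1]["actor"] = "someone-else"
    return bad
```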
6. Incident response
If something goes wrong, here is what happens:
- We detect the incident, either internally or via your report
- We acknowledge the report and triage within hours
- We contain the incident
- We notify affected customers per their DPA timing — for HSE, within the contractually defined window
- We notify regulators where required (the DPC for personal data breaches, sectoral regulators as applicable)
- We eradicate the root cause and recover
- We run a post-incident review and update controls and policies
- We publish material lessons learned (without disclosing customer-specific detail) at the next Management Review
The full plan is in our Incident Response Policy (available on request under NDA).
7. Responsible vulnerability disclosure
If you've found a security issue with goviq.ie or the GovIQ platform, please tell us in confidence at security@goviq.ie.
What to expect
- Acknowledgement within 1 working day
- Triage and initial response within 5 working days
- Coordinated disclosure timeline agreed with you
- Public credit if you would like it
- No legal action against good-faith researchers operating within scope
Out of scope: denial-of-service, social engineering of GovIQ personnel, physical attacks, attacks against third-party services (Microsoft, Convex, Vercel, etc.).
PGP key available on request.
8. How to ask us things
| You want to | Where to go |
|---|---|
| Read our privacy policy | goviq.ie/privacy |
| Read our cookie policy | goviq.ie/cookies |
| Ask a privacy / GDPR question | privacy@goviq.ie |
| Report a security vulnerability | security@goviq.ie |
| Receive our Trust Profile PDF | privacy@goviq.ie |
| Receive the Anthropic Position Brief | privacy@goviq.ie |
| Receive our SOC 2 (when held), ISO 27001 cert, or sub-processor evidence — under NDA | liam@goviq.ie |
| Discuss customer-specific feature opt-out or DPA amendment | liam@goviq.ie |
| Sales or product enquiries | info@goviq.ie |
| Lodge a complaint with the supervisory authority | Data Protection Commission (Ireland): dataprotection.ie |