Trust & Security · Procurement-grade evidence

Trust isn't claimed.
It's observed.

Buyer evidence for procurement, technical assurance and operational confidence. Encryption posture. ISO 27001 in flight. Cyber Essentials held. SOC 2 Type II on the roadmap. Sub-processors published. Audit ledger hash-chained.

Cyber Essentials · held ISO 27001 · in flight SOC 2 · roadmap ECCIRA-aligned

§ Trust posture · six pillars

Six trust surfaces. Procurement-ready.

From encryption posture through to operational security, every Allodis trust commitment is documented, evidence-backed and reviewable by a procurement team.

● Current

ENC

Encryption posture

Encryption in transit and at rest, protected keys, tenant isolation and controlled access.

TLS 1.3 for all endpoints
AES-256 at rest (Azure SSE)
Key Vault HSM for signing keys
Tenant-per-database isolation

● In flight

ISO

ISO 27001

Trust Center evidence, certification status, control summary and procurement pack.

ISMS scope: Allodis platform & ops
Stage 1 audit complete
Stage 2 scheduled
Control mapping on request

● Published

SUB

Sub-processors

Transparent sub-processor list, DPA, change notification and data residency overview.

Azure (UK South primary, UK West DR)
MongoDB Atlas (Azure-hosted)
Stripe (PCI DSS Level 1)
SendGrid (email delivery)

● Architecture

ARC

Architecture security

Defence in depth with network segmentation, WAF, DDoS protection and immutable audit logging.

Azure Front Door with WAF rules
Private endpoints · database access
Application Insights · real-time monitoring
Immutable audit trail · hash chain

● Operational

OPS

Operational security

RBAC, MFA enforcement, step-up authentication for sensitive operations and comprehensive audit.

OIDC / OAuth 2.0 with PKCE
Role-based access (12 roles)
MFA enforcement · all admin ops
Idle & absolute session timeout

● On request

PAK

Trust Pack

DPA, sub-processors, certification summary, security overview and data residency brief — for procurement teams.

Data Processing Agreement
Certification summary & evidence
Security overview document
Data residency brief · per tenant

§ Certification roadmap

Where we are. Where we're going.

Published live. Updated quarterly. Every certification carries a status, a scope and a target date — there are no surprises.

Cyber EssentialsPlus · UK NCSC Renewed annually. Scope: Allodis platform, operations and corporate infrastructure. ● Certified · current

ISO 27001:2022 · ISMS Stage 1 audit complete. Stage 2 scheduled. Certificate target: Q3 2026. ● In flight

SOC 2 Type IIAICPA · TSC 2017 Type I observation period in progress. Type II report target: H1 2027. ● In flight

ECCIRACIP compliance September 2025 regime alignment. Identity evidence packs aligned to CIP-eligible jurisdictions. ● Aligned

GDPR / UK GDPRDPA controller DPA template published. UK ICO registration current. SCCs available for cross-border transfers. ● Documented

FedRAMP ModerateUS federal Not on the immediate roadmap. UKOT/FCDO programmes use ICO standards instead. ○ Out of scope

§ Sub-processors

Five sub-processors. One residency story.

Every sub-processor is named, scoped, geolocated and certificated. Changes are notified to all tenants with a 30-day window before they take effect.

Sub-processor	Purpose	Region	Certifications
AZMicrosoft Azure	Compute, storage, networking, identity, key vault	UK South · UK West (DR)	ISO 27001 · SOC 2 · FedRAMP
MAMongoDB Atlas	Primary tenant database · Azure-hosted	UK South (via Azure)	ISO 27001 · SOC 2 Type II
STStripe	Payment processing · certified-search billing	EU + US · routed by tenant	PCI DSS Level 1 · SOC 2
SGSendGrid (Twilio)	Transactional email · status notifications	EU · GDPR controller	ISO 27001 · SOC 2
AIAzure Application Insights	Observability · traces, logs, metrics	UK South (with Azure)	ISO 27001 · SOC 2

Request the Trust Pack

Procurement needs evidence, not promises.

Request Trust Pack → Read security docs

DPA · sub-processors · certifications · residency brief · Delivered within 24h to qualified buyers