Security & trust

Built for the buyer who reads the security questionnaire first.

Every page below has a one-line answer for your security review and a footnote on how to verify it. SIG Lite, SIG Core and CAIQ responses available on request within 5 working days.

Certifications & assurance

What's certified, what's in flight, what's next.

Colour-coded so your procurement team can tick the green ones today and know exactly when the amber ones land.

Status key: Certified · In audit · Roadmap
  • Cyber Essentials Plus (Live)
    Certified
  • GDPR / UK Data Protection Act 2018 (Live)
    Compliant · DPA available
  • NHS DSPT (Live)
    Standards Met
  • ISO 27001 (In audit)
    Audit underway · expected Q3 2026
  • BS 8484 (lone-worker device) (Roadmap)
    On roadmap — 2026
  • SOC 2 Type II (Roadmap)
    On roadmap — 2027
How we protect your data

Eight pillars of our security posture.

Each pillar maps to a clause in our DPA and to the controls catalog in our ISO 27001 SoA. Click through to verify any of them.

Data in flight & at rest

Encryption

TLS 1.3 in transit. AES-256 at rest, customer-managed keys via AWS KMS on Enterprise. Backups encrypted; passphrase escrow for break-glass recovery.

Infrastructure

Hosting & data residency

UK-only by default — AWS eu-west-2 (London), two availability zones. EU-only or on-prem available for Enterprise. No customer data ever leaves the chosen jurisdiction.

Access control

Multi-tenant isolation & access

Row-level isolation by tenant_id on every table. Enforced at the API guard layer before queries reach the database — no SQL injection can ever cross tenants. SSO + SAML + MFA on Enterprise. Externally pen-tested annually.

Evidence trail

Audit & retention

Every action signed and timestamped. 90 days on Starter, 365 days on Pro, indefinite + WORM on Enterprise. Exports to PDF, CSV, JSON for inspections.

Always-on

Resilience & BCDR

99.9% SLA on Starter / Pro · 99.95% on Enterprise. Multi-AZ failover, hourly DB snapshots, quarterly restore drills. Live status at status.vygard.com. SLA credit if missed.

Disclosure

Vulnerability disclosure

security.txt + a published responsible-disclosure policy. Bug-bounty for critical paths. Patch SLAs: critical < 24h, high < 7 days, medium < 30 days. Customers notified in advance of any maintenance window over 2 minutes.

Privacy by default

Worker privacy

Location only ingested while clocked on. 90-day raw retention then aggregated. Workers can request deletion under GDPR Article 17. Configurable per-sector opt-out policy.

Transparency

Sub-processors

Full register in DPA Schedule B — AWS (hosting), Twilio (SMS / WhatsApp / voice), Stripe (billing), Anthropic (Claude inference, no PII), SendGrid (email). 30-day notice on any change.

Documents on request

Procurement-ready paperwork.

The DPA is published in full. Everything else is one email away — most under 5 working days. NDAs available on request.

Published in full

Data Processing Agreement (DPA)

UK GDPR Article 28 aligned, with the current sub-processor list, TOMs, and transfer-mechanism schedule. Read in full on the public page, then request a countersigned PDF.

Read the DPA
  • Data Protection Impact Assessment (DOC)
    DPIA template — fill once, reuse per workflow.
  • Information Security Policy (PDF)
    Executive summary of the full ISMS.
  • Business Continuity Plan (PDF)
    RTO / RPO, failover drill log, last-quarter restore evidence.
  • Pen test executive summary (PDF)
    External, annual. Last 12 months' findings + remediation.
  • Sub-processor register (CSV)
    Published in DPA Schedule B. Always current.
  • Cyber insurance certificate (PDF)
    £5m aggregate cover. Renewed annually.
  • Acceptable Use Policy (PDF)
    Customer-facing, signed at onboarding.
  • SIG Lite / SIG Core / CAIQ responses (JSON)
    Returned inside 5 working days.
Email security@vygard.com with your company name + the docs you need. Replies within 24 hours; full pack inside 5 working days.

Need anything else for your security review?

security@vygard.com — we reply within 24 hours. Or book a 30-min call with our DPO.