Skip to content
ACTServ Technology Ltd
Legal
Security

ACTServ GRC Security Overview

High-level security, hosting, access, integration and certification information.

Version 1.0Approved as of 01 January 2026Informational document

ISO/IEC 27001 certification

ItemDetail
CertificateISMS.26.007.
StandardISO/IEC 27001:2022.
Certified scopeProvision of IT services, software development, IT audit and assurance, and cybersecurity consulting services.
Statement of ApplicabilityVersion 1.0, dated 12 March 2026.
Certified location232 Strovolou Avenue, 2nd Floor, 2048 Nicosia, Cyprus.
ValidityUntil 14 April 2029, subject to continued certification and surveillance requirements.

Platform architecture

  • Convex serverless backend, database and evidence or file storage in Europe (Ireland).
  • Vercel frontend delivery and execution in Paris, France and Frankfurt, Germany.
  • Clerk identity, authentication, sessions and MFA.
  • Multi-tenant data model with tenant-aware authorisation.

Identity and access

  • Mandatory MFA for registered Platform users.
  • Role-based access and tenant-scoped permissions.
  • Need-to-know access for authorised ACTServ personnel.
  • Time-limited, auditable advisor access where used.
  • Logged restricted super-administrator access.

Integrations

  • Customer-controlled scopes and permissions.
  • Read-only collection where an integration is described as read-only.
  • Encrypted storage of integration credentials.
  • Sanitisation of integration logs to avoid returning secrets and access tokens.
  • Microsoft 365 email sending through Customer’s tenant and designated mailbox.

Evidence and external uploads

  • Evidence and files are stored in the Convex backend.
  • External upload links are limited-purpose, expiring or revocable token links.
  • Customer controls recipient selection and secure distribution.

Backups and resilience

  • Daily production backups.
  • Seven-day rolling retention.
  • Backups are intended for disaster recovery and not guaranteed record-level recovery.

Data minimisation

The Platform is intended to process only information reasonably necessary for configured GRC, audit, compliance and third-party-risk purposes. Customers should not upload secrets or unnecessary sensitive personal data.

Security-document requests

Customers and prospective customers may request the ISO/IEC 27001 certificate, an appropriate Statement of Applicability extract, security questionnaire responses and other available assurance information through ACTServ’s trust-assurance request process or their account contact. Sensitive evidence may require confidentiality protections and need-to-know review.