01
ISO/IEC 27001 certification
| Item | Detail |
|---|---|
| Certificate | ISMS.26.007. |
| Standard | ISO/IEC 27001:2022. |
| Certified scope | Provision of IT services, software development, IT audit and assurance, and cybersecurity consulting services. |
| Statement of Applicability | Version 1.0, dated 12 March 2026. |
| Certified location | 232 Strovolou Avenue, 2nd Floor, 2048 Nicosia, Cyprus. |
| Validity | Until 14 April 2029, subject to continued certification and surveillance requirements. |
02
Platform architecture
- Convex serverless backend, database and evidence or file storage in Europe (Ireland).
- Vercel frontend delivery and execution in Paris, France and Frankfurt, Germany.
- Clerk identity, authentication, sessions and MFA.
- Multi-tenant data model with tenant-aware authorisation.
03
Identity and access
- Mandatory MFA for registered Platform users.
- Role-based access and tenant-scoped permissions.
- Need-to-know access for authorised ACTServ personnel.
- Time-limited, auditable advisor access where used.
- Logged restricted super-administrator access.
04
Integrations
- Customer-controlled scopes and permissions.
- Read-only collection where an integration is described as read-only.
- Encrypted storage of integration credentials.
- Sanitisation of integration logs to avoid returning secrets and access tokens.
- Microsoft 365 email sending through Customer’s tenant and designated mailbox.
05
Evidence and external uploads
- Evidence and files are stored in the Convex backend.
- External upload links are limited-purpose, expiring or revocable token links.
- Customer controls recipient selection and secure distribution.
06
Backups and resilience
- Daily production backups.
- Seven-day rolling retention.
- Backups are intended for disaster recovery and not guaranteed record-level recovery.
07
Data minimisation
The Platform is intended to process only information reasonably necessary for configured GRC, audit, compliance and third-party-risk purposes. Customers should not upload secrets or unnecessary sensitive personal data.
08
Security-document requests
Customers and prospective customers may request the ISO/IEC 27001 certificate, an appropriate Statement of Applicability extract, security questionnaire responses and other available assurance information through ACTServ’s trust-assurance request process or their account contact. Sensitive evidence may require confidentiality protections and need-to-know review.
