Security & compliance
UK-domiciled by default. Audit-ready by design.
The posture the UK mid-market needs to procure, signed off in writing, with no transatlantic data path.
- UK data residency at AWS London region (eu-west-2). All customer data stored within the UK.
- Off-region backups to AWS Ireland (eu-west-1) only. No transfers outside the UK / EEA.
- Encryption at rest using AWS KMS-managed keys. Encryption in transit using TLS 1.2+.
- Role-based access control with least-privilege defaults.
- Multi-factor authentication required for all AdoptIQ employee access.
- Audit logs retained for 7 years.
- Quarterly external penetration testing from Year 2.
- ISO 27001 alignment from launch; formal certification by end of Year 2.
- GDPR / UK GDPR compliance: AdoptIQ acts as Data Processor for customer personal data. A Data Processing Agreement (DPA) is executed with every customer.
- Cyber Essentials certification by end of Year 1. Cyber Essentials Plus by end of Year 2.
A DPA is executed with every AdoptIQ customer.
AdoptIQ acts as Data Processor for customer personal data under UK GDPR. The DPA, sub-processor list and retention schedule are available on request as part of the procurement pack.