Security & assurance

Built for public-sector procurement from day one

Simpriva holds sensitive descriptions of your highest-risk processing. We treat the platform's own compliance as a feature — not a retrofit when a tender appears.

⌖

UK data residency

All data — including backups and telemetry — stays in Azure UK. No data leaves the UK region.

⛉

Per-tenant isolation

Database-per-tenant within a shared application tier, with evidence files in a per-tenant storage container — enabling per-tenant backup, restore and deletion.

⚿

Identity & access

Microsoft Entra ID with mandatory MFA, role-based access enforced server-side, and tenant scoping enforced at the database layer — not only in application code.

⚷

Encryption everywhere

TLS 1.2+ in transit and encryption at rest. Secrets held in Key Vault; file uploads are type-restricted, size-limited and malware-scanned.

≡

Append-only audit

Logins, role changes, answer changes, status transitions, approvals, evidence decisions and config changes — clock-synced, exportable, with no update or delete path.

⤢

Exit & deletion

Per-tenant export and deletion designed in from the start — because offboarding is a procurement question, not an afterthought.

Assurance roadmap

Cheap now, expensive later — so we start now

Cyber Essentials → Cyber Essentials Plus

The baseline UK public-sector buyers expect, with the Plus assessment on the path to first paying customer.

Independent penetration test

Conducted before the first paying customer, with remediation tracked and re-tested.

Simpriva's own DPIA, ROPA, privacy notice & DPA

We run our own product on ourselves — and provide a Data Processing Agreement template for your procurement.

DSPT & DTAC awareness for NHS

Not MVP build items — but the architecture keeps them reachable without re-platforming.

⚖️

Decision support, not legal advice

Simpriva's outputs are decision support. The engine suggests routings, risks and evidence; a human DPO or reviewer always decides and can override with a recorded rationale. PECR is handled as an advisory flag-and-review route — this disclaimer appears in both the product UI and generated reports.

Need our security pack for procurement?

We'll share residency, isolation and assurance documentation on request.

Request the security pack