Compliance Readiness

Systems that hold up when your procurement team asks the hard questions.

Enterprise procurement questionnaires are thorough for good reason. We understand what they are looking for and build to those standards — so your deal does not stall because of a security review.

How we approach it

ISO 27001-aligned practices

Our development practices align with ISO 27001 principles: documented policies for access control, change management, incident response, and supplier management. We can map our practices to ISO 27001 controls on request to support your certification or due diligence process.

GDPR and UK GDPR readiness

For systems that handle personal data, we implement privacy by design: lawful basis documentation, data subject rights support (access, deletion, portability), purpose limitation, and breach notification procedures. We are not lawyers — but we build in the technical controls that support compliance.

SOC 2 readiness support

If you are pursuing SOC 2 certification, we build the controls that auditors look for: logical access management, change management, availability monitoring, and incident logging. We document these controls so your auditor can verify them.

Enterprise procurement questionnaire support

We have worked through enough enterprise procurement processes to understand what security questionnaires ask. We can complete security questionnaires, provide architecture diagrams, and support technical due diligence calls as part of your sales cycle.

Incident response procedures

Every production system we ship includes a documented incident response procedure: how incidents are detected, classified, escalated, communicated, and resolved. We define who owns each step and what the SLAs are.

Change management and deployment controls

All production changes go through a documented process: code review, automated testing, staged deployment, and rollback capability. We can provide evidence of this process for audits and questionnaires.

Questions

Common questions about compliance readiness.

Yes. We complete enterprise security questionnaires as part of our standard engagement. We have worked through questionnaires for procurement processes at large financial services, healthcare, and public sector organisations. If your questionnaire has specific technical requirements, raise them early so we can confirm our approach.

BuildToSolve is not currently ISO 27001 or SOC 2 certified as a business. However, we build systems aligned with those frameworks and can document the controls in place. If you require certified suppliers, that is something to raise at the outset — in many cases, the system we deliver can sit behind your own certified infrastructure.

We implement the technical controls that support GDPR compliance: lawful basis documentation, data minimisation, purpose limitation, retention schedules, and data subject rights workflows (access, deletion, portability). We work with your legal or DPO team to ensure the technical implementation matches your compliance obligations.

Every delivery includes a handover pack covering system architecture, data flow diagrams, access control documentation, third-party subprocessor list, retention policies, incident response procedure, and change management process. This is designed to give your security and compliance teams everything they need.

Other trust pillars

Security

Security by design, not an afterthought

  • TLS 1.2+ enforced on all service endpoints
  • AES-256 encryption for sensitive data at rest

AI Governance

AI you can explain and control

  • All prompt templates version-controlled and reviewed
  • Output validation layer before any downstream action

Data Handling

Your data stays yours

  • Data minimisation reviewed at design stage
  • Retention periods defined per data category