Trust & Security

Compliance earns trust. So does building it in public.

PICMS protects customer data with UK data residency, AES-256 encryption, and aligned ISO 27001 controls. We use our own platform to manage our ISMS — and we're publishing the journey.

Where We Are Today (April 2026)

PICMS is aligned with ISO 27001 and Cyber Essentials controls. We are currently using our own platform to manage our ISMS, and are targeting formal Cyber Essentials certification within 8 weeks and ISO 27001 certification in 2026. Follow the journey on our blog — including the mistakes we make along the way.

Security Pillars

How we keep your compliance data safe.

UK Data Residency

All customer data lives in AWS eu-west-2 (London). Postgres, S3 objects, Supabase vectors — everything. No data leaves the UK without your explicit consent.

Encryption Everywhere

At rest: AES-256 (AWS RDS & S3 server-side encryption).
In transit: TLS 1.2+ on every connection.
Application secrets encrypted with AES-256-GCM, keyed to the platform.

Authentication & SSO

Auth0-backed identity. Supports SSO, MFA (enforced for admin users), and OIDC. Session tokens scoped to organisation with RBAC — consultants, admins, staff, auditors, viewers.

Multi-Tenant Isolation

Every query scoped to organization_id. Row-level isolation in Postgres. Cross-tenant data access is architecturally impossible — not just policy.
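One way to enforce the row-level isolation described above in PostgreSQL is row-level security (RLS) keyed on organization_id. The script below is an added illustration, not PICMS's own schema or code: the table, role, policy and session-variable names (controls, app_user, tenant_isolation, app.current_org) are assumptions, and the UUIDs are constructed sample values.

```sql
-- Added example (not PICMS's schema): per-tenant row isolation with PostgreSQL
-- row-level security, keyed on organization_id. Names are assumptions.

CREATE TABLE controls (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Role the application connects as (credentials provisioned outside this script).
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON controls TO app_user;

ALTER TABLE controls ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, so a misconfigured
-- connection using the owner role does not silently bypass isolation.
ALTER TABLE controls FORCE ROW LEVEL SECURITY;

-- A session may only read (USING) and write (WITH CHECK) rows whose
-- organization_id equals the tenant set in the session variable app.current_org.
-- nullif(..., '') turns an unset or reset variable into NULL; a NULL comparison
-- never satisfies the policy, so a session with no tenant set sees nothing.
CREATE POLICY tenant_isolation ON controls
    FOR ALL
    TO app_user
    USING (organization_id = nullif(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = nullif(current_setting('app.current_org', true), '')::uuid);

-- Per request, the application sets the tenant inside a transaction.
-- SET LOCAL scopes the value to this transaction, so a pooled connection
-- does not carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, title FROM controls;                       -- returns only this organisation's rows
INSERT INTO controls (organization_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Access control policy');  -- allowed
COMMIT;

-- An insert for a different tenant inside the same kind of session is rejected
-- by WITH CHECK with "new row violates row-level security policy", regardless
-- of what the application layer's query filter says:
--   INSERT INTO controls (organization_id, title)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant');
```

The point of the FORCE clause and the nullif guard is that isolation holds even when the application forgets a WHERE clause or fails to set the tenant, which is what distinguishes a database-enforced control from a policy that relies on every query being written correctly.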

GDPR-Compliant

DSAR workflow, right-to-erasure tooling, audit log of every data access. DPA available on request. We are registered with the ICO (UK Data Protection).

Audit Trail

Every create, update, and delete logged with user identity, timestamp, and diff. Immutable activity timeline. Exportable for external auditors.

Backup & Recovery

Automated RDS snapshots every 24h with 30-day retention. Point-in-time recovery to any second in the last 7 days. Tested monthly via restore drill.

Vulnerability Management

Dependabot scans every push. Automatic dependency patching. Penetration test planned pre-ISO 27001 certification (Q3 2026). Responsible disclosure: security@picms.com.

Compliance Status

Radical transparency: where we are, where we're going.

Cyber Essentials (UK government-backed security certification): In Progress — Q2 2026
ISO 27001:2022 Information Security (managed using PICMS's own platform): Aligned — Certification Q4 2026
UK GDPR & DPA 2018 (ICO registered, DSAR process live): Compliant
ISO 9001 Quality (our QMS is managed in PICMS): Aligned — Certification 2026
SOC 2 Type II (for US enterprise buyers): Planned 2027

Infrastructure

The stack that runs your compliance.

Hosting: AWS ECS Fargate with Application Load Balancer, eu-west-2 (London)
Database: PostgreSQL 15 (AWS RDS), encrypted at rest and in transit
Object Storage: AWS S3 (eu-west-2), private bucket policy with signed URLs for access
Identity Provider: Auth0, MFA enforced for admin users, SSO available
AI Providers: Anthropic Claude (EU inference), data sent only when a user triggers a feature
Transactional Email: Resend, with DKIM, SPF and DMARC configured
Payments: Stripe (PCI DSS Level 1), card data never touches PICMS servers

Questions about our security posture?

We're happy to share our penetration test reports, DPA template, and responsible disclosure policy. Email the team directly.

security@picms.com