Security

How do SocialOptic keep my data secure?

Handling your data securely is our top priority. We make significant and continual investments in security, in our technical infrastructure and in our skills and knowledge. SocialOptic is certified to ISO/IEC 27001:2022, the globally recognised standard for information security, and also holds ISO 9001:2015 certification, ensuring our processes are robust and continually improved.

Where is my data stored?

For our UK customers, all data is held within the UK — in Microsoft Azure’s UK regions (UK South and UK West) — across multiple data centres for resilience. Our Enterprise offering provides options for maintaining data within the EU, US, Canada or Australia.

These data centres comply with industry standards including ISO/IEC 27001:2022 and NIST SP 800-53. There is a layered approach to physical security, with access approval at the facility perimeter, the building perimeter, inside the building and on the data-centre floor. Internal movement is controlled by two-factor authentication with biometric controls.

How is my data secured?

Data is encrypted in transit and at rest — secured between users’ browsers and our servers using TLS, and encrypted while stored on our servers. We use a wide range of technical measures including multiple firewall technologies, intrusion prevention and detection, and real-time monitoring and alerting, supported by both manual and automated scanning. SocialOptic implements data marking and classification and role-based access control, so access is restricted to those who need it; data marked as PII receives additional controls. These controls are internally audited and also checked by an external auditor.

How do SocialOptic develop software securely?

Security is built into how we develop our products, following a secure-by-design approach aligned with the NCSC Cloud Security Principles and the NIST Secure Software Development Framework (SSDF, SP 800-218). Every change is peer-reviewed through pull requests on protected branches before release. Our continuous integration pipelines run automated test suites and type checking and gate any build that does not pass. We use automated dependency scanning (software composition analysis) with managed updates, alongside static application security testing (SAST) and secret scanning, so issues are found and fixed early.

Will I be notified if there is a breach?

SocialOptic has a full incident management process. In line with both UK GDPR and EU GDPR, you will receive notification within 72 hours of us becoming aware of a breach, and our internal SLA is to notify within 24 hours wherever possible. We also maintain a published Responsible Vulnerability Disclosure Policy.

Is your service backed up and resilient?

Our services are built for resilience. Customer data is held in the UK with regular backups and multi-site failover — a primary UK data centre, live mirroring to a secondary UK data centre, and a tertiary UK stand-by for disaster recovery. We target a service availability of 99.99%.

Will SocialOptic sign a Data Processing Agreement, and who are your sub-processors?

For the personal data you process using our products, you are the data controller and SocialOptic acts as your data processor. We provide a Data Processing Agreement (DPA) that meets the requirements of UK GDPR Article 28 as part of contracting. Where data is transferred outside the UK for Enterprise customers, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

Our core infrastructure is provided by Microsoft Azure in the UK. We maintain a current list of the sub-processors we use to deliver our services — with each one’s purpose and location — and we notify customers of changes. You can request our DPA and sub-processor list via the SocialOptic Trust Hub.

Do SocialOptic’s products make me GDPR compliant?

No product can make you GDPR compliant, as compliance is a process, not a purchase. However, our products provide the tools you need to meet the requirements of GDPR (both UK GDPR and EU GDPR). That includes responding to data subject access requests, the right to erasure, and records of processing. This greatly reduces the effort of becoming, and remaining, compliant. More than that, we include the features you will need to meet the requirements of standards including ISO 27001, SOC2, CyberEssentials plus, NCSC and NIST frameworks and standards.

Security certifications

SocialOptic holds a Whole Organisation Cyber Essentials Plus certification and publishes a CAF-aligned NHS Data Security and Protection Toolkit assessment (Organisation ID Z7I7E) that consistently rates “Standards Exceeded” against the UK National Data Guardian’s 10 data security standards. This means our security is externally tested and audited. SocialOptic is registered with the ICO in the UK — ZA092349.

Is SocialOptic suitable for UK government, NHS and public-sector use?

Yes. Our products are designed and operated in line with the NCSC Cloud Security Principles and are suitable for information classified at OFFICIAL (including OFFICIAL-SENSITIVE handling). Our security framework is aligned with the NCSC Cyber Assessment Framework (CAF): we maintain a CAF supplier security assessment on Risk Ledger, and our CAF-aligned NHS DSPT, ISO/IEC 27001:2022 and Cyber Essentials Plus certifications underpin that alignment. We can provide a mapping of our controls to the CAF objectives — including A4 (Supply Chain) — to support your own GovAssure or local-government CAF assessment.

Is your service accessible?

Accessibility is built in: our product interfaces are designed and tested to meet the Web Content Accessibility Guidelines (WCAG) 2.2 at Level AA, the standard required of UK public-sector services.

Trust Hub

If you would like specific details of our certifications, you can request these via the SocialOptic Trust Hub.

If you are an Enterprise user of Risk Ledger, you can connect to our risk assessment.

Last reviewed: June 2026.