Security, compliance and the answers RFPs always ask
This page is the canonical place to see how Vitalytics handles your data, what we're certified against today, what we're working towards, and which sub-processors touch your information. Procurement teams should be able to lift this straight into a vendor questionnaire.
Last reviewed: 2026-04-25 · Next review: 2026-07-25
Certifications & frameworks
Roadmap:
· FCA SYSC & SMCR-aligned evidence pack (controls inventory, access reviews, SUP 15-ready incident template, MNPI segregation matrix) — Q3 2026.
· NHS Data Security and Protection Toolkit submission — Q3 2026.
· ICO data-controller registration — pending (target May 2026).
· SOC 2 Type 1 readiness assessment — Q4 2026.
ISMS scope
The Vitalytics Information Security Management System covers all client-facing managed-IT services delivered from our UK and EU operations, including:
- Endpoint, identity, email and network management;
- Cloud infrastructure on Microsoft Azure and the Vitalytics private OpenStack cloud (UK, EC1);
- Service desk and incident response, on-call and out-of-hours;
- Backup, BCDR and immutable storage operations.
Out of scope: the public Vitalytics website (this site), the Cloudflare DNS zone for vitalytics.co.uk, and any client-controlled SaaS the client has not asked us to administer.
Sub-processors
The following table lists the processors that handle client data on our behalf, plus two internal or staff-only systems included for transparency (marked as such in the Agreement column). We provide 30 days' notice of any addition via this page and to named compliance contacts.
| Sub-processor | Purpose | Data location | Agreement |
|---|---|---|---|
| Microsoft (Azure, M365) | Tenancy hosting, identity, mail when client elects M365 | UK South / West Europe | Microsoft DPA |
| Cloudflare | DNS, WAF, Turnstile, image delivery | Global edge, EU termination | Cloudflare DPA |
| GitLab (self-hosted) | Source control for client config & runbooks | UK (Vitalytics London) | n/a: self-hosted and operated by Vitalytics, listed for transparency; not a third-party processor |
| Google (Workspace) | Internal email for Vitalytics staff (no client data routed) | UK / EU | Google Workspace DPA |
Encryption
- In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS preload on this domain. mTLS between internal services.
- At rest: AES-256 on all managed storage (Cinder NVMe, NFS, Azure Storage), customer-managed keys available for ISO-27001-scope clients on request.
- Key management: Vitalytics-operated OpenBao (the community fork of HashiCorp Vault; the two are separate projects), sealed root, daily key rotation logged.
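A way to check the in-transit claims above from the outside, given here as an added example rather than anything Vitalytics publishes: it probes which TLS protocol versions a host will complete a handshake with, and checks the Strict-Transport-Security header against the preload-list criteria (max-age of at least one year, includeSubDomains, preload). The default host name is an assumption, and only the command-line entry point touches the network.

```python
"""Outside-in check of a provider's transport-security claims.

Probes which TLS protocol versions a host will complete a handshake with
and checks its Strict-Transport-Security header against the HSTS preload
list criteria: max-age of at least 31536000 s (one year), includeSubDomains
and preload. Added example, not Vitalytics tooling; the default host name
below is an assumption. Only the command-line entry point touches the network.
"""
from __future__ import annotations

import http.client
import socket
import ssl
import sys

PRELOAD_MIN_MAX_AGE = 31_536_000  # one-year floor required for the preload list

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_hsts(header: str) -> dict:
    """Split an HSTS header value into its three directives (names are case-insensitive)."""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                out["max-age"] = None
        elif name in ("includesubdomains", "preload"):
            out[name] = True
    return out


def hsts_preload_ready(header: str | None) -> tuple[bool, list[str]]:
    """Return (ok, problems) for an HSTS header value against the preload-list rules."""
    if header is None:
        return False, ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    problems = []
    if d["max-age"] is None:
        problems.append("max-age missing or not an integer")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if not d["includesubdomains"]:
        problems.append("includeSubDomains missing")
    if not d["preload"]:
        problems.append("preload directive missing")
    return not problems, problems


def tls_policy_ok(negotiated: dict) -> tuple[bool, list[str]]:
    """Apply 'TLS 1.2 minimum' to a {version name: handshake succeeded} map."""
    problems = [f"{v} accepted (policy is 1.2 minimum)"
                for v in ("TLSv1.0", "TLSv1.1") if negotiated.get(v)]
    if not (negotiated.get("TLSv1.2") or negotiated.get("TLSv1.3")):
        problems.append("neither TLS 1.2 nor TLS 1.3 negotiated")
    return not problems, problems


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer each protocol version on its own; True means the server completed a handshake with it."""
    result = {}
    for name, ver in VERSIONS.items():
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except ValueError:
            result[name] = False  # this OpenSSL build cannot offer the version at all
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            result[name] = False
    return result


def fetch_hsts(host: str, timeout: float = 5.0) -> str | None:
    """HEAD / over HTTPS and return the raw Strict-Transport-Security value, if any."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vitalytics.co.uk"  # assumed default
    negotiated = probe_tls_versions(target)
    ok, why = tls_policy_ok(negotiated)
    print("TLS versions:", negotiated, "OK" if ok else why)
    ok, why = hsts_preload_ready(fetch_hsts(target))
    print("HSTS:", "OK" if ok else why)
```

Run it as `python3 tls_check.py vitalytics.co.uk`. A host that refuses TLS 1.0 and 1.1 and completes a handshake on 1.2 and 1.3 satisfies the "TLS 1.2 minimum" line. One caveat: an OpenSSL build that will not offer TLS 1.0 or 1.1 at all reports them as not negotiated whatever the server would have accepted, so read a False for the legacy versions as "not observed" rather than proof of rejection.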
Identity & access
- SSO via Authentik (OIDC + SAML) for all internal tools, with WebAuthn / passkeys enforced for staff with elevated access.
- JIT elevation for engineers; standing admin rights only for break-glass accounts (audited monthly).
- Quarterly access reviews; terminations propagated within 4 working hours of HR notice.
Business continuity & disaster recovery
| Scenario | RTO | RPO | Last tested |
|---|---|---|---|
| Single VM loss | 15 min | 0 (live replica) | 2026-03-12 |
| Single hypervisor loss | 30 min | 15 min | 2026-02-19 |
| Storage shelf loss | 4 hours | 1 hour | 2026-01-22 |
| Site loss (London EC1) | 24 hours | 4 hours | Not yet tested (planned Q3 2026) |
Off-site backup target: Backblaze B2 (UK), rolling out Q2 2026. Until then, backups are held at a second physical site within EC1, so the site-loss scenario above currently relies on a second London site rather than a geographically separate copy.
Incident response
- Severity P1 (service down or confirmed breach): 15-min initial response, 1-hour status update cadence, postmortem within 5 working days.
- Severity P2 (significant degradation): 1-hour response, 4-hour update cadence.
- Severity P3 (minor or single-user): next business day.
- Customer notification of any incident affecting their data within 24 hours of confirmation, regardless of severity.
Live status page: vitalytics.co.uk/status. Subscribe via the RSS link there for incident notifications.
Vulnerability management
- Patching: critical CVEs within 72 hours, high within 7 days, medium within 30 days.
- Penetration testing: annual external test (next: October 2026); internal architecture review every 6 months.
- Coordinated disclosure: security@vitalytics.co.uk · /.well-known/security.txt (RFC 9116 format; publishing soon).
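To turn the patch SLAs above into something an auditor can test against a scanner export, here is an added example (not Vitalytics tooling) that classifies each finding as on track, due within 24 hours, open past its deadline, or remediated only after it. The sample findings, asset names and finding IDs are constructed. The windows are the ones stated above; counting them from first detection is an assumption, since the page does not say whether the clock starts at detection or at CVE publication.

```python
"""Patch-SLA adherence check over a vulnerability-scanner export.

Applies the published windows (critical 72 h, high 7 d, medium 30 d),
counted here from when a finding is first seen (an assumption), and
reports for a reference time which findings are on track, due within
24 h, open past their deadline, or fixed only after it. Added example,
not Vitalytics tooling; the sample findings, assets and IDs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SLA windows as published; severities without a window (e.g. low) carry no deadline.
SLA_WINDOW = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}
DUE_SOON = timedelta(hours=24)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str                  # critical / high / medium / low (case-insensitive)
    first_seen: datetime           # timezone-aware
    remediated: datetime | None = None


def deadline_for(f: Finding) -> datetime | None:
    """Deadline implied by the SLA, or None when no SLA applies."""
    window = SLA_WINDOW.get(f.severity.lower())
    return f.first_seen + window if window is not None else None


def classify(f: Finding, now: datetime) -> str:
    """One of: no-sla, met, breached-late, breached-open, due-soon, on-track."""
    deadline = deadline_for(f)
    if deadline is None:
        return "no-sla"
    if f.remediated is not None:
        return "met" if f.remediated <= deadline else "breached-late"
    if now > deadline:
        return "breached-open"
    if deadline - now <= DUE_SOON:
        return "due-soon"
    return "on-track"


def sla_report(findings: list[Finding], now: datetime) -> dict[str, list[str]]:
    """Group finding IDs by SLA state; every state key is present so callers can index safely."""
    report: dict[str, list[str]] = {
        s: [] for s in ("breached-open", "breached-late", "due-soon", "on-track", "met", "no-sla")
    }
    for f in findings:
        report[classify(f, now)].append(f"{f.finding_id}@{f.asset}")
    return report


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample export (not real findings).
SAMPLE = [
    Finding("F-001", "web-01", "critical", ts("2026-04-20 09:00")),                           # open, 72 h long gone
    Finding("F-002", "web-01", "critical", ts("2026-04-22 09:00"), ts("2026-04-23 10:00")),  # fixed inside 72 h
    Finding("F-003", "db-01", "high", ts("2026-04-17 08:00"), ts("2026-04-25 08:00")),       # fixed, but 8 days later
    Finding("F-004", "db-01", "high", ts("2026-04-18 12:00")),                               # due 2026-04-25 12:00
    Finding("F-005", "hv-03", "medium", ts("2026-04-01 00:00")),                             # due 2026-05-01
    Finding("F-006", "hv-03", "low", ts("2026-03-01 00:00")),                                # no published SLA
]
NOW = ts("2026-04-25 09:00")

if __name__ == "__main__":
    for state, ids in sla_report(SAMPLE, NOW).items():
        print(f"{state:14s} {', '.join(ids) or '-'}")
```

The "breached-late" bucket is the one to ask a vendor about: a finding that was closed can still be an SLA miss, and a report that only counts open findings hides it.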
Documents available under NDA
- Data Processing Addendum (UK GDPR + standard contractual clauses).
- ISMS scope statement & document register.
- Information Security Policy.
- BCDR plan with last-test evidence.
- Sub-processor list (this page's contents in PDF form).
- SOC 2 readiness gap assessment (once complete).
Email security@vitalytics.co.uk for a copy.
Compliance mappings
How our controls map to the frameworks your auditor will know:
| Vitalytics control | NIST CSF v2 | Cyber Essentials Plus |
|---|---|---|
| SSO + MFA enforcement | PR.AA-01, PR.AA-03 | User access control |
| Patch SLAs | PR.PS-02 | Security update management |
| BCDR with documented RPO/RTO | RC.RP, ID.IM-02 | n/a |
| Encryption at rest + in transit | PR.DS-01, PR.DS-02 | n/a (not one of the five Cyber Essentials controls) |
| Vulnerability management | ID.RA-01, ID.RA-08 | Security update management |
Questions about our security posture?
Email security@vitalytics.co.uk. We respond within one UK working day.