Security and compliance documentation for due diligence.
Procurement authorities and enterprise buyers require robust security and compliance credentials before agreeing to a pilot or purchase. This page provides the information your IT, legal and procurement teams need.
For additional documentation — penetration test reports, data processing agreements, security questionnaire responses — contact us directly.
Cyber Essentials Plus: In progress
ISO 27001: Roadmap 2025
GDPR Compliant: Fully compliant
UK Data Residency: All data UK-based
Platform security
Architecture and data protection
Data residency
All data stored on UK-based servers
No data transferred outside the UK or EEA
Data centre locations: London and Manchester
Redundant storage with automatic failover
Encryption
All data encrypted at rest (AES-256)
All data encrypted in transit (TLS 1.3)
Evaluation scores and tender documents encrypted at row level
Supplier submission data isolated per procurement
Access control
Role-based access control throughout
Multi-factor authentication available
Session management with automatic timeout
Full user activity logging per organisation
Infrastructure
Hosted on enterprise-grade cloud infrastructure
99.9% uptime SLA
Automated daily backups with 30-day retention
Disaster recovery with 4-hour RTO
Penetration testing
Annual penetration testing by qualified third party
Most recent test: available on request
Critical findings: zero in last assessment
Vulnerability disclosure policy in place
Incident response
Documented incident response procedure
72-hour breach notification (GDPR compliant)
Designated Data Protection contact
ICO registration confirmed
Procurement Act 2023 compliance
How HostAContract addresses every PA23 obligation
Every requirement listed below is built into the workflow — not a manual checklist.
Pipeline Notices (contracts over £2M): Automated — system prompts at correct threshold, generates and publishes to FTS
Tender Notice publication on Find a Tender: Automated — published simultaneously with portal release, no manual FTS submission
Contracts Finder publication: Automated — all above-threshold contracts published automatically
Competitive Flexible Procedure: Supported — configurable multi-stage workflows with negotiation and presentation stages
Transparency Notices (modifications, terminations): Prompted — system flags when a transparency notice is required and generates draft
Award Notice within 30 days: Automated — draft generated on award decision, published after standstill
Standstill period (8 working days): Automated — clock started, all suppliers notified, contract execution blocked until expiry
Debrief letters to unsuccessful suppliers: Generated — templated debrief letters with score breakdown, sent automatically
Social value in selection criteria: Built in — configurable social value weighting in evaluation, delivery tracking post-award
Conflict of interest declarations: Built in — evaluators declare conflicts before accessing submissions
Procurement monitoring obligations: Dashboard — portfolio view with status, deadlines and compliance flags
Document retention (7 years): Automated — all records retained with immutable audit trail, exportable on request
GDPR & data processing
Data protection by design
Lawful basis
All personal data processing is conducted on a lawful basis under UK GDPR. Processing activities are documented in our Record of Processing Activities (ROPA). Available on request.
Data subject rights
We support all data subject rights: access, rectification, erasure, restriction, portability and objection. Requests are responded to within 30 days. Contact info@esourcingdata.com.
Data processors
All sub-processors are documented, covered by an EU/UK adequacy decision, and subject to data processing agreements. Processor list available on request.
Breach notification
We have documented procedures to detect, report and investigate breaches. ICO notification within 72 hours where required. Affected individuals notified without undue delay.
Need documentation for your IT or legal team?
We provide security questionnaire responses, data processing agreements, penetration test summaries and architecture documentation on request.