Trust & Security

Compliance earns trust. So does building it in public.

PICMS protects customer data with UK data residency, AES-256 encryption, and aligned ISO 27001 controls. We use our own platform to manage our ISMS — and we're publishing the journey.

Where We Are Today (April 2026)

PICMS is aligned with ISO 27001 and Cyber Essentials controls. We are currently using our own platform to manage our ISMS, and are targeting formal Cyber Essentials certification within 8 weeks and ISO 27001 certification in 2026. Follow the journey on our blog — including the mistakes we make along the way.

Security Pillars

How we keep your compliance data safe.

UK Data Residency

All customer data lives in AWS eu-west-2 (London). Postgres, S3 objects, Supabase vectors — everything. No data leaves the UK without your explicit consent.

Encryption Everywhere

At rest: AES-256 (AWS RDS & S3 server-side encryption).
In transit: TLS 1.2+ on every connection.
Application secrets encrypted with AES-256-GCM, keyed to the platform.

Authentication & SSO

Auth0-backed identity. Supports SSO, MFA (enforced for admin users), and OIDC. Session tokens scoped to organisation with RBAC — consultants, admins, staff, auditors, viewers.

Multi-Tenant Isolation

Every query scoped to organization_id. Row-level isolation in Postgres. Cross-tenant data access is architecturally impossible — not just policy.

GDPR-Compliant

DSAR workflow, right-to-erasure tooling, audit log of every data access. DPA available on request. We are registered with the ICO (UK Data Protection).

Audit Trail

Every create, update, and delete logged with user identity, timestamp, and diff. Immutable activity timeline. Exportable for external auditors.

Backup & Recovery

Automated RDS snapshots every 24h with 30-day retention. Point-in-time recovery to any second in the last 7 days. Tested monthly via restore drill.

Vulnerability Management

Dependabot scans every push. Automatic dependency patching. Penetration test planned pre-ISO 27001 certification (Q3 2026). Responsible disclosure: security@picms.com.

Compliance Status

Radical transparency: where we are, where we're going.

Cyber Essentials (UK government-backed security certification): In Progress — Q2 2026
ISO 27001:2022, Information Security (managed using PICMS's own platform): Aligned — Certification Q4 2026
UK GDPR & DPA 2018 (ICO registered, DSAR process live): Compliant
ISO 9001, Quality (our QMS is managed in PICMS): Aligned — Certification 2026
SOC 2 Type II (for US enterprise buyers): Planned 2027

Infrastructure

The stack that runs your compliance.

Hosting: AWS ECS Fargate, Application Load Balancer, in eu-west-2 (London)
Database: PostgreSQL 15 (AWS RDS); encrypted at rest, encrypted in transit
Object Storage: AWS S3 (eu-west-2); bucket policy private, signed URLs for access
Identity Provider: Auth0; MFA enforced for admin, SSO available
AI Providers: Anthropic Claude (EU inference); data sent only when a user triggers a feature
Transactional Email: Resend; DKIM, SPF, DMARC configured
Payments: Stripe (PCI DSS Level 1); card data never touches PICMS servers

Sub-processors

Every third party with access to customer data, what they do, and where the processing happens. Notified 30 days in advance of any addition.

| Sub-processor | Purpose | Location | Data category |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, RDS, S3, ECS, ALB, SES (transactional email) | eu-west-2 (London), United Kingdom | All customer-supplied data at rest and in transit |
| Auth0 (Okta) | Authentication, identity, MFA | United States (UK addendum to EU SCCs) | User identity, email, role |
| Anthropic (Claude API) | AI analysis & content drafting (only when a user triggers an AI feature) | United States (UK addendum to EU SCCs) | User-typed messages, document excerpts, organisation context |
| OpenAI (Embeddings API) | Semantic search of customer documents | United States (UK addendum to EU SCCs) | Document text chunks (~1,000 chars per chunk) |
| Resend | Transactional email (RAMS sends, invitations, digest) | United States (UK addendum to EU SCCs) | Recipient address, subject, body, attachments |
| Stripe | Payment processing | United Kingdom / United States (PCI DSS Level 1) | Billing email, plan, invoice metadata. Card data never touches PICMS. |
| Telegram (Bot API) | Optional digest & alerts (only when a user voluntarily links their Telegram account) | Telegram global infrastructure | Chat ID, opt-in messages |

All sub-processors process customer data under signed contractual data-processing terms (UK GDPR Article 28). Data crossing the UK→US border is protected under the UK addendum to the EU Standard Contractual Clauses. The full list is also published in our Privacy Policy §5 and is referenced in our standard Data Processing Agreement.

Adding or changing a sub-processor: we notify you at least 30 days in advance via email to your account contact. If you have a contractual right to object, you may exercise it by contacting privacy@picms.com.

Quantum Readiness

Today's cryptography won't survive the quantum era. For a compliance platform holding audit evidence, signed sign-offs, and consultant IP with 5+ year retention, that matters now — an adversary can harvest encrypted data today and decrypt it later. We've already done the work to be ready.

Cryptographic Bill of Materials

No asymmetric cryptographic primitives are invoked in PICMS application code. Transport-layer TLS and identity-token verification inherit the AWS and Auth0 cryptographic stacks, which are on their own published PQC roadmaps. Full inventory at picms.com/security/cbom.

Crypto-Agile by Design

Symmetric cryptographic operations route through a single audited wrapper module — the foundation we need to migrate algorithms quickly when NIST post-quantum primitives become available in our runtime.

HMAC Integrity on Exports

Weekly portable data exports (agent memory, training, fleet learnings) carry HMAC-SHA-256 signatures and plaintext SHA-256 fingerprints in sidecar files, under a tamper-evident, verifiable, versioned scheme.
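As an added illustration (not PICMS's own code), this sketches the shape of such a sidecar scheme: a version tag selects the digest and MAC algorithms, which is what lets a single wrapper of the kind described under Crypto-Agile by Design swap primitives later, and the verifier rejects unknown versions, wrong keys and modified content. The key, export contents and field names are constructed for the example.

```python
"""Versioned HMAC sidecar for an export file (illustrative; constructed example, not PICMS code)."""
import hashlib
import hmac
import json

# Scheme version -> (plaintext digest algorithm, HMAC hash algorithm).
# Adding "v2" with new algorithms keeps old sidecars verifiable while new exports migrate.
SCHEMES = {"v1": ("sha256", "sha256")}


def make_sidecar(export_bytes: bytes, key: bytes, version: str = "v1") -> dict:
    """Build a sidecar record: plaintext fingerprint plus keyed HMAC over the export."""
    digest_alg, mac_alg = SCHEMES[version]
    fingerprint = hashlib.new(digest_alg, export_bytes).hexdigest()
    # The HMAC also covers the version tag, so swapping the tag on a sidecar is detectable.
    mac = hmac.new(key, version.encode() + b"\n" + export_bytes, mac_alg).hexdigest()
    return {"scheme": version, "sha256": fingerprint, "hmac": mac}


def verify_sidecar(export_bytes: bytes, key: bytes, sidecar: dict) -> tuple[bool, str]:
    """Return (ok, reason). Fails closed on unknown schemes, wrong keys and modified content."""
    version = sidecar.get("scheme")
    if version not in SCHEMES:
        return False, "unknown scheme version"
    digest_alg, mac_alg = SCHEMES[version]
    expected_mac = hmac.new(key, version.encode() + b"\n" + export_bytes, mac_alg).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected_mac, sidecar.get("hmac", "")):
        return False, "hmac mismatch (content modified or wrong key)"
    # The plaintext fingerprint lets a party without the key still check the file against
    # a published digest; here we confirm the sidecar's own fingerprint field is consistent.
    if hashlib.new(digest_alg, export_bytes).hexdigest() != sidecar.get("sha256"):
        return False, "fingerprint mismatch"
    return True, "ok"


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-a-real-secret"
    export = json.dumps({"agent_memory": ["note-1", "note-2"], "schema": 3}, sort_keys=True).encode()
    sidecar = make_sidecar(export, KEY)
    print(verify_sidecar(export, KEY, sidecar))            # (True, 'ok')
    print(verify_sidecar(export + b" ", KEY, sidecar))     # HMAC mismatch: one byte appended
    print(verify_sidecar(export, b"other-key", sidecar))   # HMAC mismatch: wrong key
```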

Harvest-Now-Decrypt-Later Shrink

Machine-enforced retention on long-lived data. Daily cron shrinks the hot surface area that could ever be harvested, with an auditor-friendly retention log.

Standards alignment

ISO/IEC 27001:2022: Annex A 8.24, Use of cryptography
ISO/IEC 42001:2023: A.6.2.8 and A.8.3, AI resource & data management
NIST FIPS 203 / 204: ML-KEM / ML-DSA adoption path
UK NCSC guidance: Harvest-Now-Decrypt-Later mitigation

Public Cryptographic Bill of Materials at picms.com/security/cbom — or email security@picms.com for a signed PDF copy.

Questions about our security posture?

We're happy to share our penetration test reports, DPA template, and responsible disclosure policy. Email the team directly.

security@picms.com

Frequently asked questions

Where is PICMS customer data hosted?

All customer data is hosted in AWS eu-west-2 (London, United Kingdom). PICMS is a UK company operating UK-only infrastructure. Database storage (RDS PostgreSQL), object storage (S3), AI vector embeddings (Supabase), and search indexes all reside in eu-west-2. No customer data is processed or stored outside the UK without an explicit, customer-approved transfer impact assessment.

What encryption does PICMS use?

All data is encrypted at rest with AES-256 (RDS, S3, document storage, AI embeddings). In transit, TLS 1.2+ enforced across all endpoints. Sensitive admin credentials and integration tokens use AES-256-GCM authenticated encryption with rotated keys. PICMS shipped a Post-Quantum Cryptography sprint in April 2026 introducing crypto-agile architecture, HMAC-signed S3 exports, and a published Cryptographic Bill of Materials.

Is PICMS ISO 27001 certified?

Not yet — PICMS is in active preparation for ISO 27001 certification, with a target audit window in 2026. We publish our progress transparently on the Trust page rather than claiming a status we don't hold. PICMS already operates the technical and management controls Annex A requires; the formal certification audit is the remaining step. Cyber Essentials certification is also in progress on the same timeline.

How does PICMS support UK GDPR?

PICMS is a data processor under UK GDPR when handling customer-controlled data. We provide a Data Processing Agreement (Article 28 controller-processor terms) on the data-processing page, document our sub-processors transparently, and support standard data subject rights workflows (access, rectification, erasure, restriction, portability). Customer data subject requests can be fulfilled via the data export endpoints; deletion requests are honoured within 30 days. Breach notification to the controller is within 24 hours.