v3.0

Now with AI-powered compliance, 37 modules, and industry starter packs from just £59/month.

See What's New →
Trust & Security

Compliance earns trust. So does building it in public.

PICMS protects customer data with UK data residency, AES-256 encryption, and aligned ISO 27001 controls. We use our own platform to manage our ISMS — and we're publishing the journey.

Where We Are Today (April 2026)

PICMS is aligned with ISO 27001 and Cyber Essentials controls. We are currently using our own platform to manage our ISMS, and are targeting formal Cyber Essentials certification within 8 weeks and ISO 27001 certification in 2026. Follow the journey on our blog — including the mistakes we make along the way.

Security Pillars

How we keep your compliance data safe.

UK Data Residency

All customer data lives in AWS eu-west-2 (London). Postgres, S3 objects, Supabase vectors — everything. No data leaves the UK without your explicit consent.

Encryption Everywhere

At rest: AES-256 (AWS RDS & S3 server-side encryption).
In transit: TLS 1.2+ on every connection.
Application secrets encrypted with AES-256-GCM, keyed to the platform.

Authentication & SSO

Auth0-backed identity. Supports SSO, MFA (enforced for admin users), and OIDC. Session tokens scoped to organisation with RBAC — consultants, admins, staff, auditors, viewers.

Multi-Tenant Isolation

Every query scoped to organization_id. Row-level isolation in Postgres. Cross-tenant data access is architecturally impossible — not just policy.

GDPR-Compliant

DSAR workflow, right-to-erasure tooling, audit log of every data access. DPA available on request. We are registered with the ICO (UK Data Protection).

Audit Trail

Every create, update, and delete logged with user identity, timestamp, and diff. Immutable activity timeline. Exportable for external auditors.

Backup & Recovery

Automated RDS snapshots every 24h with 30-day retention. Point-in-time recovery to any second in the last 7 days. Tested monthly via restore drill.

Vulnerability Management

Dependabot scans every push. Automatic dependency patching. Penetration test planned pre-ISO 27001 certification (Q3 2026). Responsible disclosure: security@picms.com.

Compliance Status

Radical transparency: where we are, where we're going.

Cyber EssentialsUK government-backed security certification
In Progress — Q2 2026
ISO 27001:2022 (Information Security)Managed using PICMS's own platform
Aligned — Certification Q4 2026
UK GDPR & DPA 2018ICO registered, DSAR process live
Compliant
ISO 9001 (Quality)Our QMS is managed in PICMS
Aligned — Certification 2026
SOC 2 Type IIFor US enterprise buyers
Planned 2027

Infrastructure

The stack that runs your compliance.

HostingAWS ECS Fargate, Application Load Balancer
eu-west-2 (London)
DatabaseEncrypted at rest, encrypted in transit
PostgreSQL 15 (AWS RDS)
Object StorageBucket policy: private; signed URLs for access
AWS S3 (eu-west-2)
Identity ProviderMFA enforced for admin; SSO available
Auth0
AI ProvidersData sent only when user triggers a feature
Anthropic Claude (EU inference)
Transactional EmailDKIM, SPF, DMARC configured
Resend
PaymentsCard data never touches PICMS servers
Stripe (PCI DSS Level 1)

Quantum Readiness

Today's cryptography won't survive the quantum era. For a compliance platform holding audit evidence, signed sign-offs, and consultant IP with 5+ year retention, that matters now — an adversary can harvest encrypted data today and decrypt it later. We've already done the work to be ready.

Cryptographic Bill of Materials

Every cryptographic primitive in PICMS is inventoried and classified by quantum vulnerability. Zero RSA, ECC, or ECDSA in application code — our Shor's-algorithm exposure is zero.

Crypto-Agile by Design

Every cryptographic call routes through a single wrapper. Adopting NIST's post-quantum standards (ML-KEM, ML-DSA) becomes a one-file change — not a platform rewrite.

HMAC Integrity on Exports

Weekly portable data exports (agent memory, training, fleet learnings) carry HMAC-SHA-256 signatures + plaintext SHA-256 fingerprints in sidecar files. Tamper-evident, verifiable, versioned scheme.

Harvest-Now-Decrypt-Later Shrink

Machine-enforced retention on long-lived data. Daily cron shrinks the hot surface area that could ever be harvested, with an auditor-friendly retention log.

Standards alignment

ISO/IEC 27001:2022

Annex A 8.24 — Use of cryptography

ISO/IEC 42001:2023

A.6.2.8 + A.8.3 — AI resource & data management

NIST FIPS 203 / 204

ML-KEM / ML-DSA adoption path

UK NCSC guidance

Harvest-Now-Decrypt-Later mitigation

Full quantum readiness report available to customers and auditors on request: security@picms.com

Questions about our security posture?

We're happy to share our penetration test reports, DPA template, and responsible disclosure policy. Email the team directly.

security@picms.com Start Free Trial