/ security
SECURITY & TRUST
Built for procurement teams as well as engineers.
Per-tenant tokens. GDAP-only. UK & EU data residency. The architecture is the security story. Not a compliance bolt-on.
INDEPENDENTLY VERIFIED
Third parties hold the record. Not us.
THE PILLARS
Architecture first. Compliance follows.
Each pillar below is what we'd take to a procurement review on day one.
Architecture
- Per-tenant Graph tokens, never shared between customers
- GDAP-only. We never use delegated admin
- Partner Center as the source of truth for tenant access
- UK / EU data residency, with regional isolation
Data protection
- Encrypted at rest with customer-managed keys (optional)
- Encrypted in transit (TLS 1.3, HSTS preload)
- No marketing analytics. No tracking. No cookies on this site.
- DPA on every contract
Access control
- SSO required for all customer accounts (Entra ID, Okta)
- Mandatory MFA, no exceptions
- Just-in-time admin access for our engineers
- Every action logged, attributed, and exportable
Compliance posture
- Cyber Essentials Certified
- GDPR-aligned (UK & EU)
- Microsoft Solutions Partner
- Security pack on request. See below
Vulnerability management
- Dependabot + Snyk in CI, blocking on critical CVEs
- Quarterly external pen tests, summarised in the security pack
- Bug bounty in place; report via security@northerntechhub.com
Responsible disclosure
- PGP key published
- 48h initial response SLA
- We credit researchers in the changelog (with permission)
SECURITY REPORT
Want the live procurement-grade report?
The full Aikido report covers code, dependencies, container, infrastructure, and cloud. Live findings, severity-scored, with proof. We share it on demand.
Procurement on the line?
We'll join the call. Bring your auditor.