Skip to content
/ security
SECURITY & TRUST

Built for procurement teams as well as engineers.

Per-tenant tokens. GDAP-only. UK & EU data residency. The architecture is the security story. Not a compliance bolt-on.

THE PILLARS

Architecture first. Compliance follows.

Each pillar below is what we'd take to a procurement review on day one.

Architecture

  • Per-tenant Graph tokens, never shared between customers
  • GDAP-only. We never use delegated admin
  • Partner Center as the source of truth for tenant access
  • UK / EU data residency, with regional isolation

Data protection

  • Encrypted at rest with customer-managed keys (optional)
  • Encrypted in transit (TLS 1.3, HSTS preload)
  • No marketing analytics. No tracking. No cookies on this site.
  • DPA on every contract

Access control

  • SSO required for all customer accounts (Entra ID, Okta)
  • Mandatory MFA, no exceptions
  • Just-in-time admin access for our engineers
  • Every action logged, attributed, and exportable

Compliance posture

  • Cyber Essentials Certified
  • GDPR-aligned (UK & EU)
  • Microsoft Solutions Partner
  • Security pack on request. See below

Vulnerability management

  • Dependabot + Snyk in CI, blocking on critical CVEs
  • Quarterly external pen tests, summarised in the security pack
  • Bug bounty in place; report via security@northerntechhub.com

Responsible disclosure

  • PGP key published
  • 48h initial response SLA
  • We credit researchers in the changelog (with permission)
SECURITY REPORT

Want the live procurement-grade report?

The full Aikido report covers code, dependencies, container, infrastructure, and cloud. Live findings, severity-scored, with proof. We share it on demand.

Security report front cover

Procurement on the line?

We'll join the call. Bring your auditor.