IT Security and Compliance
At Impact Reporting, safeguarding your data is more than a technical necessity – it’s a responsibility we take seriously. As a trusted partner for public sector organisations and ESG-led businesses, we operate to the highest standards of security, privacy and resilience.
From secure cloud infrastructure to certified controls and transparent governance, our platform is designed to give you confidence at every level.
We’ve built our platform with security at its core. Here’s how we protect your data:
All client data is securely stored in AWS data centres located in the UK, ensuring full compliance with UK data protection laws.
All data in transit and at rest is encrypted using industry-standard protocols.
Security is embedded into every stage of our software development process, including peer reviews, vulnerability scanning, and rigorous UAT.
Only authorised team members can access sensitive information, and all access is regularly reviewed and audited.
We undergo annual penetration testing and hold Cyber Essentials and Cyber Essentials Plus certifications (valid through December 2025).
We are fully compliant with:
UK GDPR
The Data Protection Act 2018
The Privacy and Electronic Communications Regulations (PECR)
We also align our internal policies to recognised standards including ISO 27001, OWASP, and NCSC guidance.
We’ve planned for the unexpected — so your data stays secure, even when challenges arise:
Business Continuity Plan: documented, tested, and regularly reviewed to ensure continuity in the event of disruption.
Daily encrypted backups: stored in secure UK locations and tested weekly for recoverability.
Breach response protocol: should an incident occur, we act quickly to contain, assess and notify relevant parties within 72 hours.
We use generative AI tools responsibly to improve platform functionality and summarisation. Where AI is embedded into the platform, it is clearly labelled and only uses data from publicly available sources.
We do not use client data to train AI models.
All AI usage is governed by our internal Generative AI Usage Policy, which ensures ethical and secure implementation.
Single Sign-On (SSO) available for enterprise clients
Multi-Factor Authentication (MFA) available and encouraged
Strong password policies and account lockouts enforced
Full data export capabilities — your data remains yours at all times
We regularly complete security assessments and procurement reviews for public sector clients, including:
Cyber Essentials & Cyber Essentials Plus
Third-party penetration testing (annual)
CAIQ assessments and council due diligence (e.g. Camden)
Impact Reporting is a cloud-based SaaS platform that helps organisations capture, monitor, and report their social and environmental impact. Our solution is designed for businesses working with public sector contracts, ESG reporting, and social value delivery.
Yes. We implement industry-standard security controls, including end-to-end encryption, secure development practices, vulnerability testing, and strict access management. All data is hosted in the UK using AWS infrastructure, and our IT Security Policy is aligned with GDPR and UK legislation.
Yes. We carry out both network and application-level penetration testing annually using independent third-party security experts.
Security is embedded throughout our Software Development Life Cycle (SDLC). This includes secure coding practices, peer reviews, automated vulnerability scanning, and rigorous internal User Acceptance Testing (UAT) processes.
We take data security extremely seriously. Impact is fully cloud-based and is hosted on a private AWS EU-West-2 network based in London, UK, ringfenced from the public internet with strict access controls.
The software itself has been built from the ground up with OWASP recommendations in mind and is regularly assessed for compliance by Sec-1. In addition:
Absolutely. We are fully compliant with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. Our Data Protection Officer oversees all data governance processes.
All third-party software providers must meet or exceed our internal security standards. Vendors are assessed regularly to ensure ongoing compliance.
We have a clearly defined breach response policy. If a breach occurs, we assess, contain and, where necessary, notify both the ICO and any affected clients within 72 hours. All breaches are documented and reviewed to prevent recurrence.
Yes. You have full ownership of your data. All content within the platform can be exported at any time in accessible formats like Excel or CSV.
Yes. Our Business Continuity and Disaster Recovery Plans are documented, tested, and regularly reviewed. They outline key responsibilities, recovery procedures, and communication plans in the event of an incident.
Yes. Daily encrypted backups are stored in UK-based AWS servers and retained for 30 days. These are tested weekly to ensure recoverability and reliability.
We use the Scrum framework to release regular updates that include new features, performance enhancements, and security patches. Updates are tested thoroughly, and release notes are shared with users.
Yes. We use generative AI tools (such as ChatGPT and Microsoft Copilot) to support internal development of the platform, reporting assistance, and summarisation tasks. Usage is strictly governed by our Generative AI Usage Policy to ensure data privacy and ethical compliance. Where we do use AI in the platform this is clearly labelled and is used only to access, disseminate and present information from publicly-available sources.
No. We never input personal or confidential data into AI prompts. All tools used are configured to prevent training on client content, ensuring data remains private and secure.
Only authorised team members with a genuine business need can access client data. Access is reviewed regularly and revoked immediately when no longer required.
We enforce a strong password policy, two-factor authentication, and automatic account lockouts after failed login attempts. User access is tightly controlled and audited.
Yes. Single Sign-On (SSO) is available for enterprise clients who require integrated authentication across platforms.
Yes. Multi-Factor Authentication (MFA) is available and strongly encouraged to add an additional layer of protection to user accounts.
While we are not currently ISO 27001 certified, our internal policies and security framework align closely with its principles. This includes rigorous access controls, secure development practices, incident response procedures, and regular security reviews.
Yes. We are certified under both Cyber Essentials and Cyber Essentials Plus.
These certifications confirm that our organisation meets UK government-backed security standards and is protected against a wide range of common cyber threats.
Yes. Our approach is aligned with recognised standards including ISO 27001, OWASP, and NCSC guidance.
We also regularly complete external security and due diligence assessments as part of procurement for public sector and enterprise clients.
Yes. In addition to Cyber Essentials and Cyber Essentials Plus certification, we undergo annual penetration testing and complete third-party assessments such as CAIQ and custom council questionnaires (e.g. Camden), covering software security, disaster recovery, data management and more.
Yes. Our DPO is Ed Cox. He oversees compliance with all data protection legislation and is the contact point for any privacy-related enquiries. You can reach him at ed.cox@impactreporting.co.uk.