Frequently Asked Questions
Yes. Our DPO is Ed Cox. He oversees compliance with all data protection legislation and is the contact point for any privacy-related enquiries. You can reach him at ed.cox@impactreporting.co.uk.
Yes. In addition to Cyber Essentials and Cyber Essentials Plus certification, we undergo annual penetration testing and complete third-party assessments such as CAIQ and custom council questionnaires (e.g. Camden), covering software security, disaster recovery, data management and more.
Yes. Our approach is aligned with:
- ISO 27001 principles
- NCSC Cyber Essentials scheme
- OWASP guidance for secure application development
- UK GDPR and PECR compliance
We also regularly complete external security and due diligence assessments as part of procurement for public sector and enterprise clients.
Yes. We are certified under both:
- Cyber Essentials (valid through December 2025)
- Cyber Essentials Plus (valid through December 2025)
These certifications confirm that our organisation meets UK government-backed security standards and is protected against a wide range of common cyber threats.
While we are not currently ISO 27001 certified, our internal policies and security framework align closely with its principles. This includes rigorous access controls, secure development practices, incident response procedures, and regular security reviews.
Only authorised team members with a genuine business need can access client data. Access is reviewed regularly and revoked immediately when no longer required.
Yes. Multi-Factor Authentication (MFA) is available and strongly encouraged to add an additional layer of protection to user accounts.
Yes. Single Sign-On (SSO) is available for enterprise clients who require integrated authentication across platforms.
We enforce a strong password policy, two-factor authentication, and automatic account lockouts after failed login attempts. User access is tightly controlled and audited.
No. We never input personal or confidential data into AI prompts. All tools used are configured to prevent training on client content, ensuring data remains private and secure.
Yes. We use generative AI tools (such as ChatGPT and Microsoft Copilot) to support internal development of the platform, reporting assistance, and summarisation tasks. Usage is strictly governed by our Generative AI Usage Policy to ensure data privacy and ethical compliance. Where we do use AI in the platform, this is clearly labelled and is used only to access, disseminate and present information from publicly available sources.
We use the Scrum framework to release regular updates that include new features, performance enhancements, and security patches. Updates are tested thoroughly, and release notes are shared with users.
Yes. Daily encrypted backups are stored in UK-based AWS servers and retained for 30 days. These are tested weekly to ensure recoverability and reliability.
Yes. Our Business Continuity and Disaster Recovery Plans are documented, tested, and regularly reviewed. They outline key responsibilities, recovery procedures, and communication plans in the event of an incident.
Yes. You have full ownership of your data. All content within the platform can be exported at any time in accessible formats like Excel or CSV.
We have a clearly defined breach response policy. If a breach occurs, we assess, contain and, where necessary, notify both the ICO and any affected clients within 72 hours. All breaches are documented and reviewed to prevent recurrence.
Absolutely. We are fully compliant with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. Our Data Protection Officer oversees all data governance processes.
All third-party software providers must meet or exceed our internal security standards. Vendors are assessed regularly to ensure ongoing compliance.
Security is embedded throughout our Software Development Life Cycle (SDLC). This includes secure coding practices, peer reviews, automated vulnerability scanning, and rigorous internal User Acceptance Testing (UAT) processes.
Yes. We carry out both network and application-level penetration testing annually using independent third-party security experts.
Yes. We implement industry-standard security controls, including end-to-end encryption, secure development practices, vulnerability testing, and strict access management. All data is hosted in the UK using AWS infrastructure, and our IT Security Policy is aligned with GDPR and UK legislation.
Impact Reporting is a cloud-based SaaS platform that helps organisations capture, monitor, and report their social and environmental impact. Our solution is designed for businesses working with public sector contracts, ESG reporting, and social value delivery.
Quite simply, it’s best impact practice. Using surveys in your social value reports lets you see the human stories behind your initiatives, not just the metrics.
Nope! We want to delight our customers and make it easy for you to scale your business, so we don’t charge extra for storage. In fact, we encourage you to store as much data in Impact as you can, so you always see the system as your single source of truth.
We take data security extremely seriously. Impact is fully cloud-based and is hosted on a private AWS EU-West-2 network based in London, UK, ringfenced from the public internet with strict access controls.
The software itself has been built from the ground up with OWASP recommendations in mind and is regularly assessed for compliance by Sec-1. In addition:
- ISO 27001 Compliant & HIPAA Eligible Infrastructure
- Cyber Essentials and Cyber Essentials Plus Certification (renewed annually, current until 13/12/2025)
- ICO Certified – DPA Officer
- WCAG 2.1 Certified Level A & AA.
- Qualys A HTTPS enforcement terminating on load balancers in private containers, with Impact’s Core not accessible via the public internet
In short, no, there are no hidden charges, overage or setup fees on any of our packages. We do, however, offer additional consultancy services if you need any advice or assistance that goes beyond any services provided within your package.
The majority of our customers commit to bi/annual billing since we’ve found this gives you enough time to see a noticeable difference within all areas of your organisation.
Impact can be easily configured to utilise any sustainability and social value frameworks in a matter of minutes. In addition, our own resource, MeasureUp, is already pre-populated within our software. Please note: some proprietary, sector-specific frameworks may require you to obtain a licence first to use their measures and conversions.
Impact Reporting’s tender module can be used globally and is easily aligned to support local authorities and councils across England, Wales and Northern Ireland.
We’re here to support you at every stage, be it understanding social value, figuring out where to start, or perfecting your existing practices. Our platform simplifies the journey, plus we offer tailored support, consulting, and guidance to help amplify your impact.
It’s essential you clearly outline how you plan to deliver your social value commitments year by year within the contract term. This approach allows the tendering organisation to monitor and ensure that these commitments are being met consistently throughout the contract duration. Requesting evidence of delivery helps maintain accountability and ensures that the promised social value is realised, benefiting the community as intended.
PPN 06/20 mandates that central government departments must evaluate social value with a minimum overall weighting of 10% when assessing bids. While this percentage sets a standard, you must understand that simply increasing the weighting doesn’t automatically enhance the social value you deliver. Therefore, it’s vital to find a balanced approach in setting these weightings to ensure meaningful social value outcomes.
Social Value accounts for the net societal effect of your business activities. It plays a critical role in the built environment sector by promoting sustainable development, boosting employee morale, enhancing brand reputation, and fulfilling regulatory requirements. At Impact Reporting, we believe in harnessing the power of business to drive social and environmental good.
Our cloud-based social value and sustainability measurement platform will streamline your data collection and consolidation, helping you demonstrate your social value effectively. We transform complex data into easily understandable metrics and guide you toward impactful initiatives that can be a game-changer in your procurement bids.
Examples of social value can range from creating jobs for local communities, reducing carbon footprint, promoting diversity and inclusion, supporting local businesses, and addressing societal issues such as homelessness.
The best way to showcase social value is to integrate it into your business model rather than treat it as an add-on. You can use Impact Reporting to gather, manage, and present your social value data compellingly and transparently, aligning it with your business activities.
Government policies such as the Social Value Act and PPN 06/20 have heightened the importance of demonstrating social value in public procurement. Authorities are now required to consider how these services can improve the economic, social, and environmental wellbeing of the area, making it crucial for businesses to incorporate social value in their bids.
The social value weighting within bids and tenders is an integral part of your procurement application where you detail how your organisation’s activities will contribute positively to social, economic, and environmental welfare. It’s not just about being financially attractive anymore; it’s about showcasing your commitment to broader societal benefits.
Yes, in certain situations, buyers can and do award contracts based on the additional social value suppliers provide. This depends on the law, procurement policies, and individual tender requirements.
Companies across all industries, especially in the built environment, FTSE businesses, and investment organisations, can and should incorporate social value outcomes into their procurement practices. This applies whether they are required by law or driven by purpose and commitment to create a positive social and environmental impact.
Yes, several tools and frameworks, like Impact Reporting, can help organisations measure and monitor social value outcomes. These platforms simplify the process by providing a clear and structured approach to capturing, managing, and reporting on your organisation’s social value.
Social value outcomes vary by tender but may include employing local labour, engaging with social enterprises, improving worker conditions, reducing environmental impact, supporting community projects, and providing apprenticeships and work placements, amongst others.
The specific processes may vary depending on your geographical location and local legislation. However, a universally valid principle is aligning your procurement with overarching social, environmental, and economic goals, following responsible business practices and engaging with vendors who share similar values.
You start by understanding what’s important to your organisation, your stakeholders, and the communities you serve. This will guide the areas of social value you might seek. Then, embed this into your procurement documents – specify the desired social value outcomes in the contractual requirements.
Social value as defined through the Public Services (Social Value) Act (2013) refers to the wider benefits to society that can be achieved when purchasing goods, services, or works. When applied to procurement, it’s about achieving maximum value for every pound spent, not just economically but also socially and environmentally.
According to the UK Government’s Guide to Using the Social Value Model, “the huge power of public money spent through public procurement every year in the UK must support government priorities, to boost growth and productivity, help our communities recover from the COVID-19 pandemic, and tackle climate change. There should be a clear ‘golden thread’ from these priorities to the development of strategies and business cases for programmes and projects, through to procurement specifications and the assessment of quality when awarding contracts.”
No, impact investing and ESG (Environmental, Social, Governance), while they are related to one another, are different concepts. ESG serves as a set of guiding criteria to evaluate risks and operational performance in investment decisions. In contrast, impact investing is when private equity funds are focused on generating specific, beneficial impacts in addition to financial returns.
While both impact investing and venture capital can target emerging businesses, impact investing is when investors specifically seek companies with the potential for both financial and non-financial returns. In contrast, traditional venture capital focuses primarily on financial growth and returns.
In private equity, impact is defined by the tangible social or environmental benefits generated by an investment, which are intentional and measurable and contribute to addressing global challenges.
Private equity and venture capital managers are well-placed to drive change in business. By working closely with management and supporting a business with capital, expertise and networks, investors have demonstrated that they can drive improved growth and profitability for companies of every size and stage across a very wide range of sectors and geographies.
As an influx of funds surges into impact investment, private equity investors who adopt impact management and measurement strategies are more likely to see better success in their financial, social, and environmental outcomes.
Investors choose impact investing to align their portfolios with their values, aiming to contribute to societal and environmental improvements while seeking financial returns. Impact investing can be worth it for investors wishing to achieve financial return and positive impact.
Pros include:
- Contributing to positive social or environmental change
- Tapping into emerging markets and innovations
- Potentially achieving competitive financial returns
Cons involve the potential for higher due diligence costs, lower immediate returns compared to traditional investments, and challenges in measuring impact using traditional frameworks.
Examples of businesses that would be a great investment with social or environmental benefits could include:
- An ethical chocolate start-up dedicated to creating a product entirely free from the slave trade at every stage of the supply chain.
- A skincare range whose products are sustainable in every way, and whose strategy centres on building up the local community.
- An eye-care clinic that, for every pair of glasses sold, donates a pair of lenses to schools in developing countries with children who need help to see.
In private equity, impact investing targets companies that not only promise financial returns but also demonstrate potential for significant social or environmental impacts. Private equity investors may actively engage with these companies to enhance their impact outcomes alongside financial performance.
The Global Impact Investing Network (GIIN) defines impact investing by four core characteristics: intentionality, investment with return expectations, range of return expectations and asset classes, and impact measurement. These characteristics ensure that investments intentionally contribute to measurable social or environmental outcomes alongside financial returns.
Not to be confused with charity or social enterprises, “impact investing” directs capital to enterprises that generate social or environmental benefits as well as a financial return.
The “Social” component of ESG focuses on the company’s relationships and its reputation within society. It evaluates how a company manages relationships with employees, suppliers, customers, and communities. Here are key social metrics often considered within the ESG framework:
- Employee engagement and diversity: This includes assessing workforce diversity, inclusion policies, employee engagement, and satisfaction levels. Companies with strong diversity and positive workplace cultures are seen as more sustainable and socially responsible.
- Human rights and labour standards: This involves ensuring that the company and its supply chains respect human rights and labour standards, including child labour, forced labour, fair wages, and workers’ rights.
- Community relations: Evaluating how a company interacts with the communities in which it operates, including community engagement, investment, and development programs, and whether the company engages in charitable giving and volunteering.
- Customer Satisfaction: This considers how the company treats its customers, the quality and safety of its products, and its data protection and privacy policies.
- Health and safety: Assessing the health and safety measures in place for employees, including occupational health policies, safety training, and records of workplace accidents and incidents.
- Product liability: Evaluating the company’s responsibility towards ensuring the safety and integrity of its products, including adherence to quality standards, product recalls, and liability for product defects.
- Data protection and privacy: Assessing how the company protects customer and employee data, complies with data protection laws, and its history of data breaches or violations.
When you use these metrics to gauge your social responsibility, you contribute to long-term value creation.
The most commonly used frameworks for ESG reporting include the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), and the Task Force on Climate-related Financial Disclosures (TCFD). Each framework offers guidelines and standards for reporting on specific ESG issues relevant to different industries.
Sustainability reporting requirements vary by jurisdiction and industry. While some countries or stock exchanges may mandate sustainability reporting for listed companies, it is still optional. However, there is a growing trend towards voluntary disclosure and transparency in sustainability practices, especially within the UK and the EU.
- Corporate Social Responsibility (CSR): Refers to a company’s voluntary initiatives to operate in an economically, socially, and environmentally sustainable way. It often involves philanthropic activities, ethical labour practices, and environmental stewardship.
- Social value: Encompasses the broader societal impacts generated by an organisation’s activities, products, and services. Beyond CSR, it includes measurable outcomes and benefits for stakeholders and communities.
- Sustainability reporting: Focuses on a company’s overall sustainability performance, including environmental, social, and economic aspects. It typically covers a broader range of topics beyond ESG criteria.
- ESG reporting: Specifically focuses on Environmental, Social, and Governance criteria used to evaluate a company’s sustainability and ethical practices. It may be a subset of sustainability reporting, emphasising these specific areas.
No, ESG is focused on managing risk and compliance, whereas social value encompasses broader societal impacts and aims to create additional value beyond risk mitigation.
ESG is important because:
- It helps investors identify well-managed and sustainable companies, reducing investment risks and promoting long-term value creation.
- It encourages companies to adopt responsible business practices, leading to positive societal and environmental impacts.
- It enhances transparency, accountability, and trust between companies and their stakeholders.
ESG stands for Environmental, Social, and Governance.
- Environmental: This refers to an organisation’s impact on the planet, including factors like carbon emissions, resource usage, and environmental conservation efforts.
- Social: This pertains to an organisation’s impact on people, encompassing its interactions with employees, customers, communities, and broader societal welfare.
- Governance: This concerns how an organisation is governed and managed, focusing on aspects like transparency, ethics, and accountability.
ESG takes a holistic view of sustainability, recognising that it extends beyond just environmental concerns to include social and governance factors.

