Trust, Security & Compliance
WYRM Sentinel is built for procurement teams operating under UK government, CBAM, OFAC, OFSI, and EU compliance regimes. This page sets out the current certification status, data-handling commitments, and documentation available to buyers conducting vendor due diligence.
Sentinel is currently in pre-launch. Certification status reflects real programme progress; items marked On Roadmap are scheduled for completion before general availability.
Security Certifications
Standards & Attestations
Certification roadmap aligned to UK public-sector and enterprise procurement requirements.
SOC 2 Type II
Independent attestation against the AICPA Trust Services Criteria for security, availability, confidentiality, processing integrity, and privacy. Programme commencing Q3 2026; report available under NDA from Q2 2027.
ISO/IEC 27001
Information Security Management System certification to the international standard. Scoping and gap analysis in progress; Stage 1 audit scheduled Q4 2026.
Cyber Essentials Plus (UK)
UK government-backed scheme verifying defence against common cyber threats. Required for many UK public-sector contracts. Assessment scheduled Q3 2026.
NHS DSPT
Data Security and Protection Toolkit — required for any engagement involving NHS or health-adjacent procurement. Submission planned after Cyber Essentials Plus.
Data Protection
GDPR, UK DPA 2018 & Residency
Data residency
Customer data is stored in the United Kingdom by default, with the option of EU residency on Enterprise tier. UK-only residency is available for public-sector and regulated-industry buyers. No customer data is stored or processed outside the declared region.
Encryption
TLS 1.3 in transit. AES-256 at rest across all databases, object storage, and backups. Key rotation every 90 days; keys managed via cloud provider KMS with per-tenant isolation on Enterprise tier.
GDPR & UK DPA 2018
WYRM Sentinel is registered with the UK Information Commissioner's Office (ICO registration pending publication). A Data Processing Agreement (Article 28 GDPR) is available for download on request and applied to every Enterprise contract by default.
Sub-processors
A full sub-processor list is published on request, covering hosting (UK region), email delivery, error monitoring, and AI model providers. Notification of sub-processor changes follows GDPR Article 28(2) requirements.
Audit log retention
Procurement decision logs are retained immutably for seven years by default (aligned with UK Companies Act and HMRC retention requirements), extendable on Enterprise contracts. Logs are append-only and cryptographically verifiable.
Breach notification
Notification commitment of 48 hours from confirmed incident identification, with a 72-hour statutory notification to ICO where applicable under Article 33 GDPR. Incident response procedures documented and tested.
Buyer Documentation
Due Diligence & Security Questionnaires
Documentation available to procurement, legal, and security teams during vendor evaluation.
| Document | Availability |
|---|---|
| Data Processing Agreement (Article 28 GDPR) | Available on request; applied by default on Enterprise contracts. |
| Sub-processor list | Published on request. Change notifications per GDPR Article 28(2). |
| Security questionnaire (CAIQ, SIG Lite) | Completed on request during vendor evaluation. |
| Penetration test summary | Available under NDA from Q3 2026. |
| SOC 2 Type II report | Available under NDA from Q2 2027. |
| Professional indemnity & cyber liability insurance | Certificate of currency available on request for contracts above £100k. |
| UK public-sector frameworks (G-Cloud, DASA) | G-Cloud listing in preparation for CCS lot application. |
Accessibility
WCAG 2.2 AA
WYRM Sentinel targets WCAG 2.2 AA conformance across the marketing site and dashboard, as required for UK public-sector buyers under the Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018. An accessibility statement will be published on general availability. Interim issues can be reported to accessibility@wyrm.ai.
Company
Registered Entity
- Trading name: WYRM Sentinel
- Companies House: Registration pending — to be published on incorporation
- VAT number: To be published on VAT registration
- ICO registration: Pending publication
- Registered office: United Kingdom — full address published on incorporation
- Contact: hello@wyrm.ai
For vendor onboarding, security reviews, or to request documentation under NDA, contact trust@wyrm.ai. For privacy enquiries, see the privacy notice.