Trust, Security & Compliance
WYRM is built for organisations operating under UK government, CBAM, OFAC, OFSI, EU, and adjacent compliance regimes across its seven modules — the flagship engineering products MEP and Data, plus the Procure, Ledger, Cyber and Legal add-ons and the standalone Healthcare line. WYRM Healthcare additionally operates under the NHS clinical-safety regime (DCB0129 v1 Safety Case, DSPT v8 CAF-aligned, DTAC v2, WORM audit retention to NHS 25-year policy). This page sets out the current certification status, data-handling commitments, and documentation available to buyers conducting vendor due diligence.
WYRM modules are in early access — the platform is live and direct signup is open. Formal third-party security certifications are in progress; items marked On Roadmap below have a target completion date and reflect real programme commitments, not aspirations.
Security Certifications
Standards & Attestations
Certification roadmap aligned to UK public-sector and enterprise procurement requirements.
SOC 2 Type II
Independent attestation against the AICPA Trust Services Criteria for security, availability, confidentiality, processing integrity, and privacy. Programme commencing Q3 2026; report available under NDA from Q2 2027.
ISO/IEC 27001
Information Security Management System certification to the international standard. Scoping and gap analysis in progress; Stage 1 audit scheduled Q4 2026.
Cyber Essentials Plus (UK)
UK government-backed scheme verifying defence against common cyber threats. Required for many UK public-sector contracts. Assessment scheduled Q3 2026.
NHS DSPT
Data Security and Protection Toolkit — required for WYRM Healthcare engagements and any cross-module NHS or health-adjacent procurement. Interim v8 submission tracked into the WYRM Healthcare Phase H1 plan; CAF-audited DSPT scheduled for the WYRM Healthcare scale gate (~24 mo).
DCB0129 Clinical Safety Case (WYRM Healthcare)
Clinical-risk management standard for any software used in NHS clinical workflows. v1 Safety Case drafted as part of the WYRM Compass Phase H1 plan, signed by a recruited Clinical Safety Officer ahead of the first NHS pilot. Required before any clinician interaction in production.
Data Protection
GDPR, UK DPA 2018 & Residency
Data residency
Customer data is stored in the United Kingdom by default, with the option of EU residency on Enterprise tier. UK-only residency is available for public-sector and regulated-industry buyers. No customer data is stored or processed outside the declared region.
Encryption
TLS 1.3 in transit. AES-256 at rest across all databases, object storage, and backups. Key rotation every 90 days; keys managed via cloud provider KMS with per-tenant isolation on Enterprise tier.
GDPR & UK DPA 2018
WYRM is registered with the UK Information Commissioner's Office (ICO registration pending publication). A Data Processing Agreement (Article 28 GDPR) is available for download on request and applied to every Enterprise contract by default — covering all seven modules. WYRM Healthcare engagements additionally carry a per-tenant DPIA, a DCB0129 clinical-safety case, and a no-retention LLM contract for any AI inference touching patient data.
Sub-processors
A full sub-processor list is published on request, covering hosting (UK region), email delivery, error monitoring, and AI model providers. Notification of sub-processor changes follows GDPR Article 28(2) requirements.
Audit log retention
Procurement decision logs are retained immutably for seven years by default (aligned with UK Companies Act and HMRC retention requirements), extendable on Enterprise contracts. Logs are append-only and cryptographically verifiable.
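The commitment above (append-only, cryptographically verifiable decision logs) can be checked by a buyer without trusting the vendor's storage layer. The following is an added illustration of one common way such a property is achieved, a SHA-256 hash chain; it is not WYRM's implementation and says nothing about how WYRM's logs are actually built. The decision records are constructed sample data. It also shows the caveat a reviewer should raise: a hash chain on its own detects edits and reordering but not truncation of the newest entries, so the current head hash must be anchored somewhere the log's operator cannot rewrite.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # fixed anchor that the first entry links back to


def _canonical(obj) -> bytes:
    # Canonical JSON so an identical record always produces an identical hash
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, record: Dict) -> str:
    # Each entry commits to its position, its predecessor's hash and its content
    return hashlib.sha256(
        _canonical({"seq": seq, "prev_hash": prev_hash, "record": record})
    ).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> Dict:
    seq = len(log)
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"seq": seq, "prev_hash": prev_hash, "record": record,
             "hash": entry_hash(seq, prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int, str]:
    """Walk the chain from genesis. Returns (ok, index, reason).

    On failure, index is the first entry that does not verify. On success it is
    the number of entries checked. expected_head is a head hash the verifier
    recorded out of band earlier; supplying it is what catches truncation.
    """
    prev_hash = GENESIS_HASH
    for i, e in enumerate(log):
        if e["seq"] != i:
            return False, i, "sequence gap or reorder"
        if e["prev_hash"] != prev_hash:
            return False, i, "broken link to previous entry"
        if entry_hash(i, prev_hash, e["record"]) != e["hash"]:
            return False, i, "entry content does not match its hash"
        prev_hash = e["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log), "head hash does not match externally anchored value"
    return True, len(log), "ok"


# Constructed sample procurement decisions (hypothetical values, not WYRM data)
SAMPLE_DECISIONS = [
    {"tender": "T-0001", "action": "shortlist", "supplier": "Acme Ltd",
     "user": "buyer1", "ts": "2026-01-10T09:00:00Z"},
    {"tender": "T-0001", "action": "award", "supplier": "Acme Ltd",
     "user": "buyer2", "ts": "2026-01-12T14:30:00Z"},
    {"tender": "T-0002", "action": "reject", "supplier": "Globex plc",
     "user": "buyer1", "ts": "2026-01-13T08:05:00Z"},
]


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for record in SAMPLE_DECISIONS:
        append_entry(log, record)
    return log


def tamper_record(log: List[Dict], seq: int, field: str, value) -> List[Dict]:
    # Simulate an after-the-fact edit of one stored record without re-hashing
    tampered = copy.deepcopy(log)
    tampered[seq]["record"][field] = value
    return tampered


def truncate_log(log: List[Dict], keep: int) -> List[Dict]:
    # Simulate silently dropping the newest entries
    return copy.deepcopy(log[:keep])


if __name__ == "__main__":
    log = build_sample_log()
    anchored_head = log[-1]["hash"]  # buyer records this out of band
    print("intact:", verify_chain(log))
    print("edited:", verify_chain(tamper_record(log, 1, "supplier", "Initech Ltd")))
    print("truncated, no anchor:", verify_chain(truncate_log(log, 2)))
    print("truncated, anchored:", verify_chain(truncate_log(log, 2), anchored_head))
```

For due diligence the useful questions are therefore whether the vendor publishes the chain's current head hash to a location outside its own control (a buyer-held record, a transparency log, or WORM storage) and on what schedule, since that is what turns "append-only" from a database setting into a property the buyer can verify.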
Breach notification
Notification commitment of 48 hours from confirmed incident identification, with a 72-hour statutory notification to the ICO where applicable under Article 33 GDPR. Incident response procedures are documented and tested.
Buyer Documentation
Due Diligence & Security Questionnaires
Documentation available to procurement, legal, and security teams during vendor evaluation.
| Document | Availability |
|---|---|
| Data Processing Agreement (Article 28 GDPR) | Available on request; applied by default on Enterprise contracts. |
| Sub-processor list | Published on request. Change notifications per GDPR Article 28(2). |
| Security questionnaire (CAIQ, SIG Lite) | Completed on request during vendor evaluation. |
| Penetration test summary | Available under NDA from Q3 2026. |
| SOC 2 Type II report | Available under NDA from Q2 2027. |
| Professional indemnity & cyber liability insurance | Certificate of currency available on request for contracts above £100k. |
| UK public-sector frameworks (G-Cloud, DASA) | G-Cloud listing in preparation for CCS lot application. |
Accessibility
WCAG 2.2 AA
WYRM targets WCAG 2.2 AA conformance across the marketing site and every module dashboard, as required for UK public-sector buyers under the Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018. An accessibility statement will be published on general availability. Interim issues can be reported to info@wyrm.ai.
Company
Registered Entity
- Registered entity: DRAVEK Holdings Ltd
- Trading name: WYRM
- Companies House: 17192223
- VAT number: To be published on VAT registration
- ICO registration: Pending publication
- Registered office: United Kingdom — full address available on request
- Contact: info@wyrm.ai
For vendor onboarding, security reviews, or to request documentation under NDA, contact info@wyrm.ai. For privacy enquiries, see the privacy notice.