Skip to Content
CONTACT US
CONTACT US

Trust Center

Commitment to Security and Privacy

At Dataweavers, security and privacy are foundational to how we design and deliver our Platform. We work with organisations in regulated and compliance-sensitive industries, where protection of data, operational resilience, and demonstrable governance are essential requirements.

Our operating model is deliberately designed to minimise risk and maximise customer visibility. Dataweavers’ default deployment model is within each customer’s own Microsoft Azure tenancy. All core compute, storage, networking, and customer data remain under the direct ownership, governance, and security boundary of the customer environment. This architecture ensures that customers retain sovereignty over their infrastructure, data residency, and compliance posture at all times.

Dataweavers maintains certification under ISO/IEC 27001, covering our Information Security Management System, operational processes, and platform delivery model. Our ISMS establishes a structured framework for risk management, access control, change governance, incident response, business continuity, and continuous improvement. Independent external audits provide assurance that these controls are designed and operating effectively.

By combining ISO 27001-certified operational controls with Microsoft Azure’s independently certified infrastructure, Dataweavers delivers a security model aligned with international best practice standards. Azure’s compliance attestations, including SOC 2, ISO 27018, and IRAP, extend to the underlying infrastructure within each customer tenancy. Together, this model provides enterprise-grade assurance across both operational and infrastructure layers.

This document provides an overview of our governance framework, compliance alignment, data protection commitments, and operational security controls

Our Deployment Model

Security by Architecture

Security at Dataweavers is embedded in architectural design. Our Platform is deployed within each customer’s own Microsoft Azure tenancy by default.

Customer-Tennant Deployment

All core compute, storage, networking, and data processing components are provisioned directly within the customer’s Azure subscription. This ensures:

  • Customer ownership of infrastructure resources

  • Direct visibility into security posture

  • Control over selected Azure regions and data residency

  • Alignment with existing enterprise identity

Customer production data remains within the customer’s Azure environment.

Compliance Inheritance from Microsoft Azure

Because deployments occur within the customer’s Azure tenancy, they benefit from Microsoft Azure’s independently audited compliance framework, including:

  • SOC 2

  • ISO/IEC 27018 (protection of personal data in cloud environments)

  • IRAP (where applicable by region)

These infrastructure certifications apply at the Azure platform level. Dataweavers’ ISO 27001-certified operational controls apply to the services and platform components we manage within that environment.

Architectural Risk Reduction

This deployment model reduces systemic risk by:

  • Avoiding co-mingled multi-tenant production data

  • Enabling customer-specific isolation at the infrastructure level

  • Supporting regulated industry requirements for data sovereignty

  • Allowing customers to align their own governance and policy standards

Security is therefore enforced both at the infrastructure layer through Azure and at the operational layer through Dataweavers’ ISO 27001-certified controls.

Data Protection

Dataweavers’ legal and operational framework is designed to ensure clear allocation of responsibility, protection of customer data, and transparency in how information is handled.

Data Ownership and Roles

Customer data remains the property of the Customer at all times.

When processing personal data on behalf of a Customer, Dataweavers acts as a Data Processor. The Customer acts as the Data Controller and determines the purposes and means of processing.

Dataweavers processes customer data solely for the purpose of providing the Platform and associated support and operational services, and strictly in accordance with documented customer instructions, the applicable Agreement, and the Data Processing Addendum.

Dataweavers does not sell, rent, or use customer data for independent commercial purposes.

Data Processing Addendum

Dataweavers maintains a Data Processing Addendum that forms part of the contractual framework with Customers.

The DPA defines:

    • Controller and Processor responsibilities
    • Lawful processing commitments
    • Technical and organisational security measures
    • Confidentiality obligations
    • Subprocessor governance and transparency
    • Assistance with data subject rights
    • Security incident notification obligations
    • Cross-border transfer safeguards, including Standard Contractual Clauses where applicable
    • Data return or secure deletion upon termination

The DPA ensures alignment with applicable data protection legislation, including the UK GDPR and EU GDPR where applicable.

Data Storage and Residency

Customer production environments are deployed within the Customer’s selected Microsoft Azure region. Data created and processed within the Platform remains within the Customer’s Azure tenancy.

Customers determine the geographic region in which their data is stored. Dataweavers does not replicate or transfer customer production data outside of the configured environment unless directed by the Customer.

Data Access Controls

Access to customer environments is restricted to authorised Dataweavers personnel based on role and business need.

Access is governed through:

    • Role-based access control
    • Privileged access management
    • Multi-factor authentication
    • Logged and traceable administrative activity
    • Formal access approval workflows

To deploy, operate, and support the Platform within the Customer’s Azure tenancy, Customers grant Dataweavers controlled service principal and contributor access to the hosting subscription.

Access to customer data is limited to operational support, incident response, monitoring, and support delivery activities in accordance with contractual obligations.

Data Retention and Deletion

Customer data stored within production environments remains under the Customer’s control.

Upon termination or expiration of services:

    • The Platform components are removed from the hosting subscription where applicable.
    • Customer data remains within the Customer’s Azure tenancy.
    • Where Dataweavers holds copies of customer data in accordance with the Agreement, such data will be securely returned or deleted within agreed timeframes, subject to legal or regulatory retention obligations.

Retention of operational records, including support tickets and audit logs, is managed in accordance with Dataweavers’ documented retention policies.

Subprocessors

Dataweavers engages selected third-party providers to support delivery of the Platform. These providers act as subprocessors and are contractually bound to appropriate data protection, confidentiality, and security obligations.

Key subprocessors include:

    • Microsoft Azure – Cloud infrastructure provider
    • Cloudflare – Content delivery and security services where applicable
    • Zendesk – Service management and support ticketing

Subprocessor engagement and governance are managed in accordance with the Data Processing Addendum.

Security Operations

Dataweavers operates the Platform within a structured security operations framework designed to ensure controlled change, continuous monitoring, and timely incident response.

Continuous Monitoring

Production environments are continuously monitored to detect availability issues, security events, and policy deviations.

Monitoring includes:

    • Automated alerting for infrastructure and application anomalies
    • Centralised logging and audit traceability
    • Security event analysis and escalation workflows
    • Monitoring aligned to Service Level commitments

Alerts are triaged and escalated in accordance with documented incident response procedures.

Incident Management

Dataweavers maintains a formal Incident Management process with defined severity classifications and escalation procedures.

Critical incidents are prioritised for immediate investigation and customer notification in accordance with agreed service levels. Customers receive regular updates during major incidents until service restoration.

Following resolution of a major incident, a Post-Incident Report is provided, including root cause analysis and corrective actions, typically within five business days.

Security Incident Response

Where a confirmed Security Incident affects Customer Data, Dataweavers will notify the Customer without undue delay and in accordance with contractual and regulatory obligations.

Notifications will include, where applicable:

    • Nature of the incident
    • Categories of data affected
    • Known or suspected impact
    • Mitigation actions taken
    • Contact details for further information

Dataweavers will take reasonable steps to contain, remediate, and prevent recurrence of confirmed security incidents and will provide reasonable assistance to Customers where required under applicable data protection laws.

Change Governance

All production changes are governed through a formal change management framework, including impact assessment, defined rollback procedures, approval workflows, and audit traceability.

Emergency changes are documented and reviewed in accordance with internal governance controls.

Platform & Infrastructure Security

Dataweavers applies layered technical controls across infrastructure, application, and operational domains to protect customer environments deployed within Microsoft Azure.

Infrastructure Security

Customer environments are deployed within Microsoft Azure using secure configuration baselines and environment isolation.

Infrastructure security controls include:

    • Network segmentation and controlled access pathways
    • Role-based access controls and privileged access governance
    • Integration with Azure-native security services
    • Web application firewall, DDoS and BoT protections where applicable
    • Environment-level isolation between customers

Security configurations are applied in accordance with documented deployment standards and operational governance processes.

Application Security

Application components deployed within the Platform follow secure development and deployment practices.

Controls include:

    • Peer-reviewed pull request workflows for code changes
    • Segregated development, staging, and production environments
    • Controlled deployment pipelines
    • Security-focused configuration management
    • Ongoing patching of supported platform components

Security considerations are embedded throughout the development and release lifecycle.

Vulnerability & Patch Management

Dataweavers maintains a structured vulnerability management process to identify, assess, and remediate security risks.

This includes:

    • Monitoring for newly disclosed vulnerabilities affecting supported components
    • Prioritised remediation based on severity and risk
    • Deployment of critical security updates within defined timeframes
    • Change control governance for all remediation activities

Where vulnerabilities impact third-party components, vendor advisories are reviewed and addressed as part of standard operational processes.

Audit Logging & Traceability

Customer environments maintain audit logging and traceability across administrative and operational activities.

Logging practices include:

    • Centralised log collection and retention (per client tenant) in accordance with policy
    • Administrative action logging
    • Change traceability through ticketing systems
    • Log review processes to support incident investigation and compliance reporting

Audit logs support both operational monitoring and compliance assurance requirements.

Encryption & Data Protection Controls

Data transmitted to and from customer environments is encrypted in transit using industry-standard encryption protocols.

Data stored within customer environments benefits from encryption at rest through Azure-native encryption capabilities.

Encryption keys are managed using Azure key management services and aligned to customer governance policies.

Governance & Risk Management

Dataweavers maintains a formal governance framework aligned to ISO/IEC 27001 to ensure security controls remain effective, risks are managed appropriately, and operational processes are continuously improved.

Risk Management

Amet pellentesque nunc ante fringilla vel odio. Magnis viverra at id commodo.

Security risks are identified, assessed, and treated through a structured risk management process.

This includes:

    • Periodic risk assessments
    • Evaluation of emerging threats and vulnerabilities
    • Defined risk treatment plans
    • Management oversight and review

Risks are prioritised based on impact and likelihood, with mitigation actions tracked through defined governance processes.

Change Management

All production changes are governed by a documented change management framework.

Controls include:

    • Impact and risk assessment prior to implementation
    • Defined rollback procedures
    • Peer review for code changes
    • Management approval for high-risk changes
    • Customer notification where required
    • Audit traceability through ticketing systems

Emergency changes are documented and reviewed to ensure accountability and continuous improvement.

Supplier & Third-Party Risk

Third-party providers are subject to due diligence and contractual security obligations. Subprocessor engagement is governed in accordance with the Data Processing Addendum.

Continuous Improvement

Security controls, policies, and operational procedures are reviewed on a regular basis to ensure continued effectiveness and alignment with regulatory and customer requirements.

Post-incident reviews, audit findings, and risk assessments inform ongoing improvements to the control environment.

Identity & Access Security

Dataweavers applies strict identity and access controls to ensure that access to customer environments and operational systems is appropriately restricted and governed.

Role-Based Access Control

Access to systems and customer environments is granted on a role-based, least-privilege basis. Permissions are assigned according to defined job responsibilities and operational requirements.

Access is provisioned only where required to support deployment, operation, or support of the Platform.

Privileged Access Management

Privileged access to environments is tightly controlled and limited to authorised personnel.

Controls include:

    • Approval workflows prior to granting access
    • Role-based segregation of duties
    • Logging and traceability of administrative activity

Privileged activities are subject to monitoring and review in accordance with internal security policies.

Multi-Factor Authentication

Multi-factor authentication is enforced for administrative access to operational systems and customer environments. Access to internal systems is integrated with secure identity management controls.

Access Review & Revocation

Access rights are reviewed periodically and adjusted based on role changes or operational requirements.

Corporate & Organizational Security

Dataweavers maintains organisational security controls aligned to ISO/IEC 27001 to protect customer environments, operational systems, and sensitive information.

Personnel Security

Pre-employment background screening is conducted in accordance with applicable legal requirements.

All employees and contractors are bound by confidentiality obligations and are required to comply with Dataweavers’ information security policies.

Access to customer environments is limited to authorised personnel with a defined operational requirement.

Security Awareness & Training

Security and data protection training is mandatory during employee onboarding and is refreshed annually.

Training covers:

    • Information security responsibilities
    • Secure handling of customer data
    • Phishing and social engineering awareness
    • Incident identification and reporting procedures

Ongoing awareness initiatives reinforce secure operational practices.

Internal Security Policies

Dataweavers maintains documented security policies governing:

    • Access control
    • Acceptable use
    • Information classification and handling
    • Incident response
    • Change management
    • Supplier governance

Policies are reviewed periodically and updated to reflect evolving risks and regulatory requirements.

Endpoint & Device Security

Access to operational systems is restricted to managed devices protected by:

    • Endpoint protection controls
    • Anti-malware solutions
    • Disk encryption
    • Secure authentication mechanisms

Administrative access to production environments is permitted only from secured and managed devices.

Asset Management

Dataweavers maintains an inventory of corporate assets used in the delivery and support of the Platform.

Assets are managed throughout their lifecycle, including secure provisioning, maintenance, and decommissioning.

Transparency & Assurance

Dataweavers is committed to transparency in how we manage security, privacy, and operational governance.

Certification & Documentation

Management System and operational controls.

Certification documentation and related compliance artefacts may be made available to customers under appropriate confidentiality arrangements.

Our legal and contractual framework is publicly accessible and includes:

    • Terms of Service
    • Data Processing Addendum
    • Service Level Agreement
    • Hosting Services Module
    • Platform Module
    • Service Catalogue

These documents define our security, data protection, operational, and service commitments.

Customer Assurance & Audit Support

Dataweavers supports customer due diligence and security assessments in accordance with contractual obligations.

We provide:

    • Security questionnaires and compliance responses
    • Supporting documentation where appropriate
    • Evidence of control operation under confidentiality
    • Cooperation during customer audit processes as defined in the applicable agreement

Our governance framework is designed to support regulated industry review requirements.

Responsible Disclosure

Dataweavers encourages responsible disclosure of potential security vulnerabilities.

Reports of suspected vulnerabilities are reviewed and investigated in accordance with our documented security incident management procedures.

Ongoing Commitment

Security and privacy are continuous commitments.

Dataweavers reviews and improves its security controls through:

    • Risk assessments
    • Incident analysis
    • Independent audit cycles
    • Policy reviews
    • Operational governance processes

Our objective is to provide a transparent, resilient, and defensible security posture aligned with the expectations of enterprise and regulated sector customers.