# Pilot procurement evidence
This is not production security evidence, not a signed Data Processing Agreement, and not Cyber Essentials certified. It is a structured index of current prototype evidence and known launch blockers.
The trust centre, security questionnaire, DPA/DPIA notes, and procurement pack describe current posture and launch blockers. Buyer policy should confirm whether current controls satisfy pilot requirements.
## Buyer decision summary
Suitable for controlled pilot procurement review, not production procurement approval. The pack is a review-room index for current evidence, named buyer owners, and production blockers.
It carries the UK social-landlord buyer scope while limiting Awaab's Law legal-scope wording to the England social rented sector.
Security questionnaire material is suitable for controlled pilot security review, not production security approval. The DPA/DPIA material is a technical annex for customer legal and DPO review, not a signed DPA.
## Review owners and open decisions
| Owner | Open decision | Current evidence |
|---|---|---|
| customer legal/DPO owner | confirm Article 28 terms, DPIA, lawful basis, privacy information, retention and deletion/return instructions, and transfer assessment. | docs/dpa-dpia-technical-annex.md and /data-processing-and-cookies. |
| security owner | confirm security questionnaire, Cyber Essentials path, NCSC mapping, vulnerability management, identity controls, and audit evidence. | docs/security-questionnaire-readiness.md and /trust-centre. |
| operations owner | confirm incident rota, monitored security contact, backup/restore evidence, restore-test evidence, and support escalation path. | docs/security-contact-intake-draft.md, docs/security-incident-response-draft.md, and docs/backup-restore-dr-draft.md. |
## Artifact index
| Artifact | Path | Current status | Not yet evidence of |
|---|---|---|---|
| Security Questionnaire Readiness | docs/security-questionnaire-readiness.md | Structured buyer-questionnaire answers with evidence links and gaps. | Completed security questionnaire, signed DPA, certification, or pen test. |
| Security Procurement Baseline | docs/security-procurement-baseline.md | Prototype access-control and tenant-isolation evidence. | Production SSO, MFA, pen test, immutable audit log, or signed bundle. |
| DPA DPIA Technical Annex | docs/dpa-dpia-technical-annex.md | Technical input for customer legal and privacy review. | Signed Article 28 terms, completed DPIA, or legal-approved DPA. |
| Dependency Security Checks | docs/dependency-security-checks.md | Local direct-dependency notes and follow-up controls. | Isolated build audit, vulnerability scan, lockfile, or CI security gate. |
| Security Incident Response Draft | docs/security-incident-response-draft.md | Draft intake, triage, breach-assessment, and preservation workflow. | Live security contact, breach-notification SLA, or tabletop evidence. |
| Security Contact Intake Draft | docs/security-contact-intake-draft.md | Draft contact placeholder, vulnerability-disclosure, and incident metadata. | Live monitored contact, security.txt, vulnerability programme, or SLA. |
| Backup Restore DR Draft | docs/backup-restore-dr-draft.md | Draft RPO/RTO, restore-test, and backup evidence requirements. | Approved production backup system, restore-test evidence, or DR SLA. |
| Trust Centre | docs/trust-centre.md | Procurement posture, official references, and launch gates. | Certification, approved subprocessors, backup/DR evidence, or incident SLA. |
## Next evidence required before production
- Customer-approved DPA and DPIA support pack.
- Approved subprocessor schedule and data-residency evidence.
- Cyber Essentials or buyer-approved equivalent evidence.
- Dependency audit in an isolated project environment.
- Backup, restore, incident-response, and key-management evidence.