Can we use this for a controlled pilot review now?
Yes, for design-partner evaluation or a controlled pilot using agreed data boundaries; not for broad production rollout or live statutory-clock reliance.
Current Status
DPA/DPIA
Technical annex exists; formal DPA and DPIA approval are not complete.
Technical annex exists; formal DPA and DPIA approval are not complete.
Cyber Essentials
Awaab EvidenceOS is not yet Cyber Essentials certified.
Awaab EvidenceOS is not yet Cyber Essentials certified.
Subprocessors
No production subprocessors have been appointed.
No production subprocessors have been appointed.
Buyer questions this page answers
What controls are implemented today?
Current code supports role-bound operator keys, organisation allowlisting, single-use proof links, manual retention preview and deletion runs, JSON audit export, redaction stale-source checks, and prototype restore-probe evidence.
What remains a blocker before production?
production SSO, MFA, SCIM, password policy, and persistent user directory; monitored security contact and approved incident rota; encrypted production storage and backups; customer-approved DPA/DPIA; certification evidence; and a signed or immutable evidence bundle.
Prototype Controls
- Operator endpoints fail closed when a data store is configured without credentials.
- API keys can be role-bound with organisation allowlisting for prototype operation.
- Proof-link submissions are HMAC-signed, expiry-checked, and single-use when persisted.
- Retention controls expose manual retention preview and deletion runs with audit events for eligible inactive cases.
- JSON audit export is available to auditor/admin roles for organisation-scoped review windows.
- Redactions use source-hash stale checks and audit events that avoid original raw values.
- Evidence packs include statutory citations, source registers, custody steps, source hashes where available, and pack hashes.
Production Launch Gates
- Customer-approved Article 28 processor terms and DPIA support pack.
- Approved subprocessor schedule and data-residency evidence.
- Cyber Essentials or buyer-approved equivalent evidence.
- NCSC Cloud Security Principles mapping.
- Production identity, MFA, key management, encrypted storage, backups, restore tests, and incident-response evidence.
Incident Response
Security incident-response draft exists at docs/security-incident-response-draft.md. It is not a live breach-notification SLA, and no security contact, tabletop evidence, or production incident rota has been approved.
Security contact and incident-intake draft exists at docs/security-contact-intake-draft.md. It is a placeholder only, not a live monitored security contact, and not a vulnerability disclosure programme.
Backup and Restore
Backup and restore draft exists at docs/backup-restore-dr-draft.md. It is not restore-test evidence. No approved production backup system, customer RPO, or customer RTO exists yet.