ThisBeforeThat Security - Frequently Asked Questions
How do SocialOptic keep my data secure?
Handling your data securely is our top priority. We make significant and continual investments in security, both in terms of our technical infrastructure, and also in our skills and knowledge. SocialOptic is certified to ISO/IEC 27001:2022, the globally recognised standard for information security. We also hold ISO 9001:2015 certification, ensuring that our processes are robust and continually monitored and improved.
Where is data stored?
For our UK customers, all data is held within the UK — in Microsoft Azure's UK regions (UK South and UK West) — across multiple data centres for resilience. Our ThisBeforeThat Enterprise Edition provides options for maintaining data within the EU, US, Canada or Australia.
The geographically dispersed data centres comply with industry standards including ISO/IEC 27001:2022 and NIST SP 800-53 for security and reliability. There is a layered approach to physical security: all data centres have extensive layers of protection, including access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data centre floor. Fences, video monitoring and security patrols protect the external perimeter. Inside, movement is controlled by two-factor authentication with biometric controls.
How is ThisBeforeThat data secured?
Data is encrypted in transit and at rest. That means all data is secured between users’ browsers and our servers using TLS (Transport Layer Security, the successor technology to SSL) and while stored on servers (encryption at rest). There is a wide range of technical measures used to secure data, including multiple firewall technologies, intrusion prevention and intrusion detection measures, and real-time monitoring and alerting, supported by both manual and automated scanning. These controls are internally audited and also checked by an external auditor to ensure we are continuously providing the highest levels of security.
ThisBeforeThat processes dependency-mapping and prioritisation data — relationships, options, priority decisions and collaboration notes — plus account details.
How is ThisBeforeThat developed securely?
Security is built into how we develop ThisBeforeThat, following a secure-by-design approach aligned with the NCSC Cloud Security Principles and the NIST Secure Software Development Framework (SSDF, SP 800-218). Every change is peer-reviewed through pull requests on protected branches before it is released. Our continuous integration pipelines run automated test suites and type checking, and gate any build that does not pass. We use automated dependency scanning (software composition analysis) with managed updates to catch known vulnerabilities in third-party components, alongside static application security testing (SAST) and secret scanning, so issues are found and fixed early.
Will I be notified if there is a breach?
SocialOptic has a full incident management process. In line with both UK GDPR and EU GDPR, you will receive notification within 72 hours of us becoming aware of a breach. We have processes in place to ensure that we meet this requirement, should it ever arise, and our internal SLA is to notify within 24 hours wherever possible. We also maintain a published Responsible Vulnerability Disclosure Policy.
Is ThisBeforeThat backed up and resilient?
ThisBeforeThat is built for resilience. Customer data is held in the UK with regular backups and multi-site failover — a primary UK data centre, live mirroring to a secondary UK data centre, and a tertiary UK stand-by for disaster recovery. We target a service availability of 99.99%.
Does ThisBeforeThat make me GDPR compliant?
No product can make you GDPR compliant, as compliance is a process, not a purchase, in much the same way that no guitar manufacturer can promise that buying their guitar will make you a successful rock guitarist. However, ThisBeforeThat provides all of the tools that you need to meet the requirements of GDPR (both UK GDPR and EU GDPR) as well as a range of other data regulations, and we are continually reviewing and expanding the features available. This includes responding to data subject access requests, the right to erasure, records of processing and a range of other features that will greatly reduce the effort of becoming, and remaining, compliant with current and future requirements.
Do you provide a Data Processing Agreement and a list of sub-processors?
For the personal data you put into ThisBeforeThat, you are the data controller and SocialOptic acts as your data processor. We provide a Data Processing Agreement (DPA) that meets the requirements of UK GDPR Article 28 as part of contracting. Where data is transferred outside the UK for Enterprise customers, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
Our core infrastructure is provided by Microsoft Azure in the UK. We maintain a current list of the sub-processors we use to deliver ThisBeforeThat — with each one’s purpose and location — and we notify customers of changes. You can request our DPA and sub-processor list via the SocialOptic Trust Hub.
Security Certification
SocialOptic holds a Whole Organisation Cyber Essentials Plus certification and publishes a CAF-aligned NHS Data Security and Protection Toolkit assessment (Organisation ID Z7I7E) that consistently rates “Standards Exceeded” against the UK National Data Guardian’s 10 data security standards. This means our security is externally tested and audited. SocialOptic is registered with the ICO in the UK - ZA092349.
Is ThisBeforeThat suitable for UK government, NHS and public-sector use?
Yes. ThisBeforeThat is designed and operated in line with the NCSC Cloud Security Principles, and is suitable for information classified at OFFICIAL (including OFFICIAL-SENSITIVE handling). Our security framework is aligned with the NCSC Cyber Assessment Framework (CAF): we maintain a CAF supplier security assessment on Risk Ledger, and our CAF-aligned NHS DSPT, ISO/IEC 27001:2022 and Cyber Essentials Plus certifications underpin that alignment. We can provide a mapping of our controls to the CAF objectives — including A4 (Supply Chain) — to support your own GovAssure or local-government CAF assessment.
Is ThisBeforeThat accessible?
Accessibility is built in: the ThisBeforeThat interface is designed and tested to meet the Web Content Accessibility Guidelines (WCAG) 2.2 at Level AA, the standard required of UK public-sector services.
Trust Hub
If you would like specific details of our certifications, you can request these via the SocialOptic Trust Hub.
If you are an Enterprise user of Risk Ledger, you can connect to our risk assessment.
Last reviewed: June 2026.