Security & compliance. Honestly documented.
ISO 27001 + 27701 ISMS established 2026-05-26. Stage 1 audit targeted Q3/Q4 2026; certificate target Q1–Q2 2027. EU data residency (AWS eu-west-1 / Dublin). Full evidence binder available to customers under NDA.
The honest timeline.
We don’t claim to be certified. We’re running a credible ISMS now and are on track for certification audits in the next 12–18 months. Below is the roadmap, the work already done, and what comes next.
ISMS established
2026-05-26. 22 policies, 13 procedures, ROPA, SoA covering all 93 Annex A controls, risk register with 30 risks tracked + treated.
Internal audit
Q2–Q3 2026. Independent internal audit against ISO 27001:2022 + ISO 27701:2019. Findings remediated; second-line review.
Stage 1 external audit
Targeted Q3/Q4 2026. Documentation review by certification body. Confirms ISMS readiness for Stage 2.
Stage 2 + certificate
Targeted Q1–Q2 2027. On-site operational audit. Certificate issued for 3-year cycle; surveillance audits annually.
What our sub-processors already hold.
Until we’re certified ourselves, the strongest security signal is who we depend on — and what they’ve attested to. Their reports are referenced in our ISMS sub-processor schedule.
AWS (compute, storage, DB)
ISO 27001, 27017, 27018, SOC 1/2/3, PCI DSS Level 1, C5, ENS High. Customer agreement under EU SCC + DPA.
Stripe (payments)
PCI DSS Level 1, SOC 1/2 Type 2, ISO 27001. Stripe Connect handles all card data; we never store PANs.
OpenAI (AI inference)
SOC 2 Type 2; EU API with no-training flag enabled. Used for AI invoice extraction + RAG search.
SES + SNS + SQS
Inherits AWS attestations. Used for transactional email + queue infrastructure.
Dublin. Just Dublin.
Postgres (Aurora)
eu-west-1. Multi-AZ. Encrypted at rest (KMS), in transit (TLS 1.2+). PITR + nightly snapshots.
Object storage (S3)
eu-west-1. SSE-S3 + SSE-KMS for sensitive buckets. Versioning + lifecycle to Glacier.
Cache (Redis)
ElastiCache eu-west-1. In-transit encryption. Used for sessions + BullMQ.
Backups
All backups stay in eu-west-1. No cross-region replication. Retention per ISMS schedule.
Privacy engineered, not bolted on.
ROPA (Controller + Processor)
Records of Processing Activities maintained per Article 30 GDPR. Covers customer data, staff data, partner data. Available on request.
DPA
EU-compliant Data Processing Agreement with sub-processor list, SCCs, security schedule, Transfer Risk Assessments. Signed at onboarding.
DPO
Designated Data Protection Officer. Contact: dpo@inntally.com. Responds to DSARs within 30 days.
DPIAs
Data Protection Impact Assessments completed for AI invoice processing, staff biometric clock-in, customer marketing. Reviewed annually.
The day-to-day operational posture.
Encryption
TLS 1.2+ in transit. AES-256 at rest (KMS). HSTS + secure cookies. Argon2id password hashing.
Authentication
Password + 2FA (TOTP, SMS optional). SSO (SAML 2.0 / OIDC) + SCIM on Custom Rollout.
Tenant isolation
Multi-tenant via Sequelize hooks; client_id enforced at the model layer; cross-tenant queries impossible by construction.
Append-only audit
Postgres triggers block UPDATE/DELETE on legal_agreements + acceptances. Integrity-guaranteed evidence chain.
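The append-only pattern described above, written out as an added example (not Inntally's own schema or migrations). The table layout, column names and the application role app_rw are assumptions for illustration; the trigger mechanics are standard PostgreSQL.

```sql
-- Added example: make a table append-only with BEFORE triggers, as described
-- for legal_agreements and acceptances. Columns and role names are assumed.

CREATE TABLE IF NOT EXISTS legal_agreements (
    id          bigserial   PRIMARY KEY,
    client_id   bigint      NOT NULL,          -- tenant scope (assumed column)
    version     text        NOT NULL,
    body_sha256 text        NOT NULL,          -- hash of the agreement text
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- One guard function serves any number of tables; TG_TABLE_NAME and TG_OP
-- identify which table and which operation was attempted.
CREATE OR REPLACE FUNCTION reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'table % is append-only: % not permitted',
        TG_TABLE_NAME, TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- BEFORE row triggers abort the statement before any row is changed, so the
-- transaction rolls back and the evidence row is untouched.
CREATE TRIGGER legal_agreements_append_only
    BEFORE UPDATE OR DELETE ON legal_agreements
    FOR EACH ROW EXECUTE FUNCTION reject_mutation();

-- Row-level UPDATE/DELETE triggers do not fire for TRUNCATE; block it too.
CREATE TRIGGER legal_agreements_no_truncate
    BEFORE TRUNCATE ON legal_agreements
    FOR EACH STATEMENT EXECUTE FUNCTION reject_mutation();

-- Keep both triggers firing even when a session sets
-- session_replication_role = 'replica', which disables ordinary triggers.
ALTER TABLE legal_agreements ENABLE ALWAYS TRIGGER legal_agreements_append_only;
ALTER TABLE legal_agreements ENABLE ALWAYS TRIGGER legal_agreements_no_truncate;

-- Defence in depth: the application role (assumed name app_rw) should not own
-- the table, so it cannot drop the triggers, and should not hold the
-- privileges the triggers are guarding against in the first place.
REVOKE UPDATE, DELETE, TRUNCATE ON legal_agreements FROM app_rw;
GRANT  SELECT, INSERT ON legal_agreements TO app_rw;

-- Check: appending still works; a mutation now raises the exception from
-- reject_mutation() and the statement is rolled back.
INSERT INTO legal_agreements (client_id, version, body_sha256)
VALUES (1, '2026-05', repeat('0', 64));
-- UPDATE legal_agreements SET version = 'tampered' WHERE id = 1;  -- rejected
-- DELETE FROM legal_agreements WHERE id = 1;                       -- rejected
```

The same reject_mutation() function can be attached to the acceptances table with two more CREATE TRIGGER statements. The trigger alone only guards against application-level mutation: a superuser or the table owner can still drop it, which is why ownership and privilege separation (the REVOKE/GRANT above) are what make the evidence chain hold, and why the trigger definitions themselves belong in version-controlled migrations that the ISMS change-management procedure covers.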
Monitoring + alerting
CloudWatch logs + metrics. WAFv2 in front of CloudFront. PagerDuty on critical alerts; 24x7 on-call.
Vulnerability management
Snyk + npm audit on every PR. SBOM published. CVE triage SLA: critical ≤ 24 hrs, high ≤ 7 days.
Backups + DR
Aurora PITR (35 days), nightly S3 snapshots. RPO ≤ 15 min for DB, ≤ 24 hrs for object storage. RTO ≤ 4 hrs.
Pen testing
Annual external penetration test (next scheduled Q4 2026). Findings tracked in risk register; remediation evidenced.
How to report, how we respond.
Security disclosures
Email security@inntally.com. PGP key on request. Reports acknowledged within 24 hours.
Customer notification
Affected customers notified within 72 hours of confirmed breach — aligned with GDPR Articles 33 + 34.
Authority notification
Irish DPC notified within 72 hours where applicable. DPO leads liaison.
Coordinated disclosure
Standard 90-day coordinated disclosure. Credit given to researchers (with consent).
What you get when you ask.
Under a one-page NDA, customers receive the full evidence binder — the same package an auditor would. Lives in inntally_backend/compliance/iso27001/07_evidence-binder/ and is regenerated for each request.
Scope & context
ISMS scope statement, organisational chart, interested-parties register.
Policies (22)
Information security policy + 21 supporting policies. Reviewed annually.
Statement of Applicability
SoA covering all 93 Annex A controls (ISO 27001:2022) + extension controls (ISO 27701).
Risk register
30 risks identified, assessed, treated. Treatment plans + owners.
ROPA
Records of Processing Activities — Controller part + Processor part. Sub-processor list.
Procedures (13)
Access management, incident response, change management, backup, supplier review, etc.
Records
Training, internal audit findings, management review minutes, asset register.
Customer-facing summary
26-page PDF binder for procurement teams. Public version (no confidential controls detail).
The right inbox for the right question.
Security disclosures
security@inntally.com — vulnerability reports, incident notifications, pen test coordination.
Data protection
dpo@inntally.com — DSARs, DPIAs, sub-processor questions, GDPR queries.
Privacy team
privacy@inntally.com — marketing preferences, opt-outs, general privacy queries.
Legal
legal@inntally.com — contracts, MSA, DPA, NDA, custom terms.
The questions procurement teams ask.
Are you actually ISO 27001 certified?
Where is the data?
Sub-processors?
Transfer mechanisms (US sub-processors)?
How do you handle DSARs?
Pen test reports?
SLA on uptime?
What happens to data on cancellation?
Request the binder. Send it to your CISO.
Under a one-page NDA, you get the full ISMS evidence package. Saves you 3 weeks of back-and-forth.