Security & compliance. Honestly documented.
Certified to ISO/IEC 27001:2022 + ISO/IEC 27701. ISMS established 2026-05-26 and operating across the platform. EU data residency (AWS eu-west-1 / Dublin). Full evidence binder available to customers under NDA.
The honest timeline.
We ran the ISMS before we ever booked an audit. Below is the journey behind the certificate, in the order it actually happened — the same evidence trail we show customers under NDA.
ISMS established
2026-05-26. 22 policies, 13 procedures, ROPA, SoA covering all 93 Annex A controls, risk register with 30 risks tracked + treated.
Internal audit
Independent internal audit against ISO 27001:2022 + ISO 27701. Findings remediated; second-line review completed.
Stage 1 external audit
Documentation review by the certification body. ISMS confirmed ready for the operational audit.
Stage 2 + certificate
On-site operational audit passed. Certified to ISO/IEC 27001:2022 + ISO/IEC 27701 on a 3-year cycle; surveillance audits annually.
What our sub-processors already hold.
Our own certification is only part of the picture — the platform also stands on audited sub-processors. Their reports are referenced in our ISMS sub-processor schedule.
AWS (compute, storage, DB)
ISO 27001, 27017, 27018, SOC 1/2/3, PCI DSS Level 1, C5, ENS High. Customer agreement under EU SCC + DPA.
Stripe (payments)
PCI DSS Level 1, SOC 1/2 Type 2, ISO 27001. Stripe Connect handles all card data; we never store PANs.
OpenAI (AI features)
SOC 2 Type 2; EU endpoints with the no-training flag enabled for all customer data.
Email & messaging (AWS)
Transactional email and notifications delivered via AWS services; inherits the AWS attestations above.
Dublin. Just Dublin.
Application data
Stored and processed in AWS Dublin (eu-west-1), highly available across availability zones, encrypted at rest and in transit.
Documents & files
Same region, encrypted, versioned, with long-term archival handled inside the EU.
Backups
All backups stay in eu-west-1. No cross-region replication, ever. Retention per ISMS schedule.
Privacy engineered, not bolted on.
ROPA (Controller + Processor)
Records of Processing Activities maintained per Article 30 GDPR. Covers customer data, staff data, partner data. Available on request.
DPA
EU-compliant Data Processing Agreement with sub-processor list, SCCs, security schedule, Transfer Risk Assessments. Signed at onboarding.
DPO
Designated Data Protection Officer. Contact: dpo@inntally.com. Responds to DSARs within 30 days.
DPIAs
Data Protection Impact Assessments completed for AI invoice processing, staff biometric clock-in, customer marketing. Reviewed annually.
The day-to-day operational posture.
The commitments, at a glance. Implementation detail is deliberately not published here — it lives in the evidence binder, shared with customers under NDA.
Encryption everywhere
All data encrypted in transit and at rest, with managed key rotation and modern credential hashing.
Strong authentication
Two-factor authentication as standard. Enterprise SSO and automated user provisioning on Custom Rollout.
Tenant isolation
Strict multi-tenant isolation enforced in the platform core. Cross-tenant access is blocked by design and continuously tested.
Tamper-evident records
Legal agreements and acceptances are held in an append-only, integrity-guaranteed evidence chain.
Monitoring + alerting
Centralised logging and metrics, a managed web application firewall at the edge, and 24x7 on-call for critical alerts.
Vulnerability management
Automated dependency and code scanning on every change. CVE triage SLA: critical ≤ 24 hrs, high ≤ 7 days.
Backups + DR
Continuous point-in-time recovery plus daily snapshots, tested restores. RPO ≤ 15 min, RTO ≤ 4 hrs.
Pen testing
Annual external penetration testing by an independent firm. Findings tracked in the risk register; remediation evidenced.
How to report, how we respond.
Security disclosures
Email security@inntally.com. PGP key on request. Reports acknowledged within 24 hours.
Customer notification
Affected customers notified within 72 hours of confirmed breach — aligned with GDPR Article 33 + 34.
Authority notification
Irish DPC notified within 72 hours where applicable. DPO leads liaison.
Coordinated disclosure
Standard 90-day coordinated disclosure. Credit given to researchers (with consent).
What you get when you ask.
Under a one-page NDA, customers receive the full evidence binder — the same package an auditor would. Regenerated for each request so it always reflects the current ISMS.
Scope & context
ISMS scope statement, organisational chart, interested-parties register.
Policies (22)
Information security policy + 21 supporting policies. Reviewed annually.
Statement of Applicability
SoA covering all 93 Annex A controls (ISO 27001:2022) + extension controls (ISO 27701).
Risk register
30 risks identified, assessed, treated. Treatment plans + owners.
ROPA
Records of Processing Activities — Controller part + Processor part. Sub-processor list.
Procedures (13)
Access management, incident response, change management, backup, supplier review, etc.
Records
Training, internal audit findings, management review minutes, asset register.
Customer-facing summary
26-page PDF binder for procurement teams. Public version (no confidential controls detail).
The right inbox for the right question.
Security disclosures
security@inntally.com — vulnerability reports, incident notifications, pen test coordination.
Data protection
dpo@inntally.com — DSARs, DPIAs, sub-processor questions, GDPR queries.
Privacy team
privacy@inntally.com — marketing preferences, opt-outs, general privacy queries.
Legal
legal@inntally.com — contracts, MSA, DPA, NDA, custom terms.
The questions procurement teams ask.
Are you actually ISO 27001 certified?
Where is the data?
Sub-processors?
Transfer mechanisms (US sub-processors)?
How do you handle DSARs?
Pen test reports?
SLA on uptime?
What happens to data on cancellation?
Request the binder. Send it to your CISO.
Under a one-page NDA, you get the full ISMS evidence package. Saves you 3 weeks of back-and-forth.