Trust & Security Centre

Procurement-ready evidence for HR, IT and Security teams.

One page covering our security controls, privacy posture, hosting, AI governance, and certifications — so you can clear vendor review without a dozen email threads.

ISO 27001
Certified
SOC 2 Type II
Audited
UK & EU GDPR
Compliant
Uptime
99.95% SLA
Overview

Built for the data on your most sensitive table — your people.

Rockface processes employee, candidate, performance and compensation data on behalf of our customers. We treat that data with the controls and contractual posture an enterprise HR, IT or Security team would build themselves: defence in depth, least privilege, regional residency, and contractual transparency from sign-up to deletion.

  • We are the processor; you remain controller of all workforce data.
  • Customer data is never used to train shared or general-purpose AI models.
  • Region-pinned hosting in EU, UK, US and APAC.
  • SSO, SCIM, audit log streaming and customer-managed keys on Enterprise.
Privacy

GDPR & UK GDPR posture

Our data protection programme is built to satisfy UK GDPR, EU GDPR and the UK Data Protection Act 2018. Full detail is in our Privacy Notice and DPA.

  • Standard DPA with UK IDTA and EU SCCs (Module 2) included by default.
  • Records of Processing Activities (ROPA) maintained and shareable on request.
  • DPIA template provided to customers for their own AI risk assessment.
  • Named Data Protection Officer; published contact at rockface@rockface.biz.
  • Data subject request workflow with 30-day turnaround support to controllers.
  • Sub-processor list with 30-day change notification (see /legal/subprocessors).
Defence in depth

Security controls

  • ISO 27001-aligned ISMS with annual external audit.
  • Annual independent penetration test; remediation tracked to closure.
  • Continuous vulnerability scanning across infra and dependencies.
  • Mandatory secure-coding and privacy training for every engineer, annually.
  • Background checks and confidentiality agreements for all staff with production access.
  • Hardened build pipeline with signed artefacts and SBOM generation.
  • Web application firewall, DDoS protection and bot mitigation at the edge.
  • Secrets managed via cloud KMS; no production credentials on laptops.
In transit & at rest

Encryption

Layer                      Standard
In transit (public)        TLS 1.3, HSTS, modern cipher suites only
In transit (internal)      mTLS between services
At rest (database)         AES-256 with rotated cloud KMS keys
At rest (object storage)   AES-256, server-side encrypted
Customer-managed keys      Available on Enterprise (BYOK via cloud KMS)
Key rotation               Automatic, 90-day default
Least privilege

Identity & access control

  • Role-based access control with custom roles on Enterprise.
  • SCIM 2.0 user provisioning and de-provisioning.
  • Just-in-time, time-bound production access for staff with full audit trail.
  • MFA enforced on all employee accounts and admin consoles.
  • Customer admins can enforce MFA, session length and IP allow-lists.
  • Separation of duties between development, infra and customer support.
Enterprise identity

SSO & SAML

Single sign-on is included on Enterprise — not gated as an add-on. We support any SAML 2.0 identity provider including Okta, Microsoft Entra ID (Azure AD), OneLogin, Ping and Google Workspace.

  • SAML 2.0 SSO with IdP-initiated and SP-initiated flows.
  • OpenID Connect (OIDC) supported alongside SAML.
  • SCIM 2.0 for automated provisioning and group-to-role mapping.
  • Domain capture so all users on your domain route through SSO.
  • Optional enforcement: block password sign-in for SSO domains.
Tamper-evident

Audit logs

  • Immutable audit log of every admin and end-user action.
  • Includes actor, action, target, IP, user agent and timestamp.
  • 13-month retention by default; extendable on Enterprise.
  • Streamable to your SIEM via webhook, S3 or Splunk HEC.
  • Export to CSV/JSON from the admin console.
  • AI feature usage and model outputs logged for explainability reviews.
Region pinning

Hosting & data residency

  • EU: Frankfurt, Ireland. Default for EU/UK customers.
  • UK: London. Available on Enterprise.
  • US: N. Virginia, Oregon. For US-headquartered customers.
  • APAC: Sydney, Singapore. For APAC-headquartered customers.

Customer data — including backups and AI feature outputs — is pinned to the region you select at provisioning. Cross-region access by our staff requires customer authorisation and is logged.

You stay in control

Data retention & deletion

Data class                 Retention
Active workforce records   For the duration of your subscription
After subscription ends    Returned or deleted within 30 days
Candidate records          Customer-configurable; default 24 months from last activity
Audit logs                 13 months (extendable)
Backups                    35-day rolling, encrypted

Per-record and bulk deletion are available via the admin console and API. Deletions cascade through derived AI outputs within 30 days.

Resilience

Backups & disaster recovery

  • Encrypted backups taken continuously (point-in-time recovery, 35-day window).
  • Backups stored in a separate availability zone within your region.
  • RPO ≤ 5 minutes; RTO ≤ 4 hours for full-region failover.
  • DR exercises run twice a year with documented results available under NDA.
  • 99.95% uptime SLA on Enterprise; status page with public incident history.
Transparent & fast

Incident response

  • 24/7 on-call security and SRE rotation.
  • Documented IR plan aligned to NIST SP 800-61 and ISO 27035.
  • Personal data breach notification to controllers without undue delay (within 72 hours).
  • Status page with real-time incident updates and post-mortems.
  • Annual tabletop exercises covering ransomware, account takeover and supply-chain scenarios.
Responsible by design

AI governance

  • Customer data is NOT used to train shared or general-purpose models.
  • Per-tenant model isolation — outputs are never blended across customers.
  • Explainability for every production model: top contributing factors per output.
  • Adverse-impact testing across protected characteristics, where lawful.
  • Customer can disable any AI feature; derived outputs deleted within 30 days.
  • Aligned with the EU AI Act high-risk obligations and the UK ICO AI guidance.
  • Custom AI policies on Enterprise: control which features run, on what data, for which roles.
Evidence

Certifications & roadmap

  • ISO 27001: Certified · Annual surveillance audit
  • SOC 2 Type II: Audited · Report available under NDA
  • UK GDPR / EU GDPR: Compliant · DPA with SCCs + UK IDTA
  • Cyber Essentials Plus: Certified · UK NCSC scheme
  • ISO 27701 (PIMS): Roadmap, 2026 · Privacy information management
  • ISO 42001 (AI MS): Roadmap, 2026 · AI management system
  • HIPAA BAA: On request · For US healthcare customers
  • TX-RAMP / StateRAMP: Roadmap, 2027 · US public sector

Reports and questionnaires (SOC 2, ISO 27001 SoA, CAIQ, SIG Lite) are available under mutual NDA. Email rockface@rockface.biz with your due-diligence (DD) pack.

One click away

Documents & resources