Security & compliance
Built for organisations the country depends on.
SignetAssure handles some of the most sensitive data an organisation holds — personnel records, clearances, access. We treat it accordingly, by design and by default.
Foundations
Defence-grade by design.
UK sovereign hosting
Data hosted in UK regions on infrastructure suited to HMG and CNI workloads. Residency configurable, not aspirational.
Encryption everywhere
At rest with managed keys, in transit with TLS. Documents encrypted per-tenant — no shared blob stores.
SSO & MFA
M365 / Entra ID OAuth2 for dev and test. LDAP-AD for production. Enforced MFA, session controls and IP allow-listing.
Role-based access
Six roles out of the box, each scoped to least privilege. Field-level edit permissions and approval queues for sensitive changes.
Signed audit trail
Every action time-stamped and tamper-evident. System-wide event log, searchable and exportable for DSO assurance.
Secure development
Security review, dependency scanning and penetration testing in the release path. Findings tracked, fixes timed.
UKSV alignment
Native to BPSS, CTC, SC, DV and eDV.
First-class clearance levels
BPSS, CTC, SC, DV and eDV are modelled as proper clearance types — not generic case categories. Renewal logic, parent/child links, NSV submissions and external clearance tracking all work the way UKSV expects.
Vetting officer workflow
Approve, reject, withdraw, link renewals, track external clearances and own the case. The platform supports the role; it doesn’t try to replace it.
UK GDPR & DPA 2018
Lawful basis tracked at field level. Data minimisation, retention rules and subject-rights workflows built in — not bolted on.
Cyber Essentials & ISO 27001 posture
Built and operated to recognised UK security baselines, with the controls and evidence to support enterprise procurement.
Need-to-know by default
Self-service that respects the security model.
Individuals see only their own
MyInfo exposes a person’s own clearances, pass status, vehicles, parking and travel — and nothing else.
Roles see only what they need
Vetting officers see vetting. Security supervisors see access. Comms managers see groups. Separation of duties is the default.
Field-level edit control
Edit permissions are scoped per field, not just per screen. Sensitive fields route through change requests.
Per-person audit
Every change to a record, with actor, timestamp and reason where required. A clean answer to “who did what?”
Area-owner approvals
Access requests for owned areas route to the area owner. Decisions are logged, not whispered.
Change-request approvals
Photo updates and other sensitive changes require sign-off. No silent edits to identity-bearing fields.
Due diligence pack