IndiVillage

Security & Procurement

Every procurement artefact your team needs. In one place.

SOC 2, ISO 27001, HIPAA with BAA, GDPR, B Corp. DPA, MSA, SIG Lite, CAIQ pre-filled. 48-hour response SLA on vendor questionnaires. Fast-lane procurement is a commercial choice, not an afterthought.

Certifications

Independent audits. Current attestations.

Every certification below is current, independently audited, and documented. Report copies are delivered under mutual NDA on request.

SOC 2 Type II

Report available under NDA

Annual Type II audit covering security, availability, confidentiality. Report delivered on request under mutual NDA; vendor security questionnaires reference the report's control matrix.

ISO 27001

Certified

Information security management system certified to ISO/IEC 27001. Annual surveillance audits. Statement of Applicability available on request.

HIPAA-aligned

BAA on request

PHI-handling workflows with access controls, audit logging, de-identification options, and BAA ready for signature before any data transfer.

GDPR

Compliant

Data Processing Agreement templated and ready. Standard Contractual Clauses for EU-to-India transfers. DPO contact on file. Subject-access-request workflow documented.

B Corp certified

Since 2019

B Lab certified B Corporation. Workforce, governance, environment, and community scored independently. Re-certified every three years.

ISO 9001

Certified

Quality management system certified to ISO 9001. Procedural backbone of the 98.7% accuracy standard.

Procurement pack

Ready on request. Delivered within 48 hours.

Request any artefact via the procurement contact form. A security or commercial lead routes the request inside one business day; delivery SLAs below.

  • Data Processing Agreement (DPA)

    GDPR-compliant DPA with Standard Contractual Clauses for EU-to-India transfers. Pre-signed by IndiVillage.

    On request
  • Master Services Agreement (MSA)

    Standard IndiVillage MSA. Red-line friendly. Typical negotiation cycle: 5-10 business days.

    On request
  • Business Associate Agreement (BAA)

    HIPAA BAA ready for signature. Required before any PHI transfer. Delivered inside 24 hours.

    On request
  • Security questionnaire (SIG Lite)

    Pre-filled SIG Lite questionnaire. Covers 100+ standard security controls.

    On request
  • CAIQ (Cloud Controls Matrix)

    Pre-filled CAIQ for customers evaluating us against the Cloud Security Alliance Cloud Controls Matrix.

    On request
  • ISO 27001 Statement of Applicability

    Control applicability matrix for customers running deep-dive vendor assessments.

    On request

Procurement questions

What procurement teams ask.

How quickly can you return a security questionnaire?
48 hours for standard SIG Lite or CAIQ. Custom questionnaires with over 200 items typically close in 5 business days.
Can PHI / regulated data leave the UK / EU?
Workflows are configurable. UK/EU-only processing is available on request; default delivery uses UK/EU-to-India Standard Contractual Clauses. Healthcare customers typically use de-identified workflows for training data with identified data held in-region.
What is your data-retention policy?
Customer-defined, written into the SOW. Default is 90 days post-project-close, zero retention on request. Secure deletion certificates provided.
Do you sub-process to third parties?
All data work is delivered by IndiVillage employees in IndiVillage-operated centres. No gig-platform sub-processing, ever. Standard SaaS sub-processors (cloud, identity) are listed in the DPA.
Do you carry cyber-insurance?
Yes. Cyber-liability insurance at enterprise-appropriate limits. Certificate of insurance on request.