Data security and compliance

Stakeholder engagement data is sensitive by nature. From political contacts and community feedback to consultation records and personal information, your data deserves the highest level of protection. Tractivity is built from the ground up to keep it secure, compliant, and entirely under your control.

Trusted for over 25 years by organisations including the UK Government, NHS, National Grid, EDF, and Anglian Water, Tractivity is the only fully UK-based stakeholder management platform on the market.

Independently accredited, continuously monitored

Tractivity holds both ISO 27001:2022 and Cyber Essentials Plus accreditations, two of the most rigorous information security standards recognised in the UK and internationally.

ISO 27001:2022 is the latest version of the international standard for information security management systems (ISMS), demonstrating that Tractivity maintains a systematic approach to managing sensitive data. Cyber Essentials Plus, backed by the UK National Cyber Security Centre, involves independent testing of our security controls and is a requirement for many UK government and public sector contracts.

Our system also meets the latest HIPAA standards and is hosted on Microsoft Azure, which is SOC 2 compliant.

Tractivity is also approved on the UK Government's G-Cloud framework, reflecting our compliance with public sector procurement and security standards.

Enterprise-grade infrastructure, monitored around the clock

Tractivity operates in a cloud-based, highly secure environment powered by Microsoft Azure, trusted by organisations worldwide for mission-critical workloads, including the NHS, UK and Irish government departments, and major infrastructure providers.
Our platform is monitored 24/7/365 and protected by multiple layers of security, including:

Antivirus and malware protection

Intrusion detection

Web Application Firewall (WAF)

Regular vulnerability scanning

OS file integrity monitoring

OS-level patch monitoring

Managed portal and dashboard interface

UK data residency with global hosting options

Tractivity’s default data centre is located in the UK (South London), ensuring full UK data residency for clients who require it. This is particularly important for any team handling politically sensitive or community-facing engagement data, and for organisations subject to regulatory scrutiny, such as Ofgem, the Planning Inspectorate, or judicial review. Tractivity provides a single auditable record of every stakeholder interaction, commitment, and community response, ensuring your engagement evidence is complete, traceable, and held securely within your chosen jurisdiction.

For organisations with specific regulatory or data sovereignty requirements, we offer alternative hosting regions including the EEA, the United States, and beyond. Wherever your data is hosted, it benefits from the same enterprise-grade security controls and monitoring.

Granular control over who sees what

Tractivity’s role-based permissions give administrators complete control over data access. Permissions can be configured at multiple levels, from specific projects and modules right down to confidentiality controls on ndividual records, ensuring users only see what they are authorised to see.

This is essential for organisations working with third-party contractors, multi-agency partnerships, or cross-departmental teams where confidentiality requirements differ across projects. You maintain full control without compromising collaboration.

AI-powered features with full data control

Tractivity provides a suite of secure, purpose-built AI tools designed to enhance stakeholder engagement. Our AI Sentiment Analysis automatically evaluates the tone of stakeholder interactions, whilst AI Summarise generates concise, accurate summaries of engagement records.

All AI capabilities are fully configured, managed, and secured by our team within our Microsoft Azure environment. When AI features are enabled, with your explicit consent, only the content entered into designated AI fields is securely transmitted to Azure OpenAI for processing.

Your data is never used for model training or fine-tuning. Azure OpenAI acts solely as a data processor on Tractivity’s behalf, ensuring full control, confidentiality, and compliance at all times.

Designed with accessibility in mind

The Tractivity interface meets WCAG 2.2 Level A accessibility standards and is fully mobile-responsive, ensuring users can access and update information from any device with an internet connection. This supports field teams, remote workers, and on-the-go engagement without compromising usability or security.

Accessibility is a statutory requirement for many public sector organisations, including government departments, the NHS, and local authorities. Tractivity is actively working towards WCAG 2.2 Level AA compliance, on track for release in 2026.

Built for GDPR compliance

Tractivity helps you manage stakeholder subscription preferences with confidence. All opt-ins and unsubscribes are tracked automatically, and built-in restrictions ensure you only communicate with stakeholders who have consented to that line of communication.

Data entered into Tractivity is owned by you. Your data is encrypted both in transit and at rest, and comprehensive access controls ensure it remains confidential at every level.

For organisations requiring custom integrations, Tractivity provides a fully documented API, enabling secure data exchange with external systems under your control.

Regular updates, zero disruption

Tractivity systems are upgraded on a regular basis, informed by customer feedback and developments from our expert team. Major feature releases happen every three to four months, with security patches and smaller updates deployed in between to ensure your system remains protected against emerging threats.

All releases are completed outside of working hours, typically after 7pm, and clients are always informed in advance of any scheduled maintenance. Your operations are never disrupted.

Data security frequently asked questions (FAQ)

Where is my stakeholder data stored?

By default, all data is hosted in Tractivity's UK data centre in South London, ensuring full UK data residency. Clients with specific regulatory or data sovereignty requirements can choose an alternative hosting region, including the EEA, the United States, or beyond. Wherever your data is hosted, it benefits from the same enterprise-grade security controls and 24/7/365 monitoring.

What security accreditations does Tractivity hold? Tractivity holds ISO 27001:2022 and Cyber Essentials Plus accreditations, is hosted on Microsoft Azure (SOC 2 compliant), meets the latest HIPAA standards, and is approved on the UK Government's G-Cloud framework. Systems are proactively monitored 24/7/365 by a security operations team.

Who can access my data within Tractivity? Role-based permissions give administrators complete control over data access. Permissions can be configured at multiple levels, from specific projects and modules right down to individual records. This supports organisations working with third-party contractors, multi-agency partnerships, or cross-departmental teams where confidentiality requirements differ.

How does Tractivity handle AI and my data?

All AI features run within Tractivity's Microsoft Azure environment. When enabled, with your explicit consent, only content entered into designated AI fields is processed by Azure OpenAI. Your data is never used for model training or fine-tuning. Azure OpenAI acts solely as a data processor on Tractivity's behalf.

Is Tractivity GDPR compliant?

Yes. All opt-ins and unsubscribes are tracked automatically, and built-in restrictions ensure you only communicate with stakeholders who have consented. Data entered into Tractivity is owned by you, encrypted both in transit and at rest, and protected by comprehensive access controls.

What happens if something goes wrong?

Tractivity has a fully documented Business Continuity and Disaster Recovery plan, tested regularly. Data is backed up daily, encrypted, and stored in an alternative secure location. Backups are tested weekly with file integrity checks and manual restores, signed off by a systems engineer and the Technical Director.