Procurement
Procurement FAQ
For legal, risk, and procurement teams evaluating BuiltByGo.
What is your company structure?
BuiltByGo Ltd is a private limited company registered in England and Wales (Company No. 11121829), established in December 2017. Registered office: The Mill House Court Farm, Church Lane, Norton, Worcester, WR5 2PS. We are registered with the ICO as a data controller (registration ZA564668) and operate in compliance with UK GDPR.
Do you have a DPA?
Yes. Our Data Processing Agreement is publicly available, reflects UK GDPR Article 28 requirements, and is incorporated into all client engagements. Per-engagement specifics (categories of data subjects, processing activities, regional residency) are recorded in each Statement of Work.
Where is data processed and stored?
By default, client data is stored in the UK region (Supabase London / eu-west-2). Alternative regions — EU-West, Latin American regions, US — are selectable per engagement at scoping based on data subject geography and regulatory requirements.
For sub-processors hosted outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an equivalent lawful transfer mechanism. A Transfer Risk Assessment is documented for each such sub-processor where one is required.
See our DPA and Sub-processors register for full details.
Who are your sub-processors?
We publish our complete sub-processor register at builtbygo.com/subprocessors. The current register includes:
- Infrastructure and hosting — Cloudflare, Railway, Supabase, Sanity
- Email — Resend (EU region)
- Analytics and monitoring — PostHog (EU), Sentry (EU), Better Uptime (EU)
- Translation (conditional) — DeepL (when enabled per engagement, DeepL API tier with no-training data-handling commitment)
- AI-assisted internal tooling (conditional sub-processors) — Anthropic (Claude under Commercial Terms), DeepSeek, governed by our AI Usage Policy
We notify clients at least 30 days before adding any new sub-processor, with a 14-day objection window.
What security measures do you have?
TLS 1.3 for data in transit, AES-256 encryption for data at rest, least-privilege access controls, two-factor authentication (2FA) on all infrastructure and administrative access, vulnerability scanning, a documented incident response plan, annual staff security training, and managed insurance cover.
Our operational security controls are aligned with the ISO/IEC 27001 control families and the NIST Cybersecurity Framework.
Full details on our Security & Trust page.
Do you have a standard MSA?
Yes. We have a standard institutional Master Services Agreement (MSA) for project engagements, covering data protection, intellectual property, liability, acceptance criteria, change control, backup and disaster recovery, accessibility, insurance, and termination. Available on request via legal@builtbygo.com.
Do you complete security questionnaires?
Yes. We complete standard security questionnaires (including CAIQ, SIG, ISO 27001-aligned, and custom client formats). Typical turnaround is 5–10 working days depending on complexity.
For frequently-requested information, our Security & Trust page and DPA cover most standard questionnaire items in advance.
What insurance do you carry?
- Professional Indemnity: £2,000,000
- Public Liability: £2,000,000
- Cyber Liability: £1,000,000
- Employer's Liability: £10,000,000
Certificates available on execution of NDA or MSA. Contact: legal@builtbygo.com.
What is your liability cap?
For institutional engagements under our standard MSA, BuiltByGo's total aggregate liability is capped at the total fees paid for the engagement plus the value of ongoing fees paid in the twelve months preceding the date of claim. Carve-outs from the cap include death or personal injury caused by negligence, fraud, breach of confidentiality, wilful misconduct or gross negligence, IP infringement indemnification, and any liability that cannot be limited at law.
What is your incident response commitment?
Personal data breaches affecting client data are reported to affected clients without undue delay and in any event within 72 hours of our becoming aware of the breach, in line with the processor notification duty in UK GDPR Article 33(2) and Section 7 of our DPA. This notification is what allows the client, as controller, to meet its own 72-hour ICO notification deadline under Article 33(1).
Our incident response process covers identification, containment, eradication, recovery, and post-incident review. P1 incidents trigger a written post-mortem to the client within 10 Business Days of resolution.
Do you have a Code of Conduct?
Yes. Our Code of Conduct covers ethics, anti-bribery (UK Bribery Act 2010 aligned), whistleblowing, and supplier standards.
What certifications do you hold?
- ICO-registered (ZA564668)
- Cyber Essentials Plus: certification in progress, targeted for completion during 2026
- ISO/IEC 27001: certification on the 2026–2027 roadmap
Operational alignment with ISO/IEC 27001 control families and NIST Cybersecurity Framework is in place ahead of formal certification.
Do you support audit and inspection rights?
Yes. Under our DPA, clients may audit our compliance through:
(a) Reviewing our then-current certifications and security questionnaire responses;
(b) Requesting completion of the client's own security questionnaire;
(c) Independent third-party audits with reasonable notice (typically 30 days), conducted during business hours.
See DPA Section 11 for the full audit framework.
What is your pricing model?
We offer:
- Fixed-price for scoped projects, with milestone payment structures (typically 30% on signing / 50% on pre-launch acceptance / 20% on stable launch acceptance)
- Time and materials for ongoing work and change requests
- Retainer arrangements for continuous support and managed hosting
Each engagement starts with a free consultation and discovery phase. All pricing is exclusive of VAT.
How do you handle data when our engagement ends?
On termination, at your election, we either return all personal data in a structured, commonly-used machine-readable format, or securely delete all copies (and certify deletion in writing). Standard timeline is within 30 days of termination, save where retention is required by applicable law.
We also operate a Right of Migration for infrastructure: at any time on written request, we will transfer all hosting, database, and platform accounts to client-owned vendor accounts within 30 working days, free of charge as part of standard offboarding.
How do I get started?
Contact procurement@builtbygo.com or hello@builtbygo.com for a no-obligation conversation. We'll discuss your needs, share standard procurement documentation under NDA where applicable, and determine fit before any commitment.
Document last reviewed: 3 May 2026. We update this FAQ as procurement requirements evolve.