Trust at BuiltByGo

Last reviewed: 3 May 2026

A single point of reference for procurement, legal, and risk teams evaluating BuiltByGo Ltd. Everything in one place — no hunting through legal pages.

If you can't find what you're looking for here, contact legal@builtbygo.com or procurement@builtbygo.com.

At a glance

Trust documentation

Security and operations

• Security & Trust — information security framework, infrastructure controls, encryption, access management, backup and DR, incident response
• Sub-processors register — every third-party service that may process client data, with regions and transfer mechanisms
• AI Usage Policy — operational rules for AI tooling, named tools, anonymisation policy, conditional sub-processor framing
• Vulnerability Disclosure Policy — how to report security issues, response timelines, safe harbour terms
• /.well-known/security.txt — RFC 9116 machine-readable disclosure point

Privacy and data protection

• Privacy Policy — how we handle personal data on this website and in pre-engagement enquiries (UK GDPR compliant)
• Data Processing Agreement (DPA) — Article 28 compliant DPA for client engagements; covers UK GDPR, EU GDPR, Brazilian LGPD, Mexican LFPDPPP
• Cookie Policy — our cookie usage and your choices

Governance and ethics

• Code of Conduct — ethics, anti-bribery, whistleblowing, supplier expectations, DEI
• Modern Slavery Statement — voluntary statement (below the £36m threshold) covering business and supply chain
• Accessibility Statement — WCAG 2.2 AA conformance commitment
• Terms of Service — website use terms

Procurement enablement

• Procurement FAQ — answers to the questions procurement teams typically ask, in advance

Frameworks and standards

Currently aligned

• ISO/IEC 27001 control families
• NIST Cybersecurity Framework (CSF)
• UK GDPR and DPA 2018
• WCAG 2.2 Level AA (web accessibility)
• PECR (Privacy and Electronic Communications Regulations)
• UK Bribery Act 2010
• Modern Slavery Act 2015 (voluntary statement)
• Equality Act 2010

Currently being pursued

• Cyber Essentials Plus — accreditation in active pursuit, target completion through 2026

On the roadmap

• ISO/IEC 27001 — formal certification, 2026–2027

Sub-processors

Our sub-processor register is published in full at builtbygo.com/subprocessors.

Active sub-processors: Cloudflare · Railway · Supabase · Sanity · Resend · PostHog · Sentry · Better Uptime · DeepL (conditional)

Conditional AI sub-processors (governed by AI Usage Policy): Anthropic (Claude under Commercial Terms with DPA in place) · DeepSeek

We notify clients 30 days before adding any new sub-processor, with a 14-day objection window.

Insurance

Certificates available on execution of NDA or MSA.

Contact legal@builtbygo.com to request certificates.

Standard contracts

The following contractual templates are maintained for institutional engagements and available to clients:

Templates available on request via legal@builtbygo.com.

Security questionnaires

We complete standard security questionnaires for institutional procurement, including:

• CAIQ (Consensus Assessments Initiative Questionnaire)
• SIG / SIG Lite (Standardized Information Gathering)
• ISO 27001-aligned custom client questionnaires
• Client-specific procurement forms

Typical turnaround: 5–10 working days. Most standard items are pre-answered through our published Security & Trust, DPA, and Sub-processors register.

Audit and inspection

Under our DPA, clients may audit our compliance through:

1. Documentation review — certifications, security questionnaire responses, sub-processor register
2. Standard questionnaires — CAIQ, SIG, or client custom forms
3. Independent third-party audit — with 30 days' notice, during business hours, by mutually agreed auditor

See DPA Section 11 for the full audit framework.

Incident response

Contact directory

For institutional clients: please use the dedicated channel where possible — it routes to the right person faster.

Document history