
Gleb Lukicov, Founding MLOps Engineer

1 Dec 2025


Electric Twin is ISO 27001 certified

Internal audit to certification in 61 days. Startups move fast, and as it turns out, you can move fast on security & compliance too! 🤠

Chocolate Llamas

You trust us with your data. That's not a small thing.

When we build synthetic audiences from survey data, security isn't a feature we bolt on later; it is the foundation of our engineering practice. We've known this from the beginning. But "we take security seriously" is what everyone says, so we went and got the receipts - Electric Twin is now ISO 27001:2022 certified 🚀

What this actually means

ISO 27001 is the international gold standard for Information Security Management Systems (ISMS), an ongoing framework covering how you handle data, manage risk, and respond to incidents.

Our certification scope covers:

  • Our prediction platform and customer-facing products

  • Our infrastructure across Google Cloud, AWS, Azure, and Vercel

  • Our Software Engineering, AI Engineering, and Operations teams

Moving fast on security

There is a persistent myth in tech that startups must choose between velocity and security. Ship fast now, patch the holes later. We think that's nonsense.

We build scalable and efficient software powered by the latest AI tools, with deep science-based evaluation baked into everything we do. Security, compliance, and privacy aren't afterthoughts we'll get to "when we're bigger." They're designed in from the start and woven into every engineering decision.

Our approach follows DevSecOps principles, where security is integrated into the development lifecycle rather than being added at the end. We maintain Secure Engineering Principles and Engineering Policies that every engineer actually reads (I know, radical 😉). Our code adheres to OWASP Top 10 guidance, and we follow SOLID design principles, because well-architected software with clear boundaries and single responsibilities is inherently more secure software.

The stack that keeps your data safe

Here's what it looks like in practice:

  • Vanta manages our compliance evidence and continuous monitoring, and it's how we keep our ISMS up-to-date.

  • Aikido and GitHub Advanced Security run automated security scanning on every commit.

  • Google Cloud Artifact Registry scans our container images for vulnerabilities.

  • Google Cloud Armor provides network-level protection and DDoS mitigation.

  • NordLayer VPN secures remote access for the team.

The audit

Getting certified wasn't a weekend project. It involved running disaster recovery exercises, inviting external security experts to simulate cyberattacks on our platforms, and having external auditors test our controls until they were satisfied that our policies reflect day-to-day practice.

We kicked off our internal audit on 19 September 2025, and by 19 November 2025, we had our certificate from Prescient Security. Two months from audit to certified, while continuing to improve our product and serve our clients.

The result: certification with zero major non-conformities. Our auditors noted the maturity of our controls relative to our company's size. We'll take it 😎

What this means for you

If you're evaluating Electric Twin - or already working with us - this certification gives you independent, third-party validation that we handle data the way we say we do.

You can view our certificate, security documentation, and compliance reports on our Trust Centre.

Onwards

ISO 27001 certification isn't an endpoint. It's a commitment to continuous improvement, annual surveillance audits, and keeping security front-of-mind as we scale. We're now undertaking certification for Cyber Essentials Plus and SOC 2.

We build software that predicts human behaviour. The least we can do is behave predictably ourselves, especially when it comes to protecting your data.

We're off to celebrate with some llama-shaped chocolates 🦙