Security Review Pack
For security, legal, and procurement teams evaluating Abraham of London for enterprise or regulated-industry deployment. We document exactly what is available and what is not.
Legal identity
Abraham of London is operated by Alomarada Ltd, a UK registered company. Company no. 11549053.
Verify on Companies House
Security assurance status
Current
- Provider posture disclosed
- Cloudflare DNS boundary stated
- Sub-processors named
- Data handling stated
- Provenance boundary stated
Not yet completed
- SOC 2
- ISO 27001
- Independent penetration test
Current infrastructure routing
Cloudflare is authoritative DNS for abrahamoflondon.org. Namecheap remains the registrar, and Netlify remains the production application host/origin. Cloudflare proxying, WAF/rate-limiting, Zero Trust, DLP, mTLS, and expanded edge controls are not represented as universally active unless explicitly configured for the relevant hostname or workflow.
Controlled request process
Security assurance materials are shared through a controlled request process. Public summaries are available immediately; detailed materials may require review, qualification, or NDA depending on sensitivity.
SOC 2, ISO 27001 certification, and independent penetration testing are not yet complete and are not represented as completed.
Administrative access and internal review
Administrative access is limited to authorised operator/admin roles and is used for support, review, delivery, and security operations. Access to restricted assurance materials and operational records is controlled through admin review workflows. Certain provenance and admin operations are logged for review.
MFA / SSO: Current authentication is handled through the platform's configured authentication provider and supported sign-in methods. Enterprise SSO and enforced organisation-level MFA are not yet represented as generally available. Availability can be reviewed for qualified enterprise deployments.
Detailed internal access procedures can be discussed during procurement or security review.
Enterprise operating caveats
Data residency and transfers: Default infrastructure may involve UK/EU/US provider regions depending on the service used. Region-specific deployment, data residency commitments, transfer terms, DPA, and sub-processor review must be agreed as part of enterprise procurement or contract review. The platform does not currently represent a blanket residency guarantee for all accounts.
Analytics and telemetry: Product analytics may be used to understand usage, reliability, and product improvement. Analytics should not be used to sell personal data or for ad-tech sharing. Specific telemetry fields, analytics configuration, and account-level restrictions can be reviewed through the security assurance process.
Backups and restore: The platform uses provider/database backup mechanisms appropriate to the current deployment. Formal enterprise RTO/RPO commitments are not yet represented as generally available and should be agreed during enterprise procurement. Restore-testing posture and available evidence can be discussed through the security assurance request process.
Status and incident visibility: A public status page is not yet published. Internal/system health checks exist, but they should not be read as a public status history or uptime SLA. For current pilots, incident communication expectations should be agreed within the engagement scope.
Available materials
Security Assurance Readiness Overview
Current assurance posture: hosting provider, auth model, secrets management, rate limiting, and the honest status of independent certifications (SOC 2, ISO 27001, pen-test).
Vendor Security Questionnaire
Structured responses to standard vendor security questions covering infrastructure, data handling, access controls, incident response, and sub-processor dependencies.
Pilot Data Boundary Policy
Guidance on what information is appropriate for pilot use: what should be sanitised, what categories should be excluded during initial evaluation, and the rationale.
Incident Response Summary
Detection, containment, assessment, notification decision tree, remediation posture, and post-incident review process.
Sub-Processor Register
Current named sub-processors with purpose, data category handled, and data region. Updated when sub-processors change.
Independent Penetration Test Readiness
Current status of external penetration testing engagement: scope, provider selection status, and expected timeline. Not yet completed — no test report exists.
Procurement Security Review Call
A structured call with the operator covering architecture, data flows, threat model assumptions, and security roadmap. For security teams at the active procurement stage.
Enterprise Assurance RFI Answer Pack
Structured honest answers to all standard enterprise vendor-risk questionnaire categories: legal entity, security assurance status, access control, data residency, privacy, sub-processors, operational resilience, provenance, insurance status, and roadmap. Some answers direct to contract or procurement review.
Honest posture
We are a growth-stage product. SOC 2, ISO 27001, and an independent penetration test are planned — not yet completed. If your procurement process requires these before evaluation, we recommend beginning the design partner programme while these are in progress. We will not claim certifications we do not hold.
Enterprise readiness boundary
The platform is suitable for bounded pilots and structured assurance review. It is not yet represented as SOC 2 certified, ISO 27001 certified, independently penetration-tested, or externally audited. High-sensitivity, regulated, or mission-critical deployments should proceed through security review, DPA / sub-processor review, and agreed operational controls before production use.
Request security assurance pack
Serious prospects may request the controlled pack for procurement review. It covers legal identity, infrastructure and provider posture, named sub-processors, pilot data-boundary guidance, incident-response posture, and the current independent-assurance status.
Not yet complete: SOC 2, ISO 27001 organisational certification, and independent external penetration testing.
Enterprise Assurance RFI Pack
Structured answers for procurement, vendor-risk, legal, security, and operator review.
Covers all standard questionnaire categories: legal entity, security assurance status, access control, data residency, privacy, sub-processors, operational resilience, provenance, insurance status, and roadmap commitments. Honest status on every item. Some answers direct to contract review.