Procurement bundle

Request the DPA + security bundle.

One ZIP, one UK business day, no sales call. Routed straight to legal. The bundle is the procurement-ready version of our security page — the same facts, in the form your team can actually sign.

DPA + SCCs
Standard Contractual Clauses for UK + EU + DPDP. Pre-signed, redline-friendly Word doc.
Sub-processor register
Every vendor that touches customer data, what they process, the legal basis and the region.
SIG-Lite
Filled in. Refreshed at the start of every quarter. Maps to the SIG full questionnaire on request.
Penetration test summary
Executive summary from our last independent annual test. Full report under NDA.
SOC 2 audit progress note
Where we are in the Type I audit window, what is in scope, target attestation date.
MSA redlines
The standard MSA + the variant we sign with regulated brands. Legal does not need to re-write from scratch.

What it is not

Not a sales-disqualifier. Plenty of customers request this on day one — we treat it as a standard step.
Not gated behind a discovery call. The form goes to the security inbox, not the sales pipeline.
Not a sub for the full SOC 2 Type II audit (in progress for 2026). When the attestation lands, the bundle is updated automatically.

Send it to

Your security or procurement team

We email the bundle directly. No public download link, no tracking pixel.

Already an Idukki customer? You can also pull the latest bundle from the workspace under Settings → Compliance.

Plain-English answers

How long until I get the bundle?
One UK business day. We send a single signed ZIP. No sales call required.
Will you sign our DPA instead of yours?
Usually yes. We have signed redlined customer DPAs over 200 times. Send the draft along with the request and we will return it inside three working days.
Where is the data stored?
AWS eu-west-1 (Dublin) by default. Customer data does not leave the EU/UK without an explicit contractual carve-out.
How long do you keep audit logs?
Standard retention is 90 days. Enterprise customers can request a one-year retention window — there is no extra charge, we just need it in the contract.
What is your breach notification window?
Confirmed personal-data breaches are disclosed within 72 hours, per the DPA. Status page incidents go live the moment we identify them.
Do you syndicate UGC or content for AI training?
No. Customer-uploaded UGC and rights-cleared content is never used for any model training — ours or third parties. Contractually committed in the DPA.