Woodrow Mercer Associates

The Compliance Space (GDPR Tooling)

The Compliance Space is a web based application that offers a digitally aligned GDPR framework developed by experienced data protection consultants. The tooling has been designed to be practical and user friendly whilst meeting all the requirements that ensure your organisation can meet the demands of the new legislation.


  • Data Process mapping
  • 3rd Party Processor alignment & contracts management
  • Risk Management
  • Legitimate Interest Assessment (LIA) tool
  • Data Privacy Impact Assessment (DPIA) tool
  • Data Subject Access Request (DSAR) management
  • Breach management & ICO reporting tool
  • Access to a live support network of Data Protection Officers
  • Article 30 Reporting
  • File Storage for contracts and policy management


  • Easy and intuitive to use
  • Access to real life Data Protection Officers
  • One licence agreement giving access to all features
  • Built by real life Data Protection offices
  • 24 hour Breach Support including ICO report generation
  • DSAR intelligence cutting down operational time dealing with requests
  • GDPR Alignment indicators to help track progress
  • Risk management to help minimise impact
  • Article 30 reporting at the push of a button
  • Unlimited user licences


£250 to £2000 per licence per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

4 5 3 3 6 9 7 9 2 4 6 5 0 5 7


Woodrow Mercer Associates

Matt Drinkwater

0121 265 4445


Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
The Compliance Space is built across multiple zones on Amazon Web Services to deliver a robust hosting provision. As such, The Compliance Space offers a Service Level expectation that is based on this hosting platform, the way we use it and the time we monitor the platform. The Service Level is calculated over a 24-hour period, during this period 4 hours will be used for scheduled maintenance, this will between 22:00 and 02:00 daily.

The uptime Service Level target works out to be 99.17% daily
System requirements
  • Up to date internet browser
  • Internet connectivity

User support

Email or online ticketing support
Email or online ticketing
Support response times
Best endeavours for platform support questions
24 hour response for data breach incident for subscribers of this service
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Support breaks down as follows:

Platform support - email only via the site - best endeavours - included
GDPR advice and guidance support - 9-5 weekdays best endeavours - £TBC
GDPR data breach support -24x7 24 hour response SLA - £TBC
Consulting support - onsite and remote as a scoped engagement
Support available to third parties

Onboarding and offboarding

Getting started
An organisation will be set up by The Compliance Space team. When users are added they will receive an email inviting them to register themselves onto the platform. Instructional videos and support is offered via the website. Training & consulting is available at an additional cost.
Service documentation
End-of-contract data extraction
When the contract has expired if the users decide they want to leave the platform all information is downloadable into zip folders and CSV excel files.
End-of-contract process
Contracts are 12 months at which point the organisation can renew the contract or leave the service. Organisations will be automatically informed 2 months prior to the end date

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
Customisation available


Independence of resources
The service is designed to scale elastically so any resource load out of the ordinary is catered for


Service usage metrics
Metrics types
All areas of The Compliance Space registers are monitored for completion with visual prompts where data is missing. This also roles up into a percentage of completion for the areas of the tool
Reporting types
Real-time dashboards


Supplier type
Reseller (no extras)
Organisation whose services are being resold
The Compliance Space Ltd

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Primary users can download all information from the application at the single push of a button. All exports are in Zipped Folders and CSV forms.
Data export formats
Data import formats
Other data import formats
No uploads are available

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The up time Service Level target works out to be 99.17% daily, this is worked out as follows:

Monitored time period = 20 hours = 72,000 seconds

Total down time =10 minutes = 600 seconds.

Sum is 600/72,000, which is 0.0083 = 0.83% of downtime allowed.

Means the Service Level is 100%-0.83% = 99.17%
Approach to resilience
Each component is set to auto scale under load and all data is replicated via near real time replication to a secondary data centre. In the event of data centre failure the service would be deployed in another region via automated deployment method
Outage reporting
A mixture of AWS monitors and alerts for threshold breaches and outages are fed into the support team. A manual service outage page is then displayed in the event of service disruption

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access to the management interfaces is confined to specific users and specific end points. The access is managed by strong username and possword
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We use ISO 27001 as a basis for our InfoSec processes
Information security policies and processes
We use ISO 27001 aligned security policies and processes

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change management is aligned to ISO 27001 best practices. This includes a full Risk Treatment Methodology for anything new being introduced.

The development methodology utilises a series of cascading development environments for code promotion. Code is change tracked ad released through a GitLab repository, elastic beanstalk and Secure Development Policy
Vulnerability management type
Vulnerability management approach
Threats are assessed against an Impact and Probability risk matrix. High net score results in a mitigation requirement.

All security patches with a criticality of high are deployed to infrastructure immediately following a test cycle in Staging.

Threat alerts are received from the vendors of the services we build The Compliance Space on
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Compromises can be identified via client reports, logging alerts, automated testing routines

Response is inline with our data breach response plan, which first assesses the severity of the breach, mobilises the appropriate team (including support and communications), remedies the source of the breach and then reviews the breach for any lessons learnt and future enhancements

Incidents are responded to immediately after becoming aware
Incident management type
Supplier-defined controls
Incident management approach
Inline with ISO 27001

Each event is dealt with as it occurs using the Incident Response Process

Users interact with the support team via the online feedback messaging on the site

Incident reports are manually created and sent to the client primary user on occurrence

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£250 to £2000 per licence per month
Discount for educational organisations
Free trial available
Description of free trial
1 week access to the tool. All features and benefits included

Service documents

Return to top ↑