Woodrow Mercer Associates

The Compliance Space (GDPR Tooling)

The Compliance Space is a web based application that offers a digitally aligned GDPR framework developed by experienced data protection consultants. The tooling has been designed to be practical and user friendly whilst meeting all the requirements that ensure your organisation can meet the demands of the new legislation.


  • Data Process mapping
  • 3rd Party Processor alignment & contracts management
  • Risk Management
  • Legitimate Interest Assessment (LIA) tool
  • Data Privacy Impact Assessment (DPIA) tool
  • Data Subject Access Request (DSAR) management
  • Breach management & ICO reporting tool
  • Access to a live support network of Data Protection Officers
  • Article 30 Reporting
  • File Storage for contracts and policy management


  • Easy and intuitive to use
  • Access to real life Data Protection Officers
  • One licence agreement giving access to all features
  • Built by real life Data Protection offices
  • 24 hour Breach Support including ICO report generation
  • DSAR intelligence cutting down operational time dealing with requests
  • GDPR Alignment indicators to help track progress
  • Risk management to help minimise impact
  • Article 30 reporting at the push of a button
  • Unlimited user licences


£250 to £2000 per licence per month

  • Free trial available

Service documents

G-Cloud 11


Woodrow Mercer Associates

Matt Drinkwater

0121 265 4445


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints The Compliance Space is built across multiple zones on Amazon Web Services to deliver a robust hosting provision. As such, The Compliance Space offers a Service Level expectation that is based on this hosting platform, the way we use it and the time we monitor the platform. The Service Level is calculated over a 24-hour period, during this period 4 hours will be used for scheduled maintenance, this will between 22:00 and 02:00 daily.

The uptime Service Level target works out to be 99.17% daily
System requirements
  • Up to date internet browser
  • Internet connectivity

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Best endeavours for platform support questions
24 hour response for data breach incident for subscribers of this service
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Support breaks down as follows:

Platform support - email only via the site - best endeavours - included
GDPR advice and guidance support - 9-5 weekdays best endeavours - £TBC
GDPR data breach support -24x7 24 hour response SLA - £TBC
Consulting support - onsite and remote as a scoped engagement
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started An organisation will be set up by The Compliance Space team. When users are added they will receive an email inviting them to register themselves onto the platform. Instructional videos and support is offered via the website. Training & consulting is available at an additional cost.
Service documentation No
End-of-contract data extraction When the contract has expired if the users decide they want to leave the platform all information is downloadable into zip folders and CSV excel files.
End-of-contract process Contracts are 12 months at which point the organisation can renew the contract or leave the service. Organisations will be automatically informed 2 months prior to the end date

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service N/A
Service interface No
Customisation available No


Independence of resources The service is designed to scale elastically so any resource load out of the ordinary is catered for


Service usage metrics Yes
Metrics types All areas of The Compliance Space registers are monitored for completion with visual prompts where data is missing. This also roles up into a percentage of completion for the areas of the tool
Reporting types Real-time dashboards


Supplier type Reseller (no extras)
Organisation whose services are being resold The Compliance Space Ltd

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Primary users can download all information from the application at the single push of a button. All exports are in Zipped Folders and CSV forms.
Data export formats CSV
Data import formats Other
Other data import formats No uploads are available

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The up time Service Level target works out to be 99.17% daily, this is worked out as follows:

Monitored time period = 20 hours = 72,000 seconds

Total down time =10 minutes = 600 seconds.

Sum is 600/72,000, which is 0.0083 = 0.83% of downtime allowed.

Means the Service Level is 100%-0.83% = 99.17%
Approach to resilience Each component is set to auto scale under load and all data is replicated via near real time replication to a secondary data centre. In the event of data centre failure the service would be deployed in another region via automated deployment method
Outage reporting A mixture of AWS monitors and alerts for threshold breaches and outages are fed into the support team. A manual service outage page is then displayed in the event of service disruption

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access to the management interfaces is confined to specific users and specific end points. The access is managed by strong username and possword
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We use ISO 27001 as a basis for our InfoSec processes
Information security policies and processes We use ISO 27001 aligned security policies and processes

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change management is aligned to ISO 27001 best practices. This includes a full Risk Treatment Methodology for anything new being introduced.

The development methodology utilises a series of cascading development environments for code promotion. Code is change tracked ad released through a GitLab repository, elastic beanstalk and Secure Development Policy
Vulnerability management type Undisclosed
Vulnerability management approach Threats are assessed against an Impact and Probability risk matrix. High net score results in a mitigation requirement.

All security patches with a criticality of high are deployed to infrastructure immediately following a test cycle in Staging.

Threat alerts are received from the vendors of the services we build The Compliance Space on
Protective monitoring type Supplier-defined controls
Protective monitoring approach Compromises can be identified via client reports, logging alerts, automated testing routines

Response is inline with our data breach response plan, which first assesses the severity of the breach, mobilises the appropriate team (including support and communications), remedies the source of the breach and then reviews the breach for any lessons learnt and future enhancements

Incidents are responded to immediately after becoming aware
Incident management type Supplier-defined controls
Incident management approach Inline with ISO 27001

Each event is dealt with as it occurs using the Incident Response Process

Users interact with the support team via the online feedback messaging on the site

Incident reports are manually created and sent to the client primary user on occurrence

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £250 to £2000 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial 1 week access to the tool. All features and benefits included

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑