True Compliance

True Compliance is a cloud-based compliance management system which uses new technologies such as document reading and AI to help Councils and RSLs manage their Health and Safety compliance and keep their customers safe.


  • PDF Reading technology
  • Designed to be Bespoke
  • Public APIs to interface data
  • Transparency with internal and external stakeholder login
  • Mobile Ready
  • Real time dashboard with bespoke widgets
  • Checking documents against rules created by customer
  • Simple and robust action tracking with dual sign off
  • Reports Centre which allows for instant reports and filtering
  • Specialised system for Compliance rather than add-on


  • Manage actions on site
  • Reduces Administration time as system does the hard work
  • Intuitive system which requires minimum training
  • System designed to mould to your processes
  • Increased data accuracy as all information checked before loading
  • One central place for all compliance data
  • Regain control from contractors with more accurate and detailed KPIs


£25000 to £100000 per licence per year

Service documents


G-Cloud 11

Service ID

581187105248402


True Compliance

Matt Rawlings

07545 399434

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The service has no constraints.
System requirements
  • Internet Explorer 11 or Edge
  • Chrome
  • Firefox
  • Safari

User support

Email or online ticketing support Email or online ticketing
Support response times Users will get a response within 24 hours of the request being made. On weekends a response will be received within 24 hours of Monday 09:00am.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support No
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Users are able to ask questions using the web chat which is available on our website and Helpdesk portal. Users are able to talk directly to an agent who can either resolve the issue or create a support ticket.
Web chat accessibility testing None.
Onsite support Onsite support
Support levels We provide all levels of support to users of the system. The first level of support can be answered by a client support rep or an engineer; the second level will always be answered by an engineer. The support you receive is included in the price of the system and bears no extra cost.
Support available to third parties Yes

Onboarding and offboarding

Getting started Full on-site user and administrator training is included in the service costs. Users are given full support to set up the system specific to their needs. The initial data-load is quality checked and uploaded by True Compliance before being placed in a test environment for training and validation by the client. User documentation is provided via the True Compliance website.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Users have access to all their data via the reports centre and are able to download the information they want on demand.
End-of-contract process There are no end-of-contract charges. Once the customer is happy they have all their data, we would close access to the platform and delete data from our systems.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No differences between the two.
Service interface No
What users can and can't do using the API Our Public API allows users to add certificates to our load queue, and fetch and search for certificate information.

We do not currently allow clients to create their own account; this is done in-house via a request to the support desk. Clients can then send an authentication request to receive an access token.

Bespoke APIs that allow movement of key data into corporate systems can also be created by request via the support desk.
API documentation Yes
API documentation formats Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The 'Dashboard Widgets' can be customised to show whatever the user requires to be shown dependent on their needs. The 'Rule Set' that is used to test the data from the incoming documents can have custom rules added to allow for better management of contractors. The 'Property/Block View' page can be customised to show what the customer would like to see on that page (e.g. Housing office name, Appointment information, description of premises from an FRA, etc.). All 'Reports' are made specially for each customer. 'Process' can be altered to match the customer's preferred process. This can all be done by contacting your client rep or emailing support.


Independence of resources We utilise auto scaling technologies on AWS to automatically spin up extra resources based on demand.

We use load balancing technology to share the user load on our servers.

The application is designed as a series of micro servers, removing load from the main application API.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach The data is available via reports centre and can be downloaded on demand.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Our SLA specifies the following uptime guarantees:

Live TC System and associated systems: 99.9%
Exports and Interfaces: 99.5%
Test TC system and associated systems: 99%

We offer a full pro rata refund for any downtime that breaches these guarantees.
Approach to resilience We use AWS to host our platform. They have first rate security policies surrounding the actual data centre.

All our servers are protected behind access keys, and within a Virtual Private Cloud. Database access is locked down to the specific application servers that need access.
Outage reporting Downtime is relayed via email alerts to the development team, who can then inform clients.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access is restricted via user roles. Certain roles have greater access and privileges within the application.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 15/04/2019
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover None
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards CSA CCM version 3.0
Information security policies and processes Security falls under the purview of the CTO. Policies are in place to ensure that this role is being undertaken.

The CTO must report on security processes and incidents at each board meeting.

Weekly external scans of the system are undertaken.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All application code is run through git version control.

We run tests on the codebase daily, and all changes and updates are tested locally and in a demo environment prior to release.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We run weekly vulnerability tests, using a third party service.

Reports are generated and reviewed by the CTO. Appropriate remedial action is taken. High risk issues are fixed where possible within 24 hours. Other issues are remedied within 5 working days.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We run weekly vulnerability tests, using a third party service. Reports are generated and reviewed by the CTO. Appropriate remedial action is taken. High risk issues are fixed where possible within 24 hours. Other issues are remedied within 5 working days.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents can be reported to TC via the helpdesk or by ringing your account manager.

We have a documented incident management plan, which kicks into action upon discovery of an incident.

Incident reports will be sent to all clients on request.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £25000 to £100000 per licence per year
Discount for educational organisations No
Free trial available No
