Security & compliance
Everything your IT team, CISO, and procurement process needs to know about how Goalite handles data, security, and compliance. We write this page for technical readers — not for sales purposes.
Goalite is hosted on Microsoft Azure across the UK South and West Europe regions, with GDPR compliance, an ISO 27001 compliance roadmap, and Azure AD / Entra ID SSO supported out of the box.
Infrastructure
Built on Microsoft Azure.
| Item | Detail |
|---|---|
| Hosting provider | Microsoft Azure |
| Regions | UK South (primary), West Europe (secondary / DR) |
| Data residency | UK and EU — data does not leave these regions by default |
| Architecture | Cloud-native, containerised, auto-scaling |
| Uptime target | 99.9% SLA (documented in enterprise agreements) |
| Monitoring | Azure Monitor, Application Insights, alerting configured |
| Backup | Automated daily backups, 30-day retention, point-in-time recovery |
| Incident response | Documented process, customer notification within 24 hours of confirmed breach |
Authentication & access
Identity managed through Microsoft.
| Item | Detail |
|---|---|
| SSO | Azure Active Directory / Entra ID |
| Protocols | SAML 2.0, OIDC |
| MFA | Supported via Azure AD — configure in your existing Entra policies |
| User provisioning | Manual (admin portal) and SCIM (planned Q4 2026) |
| Session management | Configurable timeout, forced re-authentication on sensitive actions |
| Admin roles | Organisation admin, manager, individual contributor — role-based access control |
Data
What data Goalite holds and how it is handled.
| Category | What it includes | Retention |
|---|---|---|
| Account data | Name, email, organisation | Duration of account + 30 days |
| Goal data | Goals, milestones, habits, progress | Duration of account + 30 days |
| Usage data | Login times, feature usage (anonymised) | 90 days rolling |
| AI interaction data | Goal inputs used for plan generation | Not retained after plan generation |
| Audit logs | Admin actions, access logs | 12 months |
Data deletion
All user and organisation data is deleted within 30 days of account closure, or on written request under GDPR Article 17.
Data portability
Export available in JSON and CSV format on request.
Third-party sharing
Data is not sold or shared with third parties for advertising or commercial purposes. Sub-processors are listed below.
Sub-processors
Microsoft Azure (hosting), AI provider (AI plan generation), transactional email provider. Full sub-processor list available on request.
Compliance
Regulatory and certification status.
GDPR
Goalite Limited is a UK-incorporated company (Company No. 14605529) subject to UK GDPR and the UK Data Protection Act 2018. A Data Processing Agreement (DPA) is available for enterprise customers on request.
ISO 27001
Goalite’s ISO 27001 information security management system compliance programme is underway. We are targeting certification in 2026. Documentation on our current security controls is available for enterprise procurement teams under NDA.
Penetration testing
Annual penetration testing is planned as part of the ISO 27001 programme. Results summary available for enterprise customers under NDA.
UK Cyber Essentials
Planned for completion alongside the ISO 27001 programme.
Privacy
Privacy by design.
Goalite does not use advertising trackers. We do not monetise user data through third-party data sharing. Goalite is registered with the Information Commissioner’s Office (ICO). For full details on how we handle personal data, see our privacy policy.
Security enquiries.
For security-related questions, vulnerability disclosure, or enterprise procurement security reviews, contact: hi@goalite.com
For procurement documentation requests (DPA, sub-processor list, security questionnaire responses), contact: hi@goalite.com with [SECURITY] in the subject line.