Security posture for public-sector procurement: a field guide for FlyttGo buyers

What security and compliance documentation actually moves an RFP forward — and what we share under NDA to shorten the cycle.

FlyttGo Security & Compliance | Security team | 6 min read

Public-sector procurement teams are used to receiving 200-page vendor questionnaires that say everything and prove nothing. We have found three pieces of documentation consistently move the process forward.

1. A current SOC 2 Type II report

Shared under NDA. Procurement teams read the scope, the auditor’s opinion, and the management response to findings — in that order. We share the full report rather than a summary because the summary never answers the follow-up questions.

2. An architecture diagram with the boundary drawn

Where tenants live, where keys live, where logs live, and where the audit boundary ends. For sovereign deployments we supplement this with a national-datacenter network topology review.

3. Pen-test executive summaries

Dated within the last 12 months. We share the external-perimeter report and the application-logic report. Raw findings are available on request for customers with internal security teams.

Regional frameworks we support

  • EU: GDPR, eIDAS, PSD2 (Payvera), PCI-DSS (Payvera, FlyttGo).
  • UK: PSN, Cyber Essentials Plus.
  • Gulf: Saudi NCA ECC, UAE IA.
  • Africa: POPIA (ZA), Kenya Data Protection Act.

If a framework you require is not listed, it is almost certainly supported, but we need the specific jurisdictional scope to define the deployment. The enterprise team answers jurisdiction questions within one business day.
