Trust Centre

Built for the standards your organisation demands.

The PSM Climate Performance Framework is designed for professional services firms, financial institutions, and enterprise organisations. This page documents how we protect your data, who can access it, and what certifications back our commitments.

Status summary: 19 In Place, 2 Partial, 1 In Progress, 2 Roadmap

Our commitment to transparency

This page documents every security and compliance commitment — including those we do not yet fully meet. Items marked Partial or In Progress are known gaps with documented remediation plans, not undisclosed risks. We believe transparency builds more durable trust than marketing claims.

Compliance & Certifications

The PSM Climate Performance Framework is hosted on the Manus AI platform, which independently holds the certifications and attestations listed below. Full audit reports are available to enterprise customers under NDA.

SOC 2 Type II

In Place

The hosting platform holds a current SOC 2 Type II attestation report (SOC 2 is an auditor's attestation rather than a certification) covering the security, availability, and confidentiality Trust Services Criteria.

Manus Trust Centre — trust.manus.im

ISO 27001:2022 — Information Security Management

In Place

The platform is certified against ISO 27001:2022, the international standard for information security management systems.

Manus Trust Centre — trust.manus.im

ISO 27701:2019 — Privacy Information Management

In Place

ISO 27701 extends ISO 27001 with the requirements for a privacy information management system, covering the obligations of both data controllers and data processors, which supports GDPR-aligned data handling.

Manus Trust Centre — trust.manus.im

GDPR Compliance

Partial

Data processing agreements (DPAs) are available for enterprise customers. Standard Contractual Clauses (SCCs) are in place for international data transfers. EU data residency options are under review.

DPAs available on request — contact ERI

Infrastructure & Availability

The platform is built on enterprise-grade cloud infrastructure with redundancy, DDoS protection, and continuous monitoring.

Multi-Cloud Redundancy

In Place

Infrastructure is distributed across Amazon Web Services, Google Cloud Platform, and Microsoft Azure, providing geographic and provider redundancy with built-in DDoS protection at the network layer.

AWS, GCP, and Azure — Manus infrastructure overview

99.9% Uptime SLA

In Place

The Manus platform commits to a 99.9% monthly uptime SLA for production services, which allows roughly 43 minutes of downtime in a 30-day month. Planned maintenance windows are communicated in advance.

Manus Trust Centre — availability

Continuous Security Monitoring

In Place

All infrastructure is monitored continuously for anomalous activity, with automated alerting and incident response procedures in place.

Manus Trust Centre — monitoring

EU / Regional Data Residency

In Progress

Current AI sub-processors (Anthropic, Google Cloud, Microsoft Azure AI, AWS) are US-based. EU data residency options are under active review; the transfer mechanism that applies in the meantime is described under GDPR Compliance above.

Planned — in discussion with Manus platform team

Data Security & Encryption

All client data is encrypted in transit and at rest. No client data is ever used to train AI models.

Encryption in Transit (TLS 1.2+)

In Place

All communication between users and the platform is encrypted using HTTPS with TLS 1.2 or 1.3; TLS 1.0 and 1.1 are not accepted. Modern cipher suites are enforced, and self-signed certificates are not used in production.

Encryption at Rest (AES-256)

In Place

All data stored in the database — including client portfolio data, assessment results, roadmap plans, and workspace configurations — is encrypted at rest using AES-256.

Managed by the Manus platform

File Upload Security

In Place

Uploaded files (Excel, CSV, JSON, images) are validated for type and size before processing. Files are stored in S3-compatible object storage — not in the database — and are accessible only to authorised workspace members.
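The validation step described above, as an added example rather than the PSM application's own upload code. It checks size first, then requires the file content to match the declared extension (magic bytes for PNG, JPEG and the ZIP container of .xlsx, a structural check for the workbook parts, UTF-8 and a JSON parse for the text formats), and never reuses the client's filename as the storage key. The size cap, the allowed-type table and the sample payloads are constructed for the example and are not values taken from this page.

```python
"""Upload validation: check size and sniff content type before processing.

Added illustration, not the PSM application's code. MAX_BYTES, ALLOWED_EXT
and the fixtures below are assumptions made for the example.
"""
import io
import json
import secrets
import zipfile

MAX_BYTES = 10 * 1024 * 1024  # assumed 10 MiB cap for the example
ALLOWED_EXT = {"xlsx", "csv", "json", "png", "jpg", "jpeg"}

# Magic-byte prefixes for the binary formats. .xlsx is a ZIP container, so the
# prefix check is followed by a structural check in _is_xlsx.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "xlsx": b"PK\x03\x04",
}


class UploadRejected(ValueError):
    pass


def _is_xlsx(data: bytes) -> bool:
    # A real workbook is a ZIP containing the OOXML content-types part and a workbook part.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "xl/workbook.xml" in names


def _is_text_table(data: bytes, kind: str) -> bool:
    # Text formats have no magic bytes: require valid UTF-8 with no NUL bytes,
    # and for JSON a successful parse.
    if b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if kind == "json":
        try:
            json.loads(text)
        except json.JSONDecodeError:
            return False
    return True


def validate_upload(filename: str, data: bytes) -> dict:
    """Return storage metadata for an accepted file or raise UploadRejected.

    The client filename is only used to read the declared extension; the
    storage key is random, so path components or odd characters in the
    name never reach the object store.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected(f"size {len(data)} outside 1..{MAX_BYTES} bytes")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if ext == "jpeg":
        ext = "jpg"
    if ext in ("png", "jpg"):
        ok = data.startswith(MAGIC[ext])
    elif ext == "xlsx":
        ok = data.startswith(MAGIC["xlsx"]) and _is_xlsx(data)
    else:
        ok = _is_text_table(data, ext)
    if not ok:
        raise UploadRejected(f"content does not match declared type {ext!r}")
    return {"type": ext, "size": len(data), "storage_key": f"{secrets.token_hex(16)}.{ext}"}


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def build_xlsx_fixture() -> bytes:
    """Constructed minimal OOXML-shaped ZIP, used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

The order matters: the size check runs before anything touches the bytes, and the ZIP is only opened after the prefix check, so an attacker cannot make the validator do expensive work on an arbitrary blob.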

AI Data Usage Policy

In Place

Data submitted to the PSM application is not used to train any AI model. AI processing is performed on-demand and results are stored only within the customer's workspace. No data is shared across workspaces.

Access Control & Identity

Access is controlled through federated identity, role-based permissions, and mandatory multi-factor authentication for staff accounts.

Federated OAuth 2.0 / OIDC Authentication

In Place

Users authenticate via Manus OAuth, an OIDC-based identity provider. No passwords are stored by the PSM application. CSRF protections are in place on all authentication flows.
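The CSRF protection on an OIDC authorization-code login, as an added example that is not the PSM application's or Manus OAuth's code: a one-time state value and a PKCE verifier are bound to the server-side session when the login starts, the state is checked with a constant-time compare when the IdP redirects back, and it is consumed whether or not the check passes so a callback cannot be replayed. The endpoint URLs, client_id and the dictionary standing in for the session store are assumptions made for the example.

```python
"""OIDC authorization-code flow: state (CSRF) and PKCE binding on the relying party.

Added illustration, not the PSM application's or Manus OAuth's code. The
URLs, CLIENT_ID and the dict used as a session store are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example/oauth/authorize"      # assumed
CLIENT_ID = "psm-web"                                      # assumed
REDIRECT_URI = "https://app.example/auth/callback"         # assumed


class AuthError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(session: dict) -> str:
    """Store one-time state, nonce and PKCE verifier in the server-side session
    and return the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 bounds
    session["oidc"] = {"state": state, "nonce": nonce, "verifier": verifier}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the IdP before exchanging the code.

    The pending login is popped first, so the state is single-use even when
    validation fails. The state compare is constant-time. Returns what the
    token request needs; the nonce is later matched against the id_token.
    """
    pending = session.pop("oidc", None)
    if pending is None:
        raise AuthError("no login in progress for this session")
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise AuthError(f"idp returned error {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    code = qs.get("code", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise AuthError("state mismatch: possible CSRF or stale login")
    if not code:
        raise AuthError("missing authorization code")
    return {"code": code, "code_verifier": pending["verifier"], "expected_nonce": pending["nonce"]}


def callback_rejected(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True when handle_callback refuses the redirect."""
    try:
        handle_callback(session, callback_url)
    except AuthError:
        return True
    return False
```

The PKCE verifier stays in the session and only travels in the back-channel token request, which is what prevents an intercepted authorization code from being redeemed by anyone else; the state alone does not protect against that.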

Multi-Factor Authentication (TOTP)

In Place

Application-level MFA using TOTP authenticator apps (RFC 6238) is implemented and mandatory for all ERI staff accounts. Workspace owners can enforce MFA for every member of their workspace. MFA secrets are encrypted at rest using AES-256-GCM.

Implemented March 2026
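What a TOTP check actually verifies, as an added example rather than the PSM application's MFA code: the RFC 4226 HMAC-SHA1 truncation, the 30-second time step, a one-step drift window, a constant-time compare, and a record of the last accepted counter so a code captured in transit cannot be reused inside its validity window. Only the TOTP arithmetic is shown; the AES-256-GCM encryption of the stored secret that the page describes is assumed to happen in a key-management layer outside this snippet. The secret used in the test is the RFC 6238 reference key, not a value from this page.

```python
"""RFC 6238 TOTP verification with a drift window and replay protection.

Added illustration, not the PSM application's MFA code. Encryption of the
stored secret (AES-256-GCM per the page) is assumed to live elsewhere.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int) -> tuple:
    """Return (accepted, new_last_counter).

    Each candidate counter in the window is compared in constant time, and a
    counter at or below last_counter is refused so an intercepted code cannot
    be replayed while it is still within the window.
    """
    if len(code) != DIGITS or not code.isdigit():
        return False, last_counter
    now_counter = at // STEP
    for candidate in range(now_counter - WINDOW, now_counter + WINDOW + 1):
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_counter


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (the otpauth:// URI)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

Persisting `new_last_counter` per user is the part most home-grown implementations skip; without it the same six digits remain valid for up to 90 seconds with a one-step window, which is long enough for a phished code to be replayed.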

Role-Based Access Control

In Place

Access within each workspace is governed by role-based permissions. Workspace owners control member access, and all permission changes are logged in the audit trail.

Corporate SSO / Azure AD Federation

Roadmap

Direct Azure AD (Microsoft Entra ID) federation is not currently supported; enterprise users authenticate via Manus OAuth. Azure AD federation is on the roadmap for enterprise customers that require corporate SSO.

Roadmap — dependent on Manus platform support

Workspace Isolation & Multi-Tenancy

Each organisation on the platform operates within a fully isolated workspace. Data from one organisation cannot be accessed by another — by design and by enforcement.

Logical Workspace Isolation

In Place

Every data record, including client portfolios, project data, roadmaps, assessments, and configurations, carries a workspace identifier that is set at creation and applied as a predicate on every database query. This shared-schema, tenant-keyed model is the logical isolation approach used by large multi-tenant SaaS platforms such as Salesforce, Microsoft 365, and Google Workspace.

Server-Side Tenant Enforcement

In Place

Workspace boundaries are enforced at the API layer on every request. The workspace identifier is derived from the authenticated session and the user's verified membership, never from client-supplied parameters, so altering identifiers in the browser cannot return data from another workspace. All data access is validated against the authenticated user's workspace membership.
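The difference between the two preceding items (a tenant column on every row, and server-side enforcement of it) as an added example that is not the PSM data layer: the unsafe handler trusts a workspace_id the client sends, so the column alone does not stop a user from reading another tenant's portfolio; the hardened handler takes the workspace from the session, re-checks membership on the request, and keeps the tenant predicate in the query. The schema, the two sample workspaces and the request shape are constructed for the example.

```python
"""Tenant scoping: the workspace comes from the session, never from the request.

Added illustration, not the PSM data layer. Schema and sample rows are
constructed for the example.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    """In-memory database with two workspaces and one portfolio each (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memberships (user_id TEXT, workspace_id TEXT, role TEXT);
        CREATE TABLE portfolios (
            id INTEGER PRIMARY KEY,
            workspace_id TEXT NOT NULL,
            name TEXT
        );
        INSERT INTO memberships VALUES ('alice', 'ws-acme', 'owner'),
                                       ('bob',   'ws-globex', 'member');
        INSERT INTO portfolios VALUES (1, 'ws-acme',   'Acme real estate'),
                                      (2, 'ws-globex', 'Globex fleet');
    """)
    return db


def get_portfolio_unsafe(db: sqlite3.Connection, request: dict):
    """BAD: the tenant predicate is present, but its value is whatever the
    client put in the request, so editing one parameter reads another tenant."""
    return db.execute(
        "SELECT id, workspace_id, name FROM portfolios WHERE id = ? AND workspace_id = ?",
        (request["portfolio_id"], request["workspace_id"]),
    ).fetchone()


def get_portfolio(db: sqlite3.Connection, session_user: str, active_workspace: str, portfolio_id: int):
    """Hardened: active_workspace comes from the server-side session, membership
    is re-verified on this request, and the tenant predicate is bound to that
    verified value. A row from another workspace looks identical to a missing one."""
    member = db.execute(
        "SELECT 1 FROM memberships WHERE user_id = ? AND workspace_id = ?",
        (session_user, active_workspace),
    ).fetchone()
    if member is None:
        return None
    return db.execute(
        "SELECT id, workspace_id, name FROM portfolios WHERE id = ? AND workspace_id = ?",
        (portfolio_id, active_workspace),
    ).fetchone()
```

Returning the same `None` for "wrong workspace" and "does not exist" also avoids leaking which identifiers are valid in other tenants.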

Workspace-Scoped Audit Logging

In Place

All significant actions within a workspace — including data access, member changes, and configuration updates — are recorded in a tamper-evident audit log accessible to workspace owners.
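One way a log becomes tamper-evident, as an added example that is not the PSM audit implementation: each entry carries the hash of its predecessor, so editing, deleting or reordering an entry breaks the chain on verification. Silent truncation of the tail is the one edit a chain cannot detect on its own, which is why the example also verifies against an externally recorded head hash. The entry fields and sample events are constructed for the example.

```python
"""Hash-chained, workspace-scoped audit log.

Added illustration, not the PSM audit implementation. Entry layout and the
sample events are constructed for the example.
"""
import hashlib
import json

GENESIS = "0" * 64


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the same.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    def __init__(self, workspace_id: str):
        self.workspace_id = workspace_id
        self.entries = []

    def append(self, actor: str, action: str, target: str, ts: int) -> dict:
        """Append an event that commits to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "workspace_id": self.workspace_id,
            "ts": ts,
            "actor": actor,
            "action": action,
            "target": target,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; record this out of band (e.g. in a daily
        export) so later truncation of the log can be detected."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: str = None) -> tuple:
        """Return (ok, first_bad_seq); first_bad_seq is -1 when intact.

        Checks sequence numbers, each entry's own hash, and the link to its
        predecessor. With expected_head it also detects dropped tail entries.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1
```

Keying every entry by workspace_id, and hashing that field with the rest, means an entry cannot be moved between workspaces without breaking both chains.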

Physical Database Separation

Roadmap

All workspaces currently share the same underlying database infrastructure with strict logical isolation. Physical database separation per customer is on the roadmap as part of a planned migration to a dedicated high-security hosting environment.

Roadmap — planned for enterprise tier

Incident Response & Disclosure

ERI maintains a responsible disclosure policy and a documented incident response process. Security issues are taken seriously and addressed promptly.

Responsible Disclosure Policy

In Place

Security researchers and customers can report vulnerabilities directly to the ERI team. All reports are acknowledged within 48 hours and triaged within 5 business days.

Contact: [email protected]

Incident Response Process

In Place

A documented incident response process is in place, covering detection, containment, eradication, recovery, and post-incident review. Affected customers are notified without undue delay and no later than 72 hours after a breach is confirmed, so that customers acting as data controllers can meet their own 72-hour notification duty to supervisory authorities under GDPR Article 33.

Penetration Testing

Partial

The PSM application undergoes periodic penetration testing. Results are reviewed by the ERI engineering team and remediation plans are documented. Reports are available to enterprise customers under NDA.

Available under NDA — contact ERI

Dependency & Vulnerability Management

In Place

Automated dependency scanning is in place. Critical vulnerabilities in dependencies are patched within 7 days of disclosure. Security advisories are monitored continuously.

Frequently Asked Questions

Common questions from IT managers, procurement teams, and security reviewers.

Enterprise Security Documentation

Enterprise customers can request the full PSM Security Baseline Assessment report, the Manus SOC 2 Type II report (available under NDA), and ERI's data processing agreement. Contact the ERI team to initiate the documentation request.

This page was last updated March 2026. Security posture is reviewed on a continuous basis. For the most current information on the hosting platform's certifications, visit trust.manus.im.