Security & privacy, certified
Tag Insight audits your tracking, so we hold ourselves to a higher bar on data protection. Our information security management system is ISO/IEC 27001:2022 certified and independently audited every year.

ISO/IEC 27001:2022 certified
- Standard
- ISO/IEC 27001:2022
- Certificate n°
- CT-ISMS-022026-0CU02322
- Certification body
- Certi-Trust France (COFRAC accredited, n° 4-0612)
- Valid
- Feb 23, 2026 - Feb 22, 2029, with annual surveillance audits
- Scope
- The information security management system covering the design, development and operation of the Tag Insight SaaS platform.
Verify authenticity anytime with the certification body at certification@certi-trust.com.
The safeguards behind your data
The controls below are part of the certified management system and apply to every scan, audit and tagging plan on the platform.
Encryption in transit and at rest
All traffic between your browser, our crawlers and our APIs is encrypted with TLS 1.2+. Scan results, tagging plans and account data are encrypted at rest with AES-256.
EU data hosting
The platform and its databases run on European cloud infrastructure. Your tracking data is stored and processed inside the EU and never leaves it for operations.
Access control & MFA
Access to production follows least privilege: role-based permissions, multi-factor authentication for every employee account, and access reviews on a fixed schedule.
Backups & continuity
Data is backed up automatically with point-in-time recovery, and restore procedures are tested regularly as part of our business-continuity plan.
Monitoring & logging
Infrastructure and application events are centrally logged and monitored, with alerts on anomalous access patterns and security-relevant changes.
Incident response
A documented incident-response process defines detection, containment, communication and post-mortem steps, including notification obligations under GDPR.
GDPR & DPA
Tag Insight acts as a processor for the data you scan. A Data Processing Agreement is part of every contract, and data-subject requests are honoured end to end.
Subprocessors & data minimisation
We collect only what the audits need, keep it no longer than necessary, and hold every subprocessor to the same contractual security commitments.
Questions about security?
Need our DPA, the subprocessor list, or answers for a vendor security review? We are happy to help.
Contact us