Most Voice of the Customer (VoC) platforms are not ISO 27001 certified. For regulated enterprises in banking, insurance, utilities, and telco — where customer feedback contains personal data, sensitive complaint details, and commercially privileged information — this is a procurement blocker.
Ipiphany AI is ISO 27001 certified and GDPR aligned, with a no-training-on-customer-data policy and an on-premises deployment option. It is the only ISO 27001-certified text intelligence platform available from US $83/month.
If your information security team, DPO, or procurement function has raised ISO 27001 as a requirement for a VoC platform evaluation, this article explains what the standard covers, where most mid-market tools fall short, and what to look for in any platform you are assessing.
In a regulated industry, a verbatim dataset from a complaints survey or NPS programme can contain full names, account references, descriptions of financial hardship, health conditions, and commercially sensitive service failures. This data falls directly under GDPR Article 9 special categories. The platform that analyses it touches it — it processes, stores, and in some cases trains models on it.
For a regulated enterprise, the question is not just "does the platform work?" It is "can we prove to our information security team, our DPO, and our regulator that this platform handles the data appropriately?"
ISO 27001 is the international standard for Information Security Management Systems. Certification means an independent auditor has verified that the platform provider's controls, processes, and policies meet the standard's requirements. It is not a guarantee of zero incidents. It is a verifiable, auditable baseline that satisfies the due diligence requirement most regulated enterprises apply to third-party data processors.
Enterprise-tier platforms — Qualtrics, Medallia, Verint — hold some form of security certification. But their entry price is measured in hundreds of thousands of dollars per year. For mid-market banks, regional utilities, and specialist insurers, these platforms are out of scope.
Below enterprise pricing, most mid-market feedback analytics tools fall short in several ways:
For procurement teams in regulated industries evaluating any VoC or text analytics platform, these are the questions that matter and what each answer should tell you.
| Security criterion | What to look for | Why it matters |
|---|---|---|
| ISO 27001 certification | Current certificate, issuing body, scope statement | Third-party verification of ISMS controls |
| SOC 2 Type II report | Type II (12-month audit period), not just Type I | Continuous operational controls, not a point-in-time snapshot |
| GDPR alignment | DPA template, data flows documentation, lawful basis | Required for processing EU personal data |
| Data training policy | Written policy confirming no training on client data | Prevents your proprietary intelligence from training shared models |
| Data residency options | EU-region hosting, on-premises, sovereignty commitments | Required for national data localisation requirements |
| Subprocessor list | Full list of third-party subprocessors and certifications | Assesses chain-of-custody for your data |
| Incident notification SLA | Breach notification within 72 hours (GDPR minimum) | Confirms contractual obligations around breach response |
| Access controls | Role-based access, MFA, audit logging | Limits exposure of verbatim customer data internally |
| Penetration testing | Third-party pen test within last 12 months | Evidence of active security assurance, not just policy |
| Data deletion | Defined retention periods, verifiable deletion on request | Required under GDPR Article 17 (right to erasure) |
FCA Consumer Duty requires firms to evidence consumer outcomes from VoC data. The Bank of England's SS2/21 also requires documented risk assessments of third-party data processors. Complaints root cause analysis may include Article 9 special category data — ISO 27001 and a robust DPA are the minimum baseline.
Claims verbatims and policyholder complaints frequently contain medical and financial personal data. GDPR Article 9 applies directly. EU-region data residency is increasingly required by DPOs assessing VoC platforms for re-procurement.
OFWAT- and OFGEM-regulated firms face increasing pressure to demonstrate consumer outcomes monitoring. Verbatim data from service failure complaints may contain vulnerability and financial difficulty signals that require elevated data handling controls.
Communications data is regulated under ePrivacy rules in the EU in addition to GDPR. Contact centre transcripts and survey verbatims are particularly sensitive. Multi-jurisdiction operators need a platform that can handle varied data residency requirements.
A mid-market bank wants to analyse 18 months of NPS verbatims — approximately 40,000 open-ended responses — to understand the root cause of a satisfaction decline in digital banking. Some comments reference specific financial circumstances. Many contain first names and partial account references.
Before analysis begins, the information security team asks three questions:
With Ipiphany AI, the answers are:
The analysis begins. Within approximately 10 minutes of upload, the team has a structured view of root causes traced back to exact verbatims, segmented by customer type and time period. The output is defensible in a governance meeting because every claim can be verified against a source comment.
The same analysis, on a platform without ISO 27001 certification, would not pass the security gateway — regardless of how good the analytics output is. The security gap comes before the product conversation begins.
If ISO 27001, GDPR alignment, or data residency have been raised as requirements, the fastest path forward is a conversation with the Ipiphany team. We will walk through the security documentation alongside the product.