Built to international best practice.

No vibe, no vaporware. Ecology App is operated according to the principles of ISO 9001 (quality), ISO 27001 (information security), ISO 42001 (AI management), and ISO 31000 (risk). Security controls assessed against OWASP ASVS Level 2.

The Ecology App is built by engineers with decades of experience in high-risk, highly regulated and scrutinised sectors. We have brought that discipline to bear on the Ecology App. From day one we've been building the management and engineering processes that would support growing by orders of magnitude.

The standards we work to

The platform is operated in accordance with the principles of four ISO standards, with the supporting evidence base maintained as part of an integrated management system that covers all four together:

  • ISO 9001:2015 — Quality Management. Documented project lifecycle, change control, version-history discipline, post-incident review, customer feedback loop
  • ISO 27001:2022 — Information Security Management. Risk register, asset inventory, access control, incident response, supplier security, secure development lifecycle, cryptography policy, business continuity
  • ISO 42001:2023 — AI Management Systems. AI use-case register, model governance, transparency, human oversight, bias and harm assessment for AI features (LLM-narrated reports, satellite habitat classification)
  • ISO 31000:2018 — Risk Management. Integrated risk methodology spanning all four standards above

Ecology App is not yet certified to any of these standards. We do run the integrated management system — the procedures, management reviews, and internal audits — that certification would require. We'll pursue formal certification once revenue justifies the audit cost.

OWASP ASVS Level 2

The platform's security controls are assessed against the OWASP Application Security Verification Standard, Level 2 — the de facto control set for B2B SaaS that handles sensitive data without holding sector-specific (PCI / healthcare) certifications. The self-assessment is reviewed on a rolling cadence; the working document is part of the platform's audit programme.

What this means in practice

Every code change passes through code review, automated security scans (Trivy, Semgrep, ZAP), unit and integration tests, and a deployment pipeline that verifies health before promoting to production. Every supplier is logged on a register with a security posture review. Every credential is rotated on a documented schedule. Every backup is verify-restored weekly. Every audit log is retained for the documented horizon. Every incident gets a post-incident review with documented corrective actions.

The point isn't the certifications. The point is that the platform is operated by an engineering culture that takes its responsibilities seriously — for the landowners whose records sit in the database, for the consultancies whose evidence base depends on it, and for the funders, regulators, and beneficiaries who eventually look at the outputs.

Medway Catchment

Restoring the River Medway — landscape-scale, partnership-led

A Medway Catchment Partnership branded tenancy on the Ecology platform · Hosted by Owletts Farm Partnership · Convenor: South East Rivers Trust