Twelve questions we get on every call.
If your question isn't here, send it to us. We'll answer it, and add it to the list.
Procurement & contracting
What's the contract model? Annual subscription or perpetual licence?
Annual subscription, in almost every case. We price on scheme volume, reporting cadence and support scope — never seats. Standard term: twelve months from signature, auto‑renewing unless either side gives sixty days' notice. Multi‑year terms are available at a discount. We don't sell perpetual licences because the validation frameworks, methodology and reports are actively maintained — locking you to a frozen version would do neither of us a favour.
What's the cancellation clause?
Sixty days' notice to the renewal date. No claw‑back on the year in flight, no auto‑renewal traps. Pilot engagements are fixed‑fee with no renewal at all — if you don't want to continue, you don't.
Is Risk Studio framework‑approved?
Risk Studio is live in production on a major UK infrastructure delivery programme via a Tier‑1 partner contract. We aren't on a standalone government framework yet — that's deliberate. We'd rather earn the next framework on the back of real client outcomes than chase listings. If you're in a procurement that requires a specific framework, talk to us early — we typically reply on a per‑client basis at hello@somaprojectcontrols.com.
What's your supplier viability — insurance, registered office, financials?
SOMA Project Controls Ltd is a UK‑registered company, D‑U‑N‑S® 232556078, registered office c/o Fortis Accountancy Services Ltd, Middlesbrough, TS3 8TF. Professional indemnity, public liability and employer's liability insurance are held through a UK broker — certificates and limits are shared as part of the standard supplier onboarding pack. Latest filed accounts and a financial viability summary are available on request for procurement teams.
Security & data
Where is the data hosted?
By default, on your hardware. Risk Studio is a local‑first application — the server runs on localhost and the browser opens to 127.0.0.1:8000. In normal operation there are no outbound network calls. For teams that want a shared environment, we deploy Risk Studio into your Azure tenancy (you hold the keys, you control egress) or onto a SOMA‑managed environment with signed contractual data‑handling terms. Full detail on the Security page.
Who can access it? What happens to my data if we cancel?
For local install: only the people you give the machine and the files to. For private cloud: only the identities your IT team provisions. For SOMA‑managed deployments, named SOMA engineers under DPA — fewer than five people, individually identifiable, audit‑logged. On cancellation, we delete all your data and project artefacts within thirty days and provide a written confirmation. You can request earlier deletion at any time.
Are you Cyber Essentials / SOC 2 / ISO 27001 certified or in progress?
Formal certifications are on our roadmap; current status is available on request when you scope the engagement. For procurements where a specific certification is mandatory today, talk to us — we won't bluff.
Methodology & defensibility
How do you validate against Safran?
We benchmark every Monte Carlo scheme against Safran and share the per‑scheme comparison under NDA. Parity validation is ongoing; we publish the benchmark register to procurement teams on request. The full methodology — sampling, NORTA, Higham PSD, convergence, attribution — is on the Methodology page.
What's "audit‑replay" actually?
Every run is captured as an immutable bundle — inputs, configuration, seed, code version, output hashes — and added to an HMAC‑chained log. Any historic period can be re‑run from that bundle and will produce byte‑identical outputs. If an assurance reviewer or a regulator wants to spot‑check a number from six months ago, you don't ask anyone to remember what they did — you re‑run the period and show the same numbers.
Can it stand up to an ORR / regulator review? Whose methodology is the SOMA QSRA Readiness V2.9?
The SOMA QSRA Readiness V2.9 is our own framework, built from the schemes we've inherited, the mistakes we've seen repeated, and the questions assurance teams keep asking. Thirty‑nine checks across input quality, distribution discipline, correlation hygiene and schedule fitness — every one with a published rationale, a threshold, and a remediation. It's reviewed annually and version‑stamped on every report. For ORR‑style reviews we expect questions on methodology, sampling, traceability and audit chain — that's exactly what we've designed for.
Practical
How long does first deploy take?
For a local install on a Mac or Windows machine: under an hour from the installer landing to the first scheme loaded. For an Azure private‑cloud deployment: usually a working week, gated by your IT team's provisioning. A pilot engagement — one scheme, validated and modelled with a written debrief — typically lands inside two weeks of kick‑off.
Do you train our team?
Yes. Every engagement includes onboarding for the named users — analysts, planners, RAMs, risk managers and assurance signatories. We run a half‑day workshop on the validator and the Monte Carlo engine, and a separate session on Schedule Lens. After that, we sit alongside the team on the first couple of periods so the tooling and the workflow bed in together. Most teams are running independently by month three.
Ask the thirteenth. We'll add it to the list.
We reply personally. Email hello@somaprojectcontrols.com with the subject prefix [FAQ] and we'll add the answer here for the next reader.