Security
Security by design, not afterthought
- TLS 1.2+ enforced on all service endpoints
- AES-256 encryption for sensitive data at rest
We are specific about what data we collect, how long we keep it, where it lives, and who can see it. Your business data is not used to train models, sold to third parties, or retained beyond what you authorise.
We collect only the data that a system needs to function. During design we identify every data field, justify its collection, and remove anything that is not operationally necessary. You will never find us storing data "just in case".
Every system we deliver includes a data retention schedule. Transactional logs, AI outputs, user inputs, and operational data each have a defined retention period. Automated deletion or archival is implemented where technically feasible.
Your business data is not used to train any AI model — ours or a third-party provider's. When we use AI APIs, we use providers whose terms explicitly prohibit training on customer inputs, and we document which providers are in use.
If your procurement, regulatory, or governance requirements specify that data must remain within the EU, UK, or a specific cloud region, we design for that from the start. We deploy to Azure UK South, Azure West Europe, AWS eu-west-2, or equivalent.
We document every third-party service that handles your data — cloud providers, AI APIs, monitoring tools, and error trackers. You receive a subprocessor list as part of the delivery package and we notify you before adding new ones.
Client data is logically segregated from other clients. Production data is never accessed in development or testing environments. Access to production data by our engineers requires explicit authorisation and is logged.
No. Your business data is not used to train any model or improve any service — ours or a third party's. We select AI API providers whose terms explicitly prohibit using customer inputs for training, and we document those providers by name.
Yes. We design for your data residency requirements from the start. If you need data to remain in the UK or EU, we configure deployment to the appropriate cloud region — Azure UK South, Azure West Europe, AWS eu-west-2, or your preferred equivalent. This is not a retrofit; it is an architecture decision we make before building.
We produce a subprocessor list as part of every delivery. This documents every cloud provider, AI API, monitoring service, or error tracker that may handle your data. We notify you before adding any new subprocessor to a live system.
Every system we build includes documented data retention periods and deletion procedures. For systems handling personal data, we implement deletion workflows that can be triggered by request. We test these workflows before go-live.