Your data stays yours.
Your code stays private.
We handle enterprise data every day — NHS-linked systems, financial records, industrial IP. This page explains exactly how we treat it, where it lives, who can touch it, and what happens if something goes wrong. In plain English, not legalese.
Six commitments. Every engagement.
Data residency
Where your data lives, is processed, and is backed up.
AI & model handling
How we use AI on your data without giving it away.
GDPR & regulatory compliance
UK GDPR, NHS Digital, Data Protection Act 2018.
Access & security controls
Who can see your data, how it's encrypted, what's logged.
Sub-processors
The full list of third parties, and what each is used for.
Incident response
What we do — and by when — if something goes wrong.
Your data never leaves the UK or EU.
Every byte of customer data we process lives in UK or EU jurisdictions. Every engineer with access to it is UK-based. Every sub-processor we use is bound to the same residency rule by contract.
This isn't a "reasonable efforts" claim. It's a hard boundary. If a project genuinely requires processing outside those regions — vanishingly rare — we tell you before kick-off, in writing, and you sign off before we proceed.
We use AI to build for you — not the other way around.
The most common enterprise question about AI vendors in 2026 is simple: "will my data end up training your model?" Our answer is a straight no, and we back it up with specific technical choices.
Zero-retention AI endpoints
We only use enterprise AI endpoints with contractual zero-retention terms. Providers cannot log, cache, or persist your prompts or completions.
- Anthropic (zero-retention API)
- OpenAI Enterprise (zero-retention tier)
- Azure OpenAI (with 30-day abuse-monitoring opt-out)
No training on your data
Your data is never used to train, fine-tune, or improve any model — ours or a vendor's. This is contractual with every AI provider we work with.
- Explicit no-training clauses with all vendors
- Prompt and response logging strictly opt-in
- Fine-tunes trained on your data stay under your ownership
Self-hosted options
For sensitive workloads — patient data, financial records, IP-critical systems — we run open-weight models on infrastructure inside your VPC. Nothing leaves your perimeter.
- Llama 3, Mistral, and other open-weight models
- Deploy into your existing AWS, Azure, or GCP tenancy
- Full audit trail of every model invocation
Auditable AI use
Every AI-generated output in our delivery workflow is logged with model, version, prompt hash, and reviewer. If it went into your codebase, we can prove exactly how.
- Model provenance recorded for every artefact
- Human review sign-off required for production changes
- Full audit trail available on request
Built for UK regulation. Practised on NHS-grade systems.
We've spent years shipping software into NHS-linked and financially regulated environments. UK GDPR isn't a compliance overlay for us — it's baked into how we scope, build, and hand over every engagement.
Frameworks we align with
The rights we protect
Under UK GDPR, data subjects have specific rights over their personal data. We support you in fulfilling all of them, whether the data is in a system we built or one we operate for you.
Right of access
Data subjects can request a full copy of their personal data. We provide export tooling for every system we build.
Right to erasure
"Right to be forgotten" workflows built into every system by default. Includes derived data, backups, and audit logs where lawful.
Right to rectification
Correction workflows with audit trail. Downstream systems notified automatically where required.
Right to data portability
Machine-readable exports (JSON, CSV) supported natively. No format lock-in.
Right to object
Opt-out mechanisms surfaced clearly in user-facing systems. Preferences honoured across services.
Automated decision rights
Where AI makes decisions affecting users, explanations are logged, contestability is built in, and human review paths are always available.
Least privilege. Encrypted everywhere. Fully logged.
Access to customer data is scoped tightly, granted only when needed, revoked immediately when engagements end, and audit-logged from day zero. No shared admin accounts. No shoulder-surfing. No exceptions.
Read-only by default
We request read-only access unless a specific task requires write. Elevated access is scoped, time-boxed, and requires named approval from your side.
MFA and SSO enforced
Every engineer authenticates with multi-factor auth. SSO with your identity provider (Okta, Azure AD, Google) supported and preferred for engagements where it fits.
Encryption at rest and in transit
AES-256 at rest, TLS 1.3 in transit. Managed keys via HSM-backed KMS in every cloud we operate in. Bring-your-own-key supported.
Full audit logging
Every access, query, deploy, and model invocation logged with actor, timestamp, and payload hash. Logs immutable, retained for the engagement plus 90 days.
Endpoint hardening
All engineer laptops encrypted, patched, and MDM-managed. No customer data on personal devices, ever. No local database dumps without written approval.
Departure protocol
When an engineer leaves the team, or an engagement ends, access is revoked the same working day. Audit log stays live and is delivered to you on request.
The full list. Nothing hidden.
These are the third parties we may use to deliver services on your behalf. Every one is bound by contract to the same data protection standards we hold ourselves to. We update this list at least quarterly and notify affected clients when it changes.
Full sub-processor list including DPAs available under mutual NDA. Notification of changes: 30 days in advance for material additions.
If something goes wrong, here's what happens.
No security programme is perfect. What matters is how quickly we detect, contain, and communicate. Our incident response plan is documented, rehearsed, and holds to specific timeboxes — including notification well inside UK GDPR's 72-hour requirement.
A written post-incident report follows within 10 working days for every reportable event. Root cause, timeline, remediation, and any changes to controls — nothing withheld from affected clients.
Things your legal, procurement, and infosec teams will ask.
Named humans. Real inboxes.
Trust is a conversation, not a page. If you have a specific question about how we'd handle your data, contact the relevant team directly — no support ticket queues.
Data protection queries
Security & incident reporting
Data Protection Officer
Regulator contact
Have a specific compliance question?
Talk to us directly. We'll answer your infosec team's questions with the depth they expect — and provide DPAs, sub-processor lists, and audit evidence on request.
Your data stays yours.
Your code stays private.
We handle enterprise data every day — NHS-linked systems, financial records, industrial IP. This page explains exactly how we treat it, where it lives, who can touch it, and what happens if something goes wrong. In plain English, not legalese.
Six commitments. Every engagement.
Data residency
Where your data lives, is processed, and is backed up.
AI & model handling
How we use AI on your data without giving it away.
GDPR & regulatory compliance
UK GDPR, NHS Digital, Data Protection Act 2018.
Access & security controls
Who can see your data, how it's encrypted, what's logged.
Sub-processors
The full list of third parties, and what each is used for.
Incident response
What we do — and by when — if something goes wrong.
Your data never leaves the UK or EU.
Every byte of customer data we process lives in UK or EU jurisdictions. Every engineer with access to it is UK-based. Every sub-processor we use is bound to the same residency rule by contract.
This isn't a "reasonable efforts" claim. It's a hard boundary. If a project genuinely requires processing outside those regions — vanishingly rare — we tell you before kick-off, in writing, and you sign off before we proceed.
We use AI to build for you — not the other way around.
The most common enterprise question about AI vendors in 2026 is simple: "will my data end up training your model?" Our answer is a straight no, and we back it up with specific technical choices.
Zero-retention AI endpoints
We only use enterprise AI endpoints with contractual zero-retention terms. Providers cannot log, cache, or persist your prompts or completions.
- Anthropic (zero-retention API)
- OpenAI Enterprise (zero-retention tier)
- Azure OpenAI (with 30-day abuse-monitoring opt-out)
No training on your data
Your data is never used to train, fine-tune, or improve any model — ours or a vendor's. This is contractual with every AI provider we work with.
- Explicit no-training clauses with all vendors
- Prompt and response logging strictly opt-in
- Fine-tunes trained on your data stay under your ownership
Self-hosted options
For sensitive workloads — patient data, financial records, IP-critical systems — we run open-weight models on infrastructure inside your VPC. Nothing leaves your perimeter.
- Llama 3, Mistral, and other open-weight models
- Deploy into your existing AWS, Azure, or GCP tenancy
- Full audit trail of every model invocation
Auditable AI use
Every AI-generated output in our delivery workflow is logged with model, version, prompt hash, and reviewer. If it went into your codebase, we can prove exactly how.
- Model provenance recorded for every artefact
- Human review sign-off required for production changes
- Full audit trail available on request
Built for UK regulation. Practised on NHS-grade systems.
We've spent years shipping software into NHS-linked and financially regulated environments. UK GDPR isn't a compliance overlay for us — it's baked into how we scope, build, and hand over every engagement.
Frameworks we align with
The rights we protect
Under UK GDPR, data subjects have specific rights over their personal data. We support you in fulfilling all of them, whether the data is in a system we built or one we operate for you.
Right of access
Data subjects can request a full copy of their personal data. We provide export tooling for every system we build.
Right to erasure
"Right to be forgotten" workflows built into every system by default. Includes derived data, backups, and audit logs where lawful.
Right to rectification
Correction workflows with audit trail. Downstream systems notified automatically where required.
Right to data portability
Machine-readable exports (JSON, CSV) supported natively. No format lock-in.
Right to object
Opt-out mechanisms surfaced clearly in user-facing systems. Preferences honoured across services.
Automated decision rights
Where AI makes decisions affecting users, explanations are logged, contestability is built in, and human review paths are always available.
Least privilege. Encrypted everywhere. Fully logged.
Access to customer data is scoped tightly, granted only when needed, revoked immediately when engagements end, and audit-logged from day zero. No shared admin accounts. No shoulder-surfing. No exceptions.
Read-only by default
We request read-only access unless a specific task requires write. Elevated access is scoped, time-boxed, and requires named approval from your side.
MFA and SSO enforced
Every engineer authenticates with multi-factor auth. SSO with your identity provider (Okta, Azure AD, Google) supported and preferred for engagements where it fits.
Encryption at rest and in transit
AES-256 at rest, TLS 1.3 in transit. Managed keys via HSM-backed KMS in every cloud we operate in. Bring-your-own-key supported.
Full audit logging
Every access, query, deploy, and model invocation logged with actor, timestamp, and payload hash. Logs immutable, retained for the engagement plus 90 days.
Endpoint hardening
All engineer laptops encrypted, patched, and MDM-managed. No customer data on personal devices, ever. No local database dumps without written approval.
Departure protocol
When an engineer leaves the team, or an engagement ends, access is revoked the same working day. Audit log stays live and is delivered to you on request.
The full list. Nothing hidden.
These are the third parties we may use to deliver services on your behalf. Every one is bound by contract to the same data protection standards we hold ourselves to. We update this list at least quarterly and notify affected clients when it changes.
Full sub-processor list including DPAs available under mutual NDA. Notification of changes: 30 days in advance for material additions.
If something goes wrong, here's what happens.
No security programme is perfect. What matters is how quickly we detect, contain, and communicate. Our incident response plan is documented, rehearsed, and holds to specific timeboxes — including notification well inside UK GDPR's 72-hour requirement.
A written post-incident report follows within 10 working days for every reportable event. Root cause, timeline, remediation, and any changes to controls — nothing withheld from affected clients.
Things your legal, procurement, and infosec teams will ask.
Named humans. Real inboxes.
Trust is a conversation, not a page. If you have a specific question about how we'd handle your data, contact the relevant team directly — no support ticket queues.
Data protection queries
Security & incident reporting
Data Protection Officer
Regulator contact
Have a specific compliance question?
Talk to us directly. We'll answer your infosec team's questions with the depth they expect — and provide DPAs, sub-processor lists, and audit evidence on request.