Skip to Content
Wolf Logic — Trust & Data Protection
UK-based · GDPR-aligned · No training on your data

Your data stays yours.
Your code stays private.

We handle enterprise data every day — NHS-linked systems, financial records, industrial IP. This page explains exactly how we treat it, where it lives, who can touch it, and what happens if something goes wrong. In plain English, not legalese.

UK / EU only
Data residency, processing, and support
Zero retention
AI endpoints don't retain your prompts or code
Zero training
Your data is never used to train any model
30 days
Post-engagement data deletion by default
This page reflects our current, live commitments.
Version 2.0 Last updated April 2025 Next review October 2025
On this page

Six commitments. Every engagement.

01 · Data residency

Your data never leaves the UK or EU.

Every byte of customer data we process lives in UK or EU jurisdictions. Every engineer with access to it is UK-based. Every sub-processor we use is bound to the same residency rule by contract.

This isn't a "reasonable efforts" claim. It's a hard boundary. If a project genuinely requires processing outside those regions — vanishingly rare — we tell you before kick-off, in writing, and you sign off before we proceed.

Data at rest
Stored in UK regions on encrypted volumes. EU regions available where required by client contract.
LIVE
Data in transit
TLS 1.3 for all customer connections. Certificate pinning on production endpoints.
LIVE
Backups
Encrypted, versioned, held in the same jurisdiction as primary data. Never cross-region.
LIVE
Engineering access
100% UK-based team. No offshore development. No third-country access without written client approval.
LIVE
Cross-border transfers
None as default. If required for a specific engagement, governed by UK IDTA / EU SCCs and disclosed up-front.
LIVE
02 · AI & model handling

We use AI to build for you — not the other way around.

The most common enterprise question about AI vendors in 2026 is simple: "will my data end up training your model?" Our answer is a straight no, and we back it up with specific technical choices.

Zero-retention AI endpoints

We only use enterprise AI endpoints with contractual zero-retention terms. Providers cannot log, cache, or persist your prompts or completions.

  • Anthropic (zero-retention API)
  • OpenAI Enterprise (zero-retention tier)
  • Azure OpenAI (with 30-day abuse-monitoring opt-out)

No training on your data

Your data is never used to train, fine-tune, or improve any model — ours or a vendor's. This is contractual with every AI provider we work with.

  • Explicit no-training clauses with all vendors
  • Prompt and response logging strictly opt-in
  • Fine-tunes trained on your data stay under your ownership

Self-hosted options

For sensitive workloads — patient data, financial records, IP-critical systems — we run open-weight models on infrastructure inside your VPC. Nothing leaves your perimeter.

  • Llama 3, Mistral, and other open-weight models
  • Deploy into your existing AWS, Azure, or GCP tenancy
  • Full audit trail of every model invocation

Auditable AI use

Every AI-generated output in our delivery workflow is logged with model, version, prompt hash, and reviewer. If it went into your codebase, we can prove exactly how.

  • Model provenance recorded for every artefact
  • Human review sign-off required for production changes
  • Full audit trail available on request
03 · GDPR & regulatory compliance

Built for UK regulation. Practised on NHS-grade systems.

We've spent years shipping software into NHS-linked and financially regulated environments. UK GDPR isn't a compliance overlay for us — it's baked into how we scope, build, and hand over every engagement.

Frameworks we align with

UK GDPR & Data Protection Act 2018
Full alignment. Data Processing Agreements (DPAs) offered as standard with every engagement.
ALIGNED
EU GDPR
Aligned for EU-domiciled clients. Standard Contractual Clauses provided where relevant.
ALIGNED
NHS Data Security & Protection Toolkit
Practised on Health Navigator and other NHS-linked engagements. Full DSPT alignment on request.
ALIGNED
OWASP Top 10 / ASVS
Baseline for every codebase we touch. Reviews cover authentication, injection, crypto, access control.
IMPLEMENTED
ISO 27001
Our security controls and working practices align with ISO 27001 principles.
ALIGNED
SOC 2 Type II
Our security and evidence practices align with controls commonly assessed in SOC 2 environments.
ALIGNED
Cyber Essentials
Our security controls and working practices align with the Cyber Essentials framework.
ALIGNED

The rights we protect

Under UK GDPR, data subjects have specific rights over their personal data. We support you in fulfilling all of them, whether the data is in a system we built or one we operate for you.

Right of access

Data subjects can request a full copy of their personal data. We provide export tooling for every system we build.

Right to erasure

"Right to be forgotten" workflows built into every system by default. Includes derived data, backups, and audit logs where lawful.

Right to rectification

Correction workflows with audit trail. Downstream systems notified automatically where required.

Right to data portability

Machine-readable exports (JSON, CSV) supported natively. No format lock-in.

Right to object

Opt-out mechanisms surfaced clearly in user-facing systems. Preferences honoured across services.

Automated decision rights

Where AI makes decisions affecting users, explanations are logged, contestability is built in, and human review paths are always available.

04 · Access & security controls

Least privilege. Encrypted everywhere. Fully logged.

Access to customer data is scoped tightly, granted only when needed, revoked immediately when engagements end, and audit-logged from day zero. No shared admin accounts. No shoulder-surfing. No exceptions.

01

Read-only by default

We request read-only access unless a specific task requires write. Elevated access is scoped, time-boxed, and requires named approval from your side.

02

MFA and SSO enforced

Every engineer authenticates with multi-factor auth. SSO with your identity provider (Okta, Azure AD, Google) supported and preferred for engagements where it fits.

03

Encryption at rest and in transit

AES-256 at rest, TLS 1.3 in transit. Managed keys via HSM-backed KMS in every cloud we operate in. Bring-your-own-key supported.

04

Full audit logging

Every access, query, deploy, and model invocation logged with actor, timestamp, and payload hash. Logs immutable, retained for the engagement plus 90 days.

05

Endpoint hardening

All engineer laptops encrypted, patched, and MDM-managed. No customer data on personal devices, ever. No local database dumps without written approval.

06

Departure protocol

When an engineer leaves the team, or an engagement ends, access is revoked the same working day. Audit log stays live and is delivered to you on request.

05 · Sub-processors

The full list. Nothing hidden.

These are the third parties we may use to deliver services on your behalf. Every one is bound by contract to the same data protection standards we hold ourselves to. We update this list at least quarterly and notify affected clients when it changes.

Provider Purpose Region Terms
Amazon Web Services Primary infrastructure hosting eu-west-2 (London) UK
Microsoft Azure Alternative hosting, Azure OpenAI uksouth UK
Anthropic Claude API for AI features EU endpoint ZERO-RET
OpenAI GPT models via enterprise API EU endpoint ZERO-RET
GitHub Source code hosting, CI/CD EU EU
Cloudflare CDN, WAF, DDoS protection UK / EU edge only UK
Sentry Error tracking (opt-in per client) EU (Frankfurt) EU
1Password Business Credential management EU EU

Full sub-processor list including DPAs available under mutual NDA. Notification of changes: 30 days in advance for material additions.

06 · Incident response

If something goes wrong, here's what happens.

No security programme is perfect. What matters is how quickly we detect, contain, and communicate. Our incident response plan is documented, rehearsed, and holds to specific timeboxes — including notification well inside UK GDPR's 72-hour requirement.

1hr
Detect & contain
Alert triaged. Affected systems isolated. Incident lead assigned.
4hrs
Initial notification
Affected clients contacted with what we know, what we don't, and what we're doing.
24hrs
Full disclosure
Scope, impact, root-cause hypothesis, remediation plan shared in writing.
72hrs
Regulator notification
ICO notified where required — within GDPR's mandatory 72-hour window.

A written post-incident report follows within 10 working days for every reportable event. Root cause, timeline, remediation, and any changes to controls — nothing withheld from affected clients.

Common questions

Things your legal, procurement, and infosec teams will ask.

Can we sign your DPA, or do we need to use ours?
Either. We have a standard DPA aligned with UK GDPR and EU GDPR that most clients sign as-is. If your legal team prefers to work from your own template, we'll happily review it and negotiate. Neither adds cost or delay.
What happens to our data when the engagement ends?
Return, deletion, or handover — your choice. Our default is: source code, infrastructure-as-code, and runbooks handed to you; working copies on our systems securely deleted within 30 days; audit logs retained for a further 90 days for compliance purposes, then destroyed. We provide a written certificate of destruction on request.
Do you carry insurance?
Yes. Professional Indemnity and Cyber Liability cover, both at levels appropriate for UK enterprise engagements. Certificates provided on request under NDA.
Can we audit you?
Yes. Standard right-to-audit provisions in our DPA. For most clients, our standard security documentation and control evidence satisfies audit requirements without needing a physical inspection. Where a direct audit is required — typically for regulated financial or healthcare clients — we cooperate fully and at no charge for a reasonable annual audit.
Where does the code you write live during development?
In a private GitHub repository under UK / EU jurisdiction, encrypted at rest, accessible only to the named engineers on your engagement. You get read access from day one. At handover, the repository transfers to your ownership — full history, no strings attached.
What if an AI provider changes their terms?
We monitor provider terms continuously. If a change materially affects our commitments to you — for example, if a zero-retention guarantee weakens — we notify you, evaluate alternatives, and if necessary migrate off the affected provider. You're never surprised by silent terms changes from a downstream vendor.
Do you offer bug bounty or responsible disclosure?
Yes. Security researchers can report vulnerabilities to [email protected]. We acknowledge within 24 hours, provide a triage decision within 5 working days, and coordinate disclosure timing with the reporter. Formal bug bounty programme launching Q4 2025.
Get in touch

Named humans. Real inboxes.

Trust is a conversation, not a page. If you have a specific question about how we'd handle your data, contact the relevant team directly — no support ticket queues.

Data protection queries

Data subject requests, DPA questions, sub-processor list, right-to-audit enquiries. Response within 2 working days.

Security & incident reporting

Vulnerability reports, responsible disclosure, incident notifications. Acknowledged within 24 hours.

Data Protection Officer

Escalation contact for privacy matters. Formal appointment; contact details registered with the ICO.

Regulator contact

ICO — ico.org.uk
If you have a concern about how we handle personal data that we can't resolve directly, you have the right to complain to the ICO.

Have a specific compliance question?

Talk to us directly. We'll answer your infosec team's questions with the depth they expect — and provide DPAs, sub-processor lists, and audit evidence on request.