Trust & security
Trust, security, and how we build.
We build software that runs real operations, often with sensitive data behind it. That only works if we are straightforward about how we handle data, privacy, and security. Here is how we approach it, in plain terms.
How we work with you
Clear commercial terms
How a system is owned or licensed is agreed with you up front and put in writing, whether that is a custom build, a licence, or one of our own products. No surprises later.
Built to last
We build on standard, well-supported frameworks and document what we ship, so a system stays maintainable and you are never locked to one supplier by accident.
Honest about scope
We tell you plainly what a system does and does not do. We make no medical or clinical claims, and we do not imply certifications we do not hold.
How we stay GDPR-aligned
We build to UK and EU GDPR. In plain terms: your data stays yours, we only handle what a system needs, and we are accountable for how it is processed.
Controller and processor
For the software we run for you, you are the data controller and we act as your processor under a written data processing agreement.
Data minimisation
We collect only the data a system needs to do its job, and use it only for that purpose. Nothing is gathered just in case.
Where your data lives
Data residency is set per project. Where a project requires it, your data is stored in the UK or EU, and any processing outside the UK or EU is covered by safeguards such as Standard Contractual Clauses and the UK IDTA.
Your rights, supported
We help you respond to data subject requests, access, correction, deletion, and portability, within the statutory timescales.
If something goes wrong
If a personal data breach affects your data, we notify you without undue delay, so you can meet your own obligations within the timescales the law sets.
We do not sell or train on your data
We never sell personal data, and we do not use your data, or your customers’ data, to train AI models.
How we keep it safe
Encrypted in transit and at rest
Traffic is encrypted in transit with TLS, and data at rest is encrypted on the managed databases we deploy on.
Least-privilege access
Access to production systems is limited to the people who need it, on a least-privilege basis, with multi-factor authentication on core accounts.
Secrets stay secret
Credentials and API keys live in managed secret stores, never in source code.
Tenant isolation
In multi-tenant products, each customer’s data is separated and access is scoped to the right tenant on every request.
AI under oversight
Where we use AI it runs under human oversight. It escalates rather than guesses, its actions are logged and auditable, and it stays within a defined scope.
Backups and incident response
We run on managed infrastructure with automated backups, and we keep a process to investigate and respond to incidents.
We are a small studio, not an enterprise vendor with a wall of compliance badges. We do not yet hold ISO 27001 or SOC 2, and we would rather be straight about that than imply otherwise.
What you get instead is the substance underneath those badges: the practices above, direct access to the people who built your system, and clear answers to your security questions. If your procurement needs detail, ask, and we will share our security overview and complete your questionnaire.
