Data Handling & Lifecycle
A practical view of how data flows through the systems we build, where it lives, who can see it, and how long it stays. Engineered transparency rather than glossy reassurance.
Data categories we typically handle
- Business data: invoices, orders, supplier records, customer interactions, internal documents.
- Personal data: employee names/emails, customer contact details — handled under UK GDPR.
- Sensitive personal data: health, financial, legal status — handled only with explicit client consent, full DPA in place, and strict access controls.
- Authentication data: API keys, OAuth tokens — encrypted at rest, never in logs.
Ingest
Data enters the system through one of three channels:
- Inbound webhook (Stripe, Xero, Calendly, Formspree).
- Scheduled pull (API integration with your CRM, accounting, or ops tools).
- User upload (file upload form on a customer-facing or internal app).
Every inbound event is logged with timestamp, source, payload hash, and routing decision before any processing.
Processing
Workers process events idempotently: every event passes an idempotency check, and a duplicate delivery of an event that has already been processed is dropped rather than processed twice. Each processing step is logged individually.
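The ingest envelope described above (timestamp, source, payload hash, routing decision, written before any processing) and the idempotency check, together as an added example. This is illustration code, not the firm's production worker: an in-memory list stands in for the append-only Postgres audit table, a set stands in for a UNIQUE-keyed idempotency table, the routing table is hypothetical, and the sample events are constructed rather than real webhook deliveries.

```python
"""Ingest envelope + idempotent worker, as an added illustration.

Assumptions (not from the page): an in-memory list stands in for the
append-only Postgres audit table, a set stands in for the idempotency table,
the routing table is invented, and the sample events are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

AUDIT_LOG: list = []        # stand-in for the append-only audit table
PROCESSED: set = set()      # stand-in for a UNIQUE-keyed idempotency table

# Hypothetical routing table: event type -> worker queue.
ROUTES = {
    "invoice.paid": "finance-worker",
    "checkout.session.completed": "orders-worker",
}


def payload_hash(raw: bytes) -> str:
    """SHA-256 over the raw bytes as received. Hash the bytes, not the parsed
    JSON: re-serialising can reorder keys and silently change the digest."""
    return hashlib.sha256(raw).hexdigest()


def route(event: dict) -> str:
    """Unknown event types go to a quarantine queue rather than being dropped,
    so nothing disappears without a trace."""
    return ROUTES.get(event.get("type", ""), "quarantine")


def idempotency_key(source: str, event: dict, digest: str) -> str:
    """Prefer the sender's own event id (Stripe's evt_..., for instance); fall
    back to the payload hash for sources that do not supply one."""
    return f"{source}:{event.get('id') or digest}"


def ingest(source: str, raw: bytes, now: Optional[datetime] = None) -> dict:
    """Log first, decide second, process third."""
    now = now or datetime.now(timezone.utc)
    digest = payload_hash(raw)
    event = json.loads(raw)
    decision = route(event)

    # 1. The envelope is written before any processing, so a crash or an
    #    exception in a worker still leaves a record of what arrived.
    AUDIT_LOG.append({"ts": now.isoformat(), "source": source,
                      "payload_sha256": digest, "route": decision})

    # 2. Idempotency check. In Postgres this is one statement,
    #    INSERT ... ON CONFLICT DO NOTHING on a UNIQUE key, so two workers
    #    racing on the same delivery cannot both win. The set here is the
    #    single-process equivalent.
    key = idempotency_key(source, event, digest)
    if key in PROCESSED:
        AUDIT_LOG.append({"ts": now.isoformat(), "source": source,
                          "payload_sha256": digest, "route": "duplicate-dropped"})
        return {"status": "duplicate", "key": key, "route": None}
    PROCESSED.add(key)

    # 3. Hand off to the worker named by `decision` (dispatch is outside
    #    the scope of this illustration).
    return {"status": "accepted", "key": key, "route": decision}


if __name__ == "__main__":
    # Constructed sample: the sender retries the same delivery twice.
    raw = b'{"id": "evt_1", "type": "invoice.paid", "amount": 1200}'
    print(ingest("stripe", raw))   # accepted, finance-worker
    print(ingest("stripe", raw))   # duplicate
    print(ingest("formspree", b'{"type": "form.submitted", "name": "x"}'))  # quarantine
```

The key is namespaced by source so that two integrations reusing the same event id do not collide, and the duplicate is logged as a second envelope rather than silently swallowed, which is what lets "why did this run once and not twice?" be answered from the audit table alone.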
When data is sent to an LLM API: zero-retention is configured where the provider supports it; obvious PII (NI numbers, payment card numbers) is redacted before sending unless the workflow genuinely needs it; and outputs are validated against a schema before they are used.
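The two guard rails around the LLM call, redaction on the way in and schema validation on the way out, as an added example rather than the firm's own code. The NI-number and card patterns, the Luhn filter that keeps order numbers from being mistaken for cards, the `INVOICE_SCHEMA` shape and the sample text are all constructed for illustration.

```python
"""PII redaction before an LLM call and schema validation after it.

Added example, not the firm's code. Assumptions: the NI-number and card
patterns below, the Luhn filter, the INVOICE_SCHEMA shape and the sample
text are all constructed for illustration.
"""
import re
from typing import Any

# UK National Insurance number: two letters, six digits, suffix A-D, with or
# without the conventional spaces. Prefix rules follow the published format
# (first letter never D/F/I/Q/U/V, second never D/F/I/O/Q/U/V, and a handful
# of two-letter prefixes are never issued).
NI_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b",
    re.IGNORECASE,
)

# Candidate card number: 13-19 digits, optionally separated by spaces or
# dashes. Plain digit runs also match order numbers and phone numbers, so a
# Luhn check decides whether to redact.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str, keep_cards: bool = False):
    """Replace NI numbers and Luhn-valid card numbers with placeholders.
    Returns (cleaned_text, counts). keep_cards=True models a workflow that
    genuinely needs the card number and so must not strip it."""
    counts = {"ni": 0, "card": 0}

    def ni_sub(_m):
        counts["ni"] += 1
        return "[NI_REDACTED]"

    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if keep_cards or not luhn_ok(digits):
            return m.group(0)          # leave non-card digit runs intact
        counts["card"] += 1
        return "[CARD_REDACTED]"

    text = NI_RE.sub(ni_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, counts


# Hypothetical schema for an invoice-extraction workflow: key -> exact type.
INVOICE_SCHEMA = {"supplier": str, "total_pence": int, "due_date": str}


def validate_output(obj: Any, schema: dict) -> list:
    """Return a list of problems with an LLM response; empty means usable.
    Exact type match is deliberate: bool is a subclass of int in Python, and a
    model that answers true for total_pence should be rejected, not coerced."""
    if not isinstance(obj, dict):
        return ["output is not a JSON object"]
    problems = [f"missing key: {k}" for k in schema if k not in obj]
    problems += [f"unexpected key: {k}" for k in obj if k not in schema]
    for k, t in schema.items():
        if k in obj and type(obj[k]) is not t:
            problems.append(f"{k} should be {t.__name__}, got {type(obj[k]).__name__}")
    return problems


if __name__ == "__main__":
    # Constructed sample input; the card number is the well-known test number.
    sample = ("Employee AB 12 34 56 C paid with card 4111 1111 1111 1111; "
              "order ref 1234567890123.")
    cleaned, n = redact(sample)
    print(cleaned, n)
    print(validate_output({"supplier": "Acme Ltd", "total_pence": 1200,
                           "due_date": "2024-06-01"}, INVOICE_SCHEMA))
    print(validate_output({"supplier": "Acme Ltd", "total_pence": "1200",
                           "notes": "x"}, INVOICE_SCHEMA))
```

Two points worth carrying over to a real deployment: the redaction counts are what you log (never the matched values), and the validator rejects unexpected keys as well as missing ones, because an extra field is the usual way a prompt-injected instruction smuggles content into downstream processing.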
Storage
- Primary store: Postgres in UK/EU region, encrypted at rest, automated backups with point-in-time recovery.
- Vector store: pgvector on the same Postgres instance. Embeddings are stored as float arrays with the original text in the same row for traceability, so deleting the row removes the embedding and its source text together.
- Object storage (uploaded files): AWS S3 in eu-west-2 with server-side encryption.
- Audit log: append-only table on Postgres, separate from operational data.
Retention
Retention policy is set per project based on your regulatory needs and operational requirements. Defaults we recommend:
- Operational data: as long as the business workflow requires.
- Audit logs: 12 months minimum; 6 years for financial workflows.
- LLM input/output snapshots (for debugging): 30 days, then deleted unless flagged for issue investigation.
- Uploaded files: per-workflow; typically 90 days post-processing unless retained for compliance.
Deletion
Data subject deletion requests under UK GDPR are honoured, and the architecture is built for it: each data subject has a single ID across tables, deletion cascades through related records, and the audit log records the deletion event as a tombstone rather than retaining the original data. Deleted records do persist in encrypted backups until those age out of the 30-day backup retention window described below.
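The erasure path described above, as an added example and not the firm's own code: one subject ID, cascading deletes through the child tables, and an audit tombstone written in the same transaction. SQLite stands in for Postgres here (the append-only trigger syntax differs in Postgres, the shape does not), the table layout is invented, and S3 object deletion is modelled only as a returned list of keys, because object storage sits outside the database transaction and has to be cleaned up as a separate step.

```python
"""Erasure request: cascade delete plus audit tombstone in one transaction.

Added illustration, not the firm's code. Assumptions: SQLite stands in for
Postgres (the trigger syntax differs there; the shape is the same), the table
layout is invented, and S3 object deletion is modelled only as a returned list
of keys because object storage sits outside the database transaction.
"""
import json
import sqlite3
from datetime import datetime, timezone
from typing import Optional

SCHEMA = """
CREATE TABLE data_subjects (
    id    TEXT PRIMARY KEY,          -- the single ID used across all tables
    email TEXT NOT NULL
);
CREATE TABLE interactions (
    id         INTEGER PRIMARY KEY,
    subject_id TEXT NOT NULL REFERENCES data_subjects(id) ON DELETE CASCADE,
    body       TEXT NOT NULL
);
-- Uploaded-file metadata plus the pgvector-style row: chunk text and its
-- embedding live together, so one cascade removes both.
CREATE TABLE documents (
    id         INTEGER PRIMARY KEY,
    subject_id TEXT NOT NULL REFERENCES data_subjects(id) ON DELETE CASCADE,
    s3_key     TEXT NOT NULL,
    chunk_text TEXT,
    embedding  BLOB
);
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    ts          TEXT NOT NULL,
    actor       TEXT NOT NULL,
    action      TEXT NOT NULL,
    subject_ref TEXT NOT NULL,        -- opaque subject ID, never email or content
    detail      TEXT NOT NULL
);
-- Append-only: reject UPDATE and DELETE on the audit table at the engine level.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

CHILD_TABLES = ("interactions", "documents")   # fixed list, never user input


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores cascades without this
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample data: two customers, one of whom will be erased."""
    with conn:
        conn.executemany("INSERT INTO data_subjects VALUES (?, ?)",
                         [("cust_42", "a@example.com"), ("cust_43", "b@example.com")])
        conn.executemany("INSERT INTO interactions(subject_id, body) VALUES (?, ?)",
                         [("cust_42", "call note 1"), ("cust_42", "call note 2"),
                          ("cust_43", "call note 3")])
        conn.execute("INSERT INTO documents(subject_id, s3_key, chunk_text, embedding) "
                     "VALUES (?, ?, ?, ?)",
                     ("cust_42", "uploads/cust_42/contract.pdf", "Section 1 ...", b"\x00\x01"))


def erase_subject(conn: sqlite3.Connection, subject_id: str, actor: str,
                  now: Optional[datetime] = None) -> dict:
    """Honour an erasure request: one transaction, one tombstone."""
    now = now or datetime.now(timezone.utc)
    with conn:   # commit cascade and tombstone together, or neither
        if conn.execute("SELECT 1 FROM data_subjects WHERE id = ?",
                        (subject_id,)).fetchone() is None:
            raise KeyError(f"unknown data subject {subject_id}")
        counts = {t: conn.execute(f"SELECT count(*) FROM {t} WHERE subject_id = ?",
                                  (subject_id,)).fetchone()[0] for t in CHILD_TABLES}
        s3_keys = [r[0] for r in conn.execute(
            "SELECT s3_key FROM documents WHERE subject_id = ?", (subject_id,))]
        conn.execute("DELETE FROM data_subjects WHERE id = ?", (subject_id,))   # cascades
        # The tombstone records that an erasure happened, by whom, and how many
        # rows went; the detail column carries counts only, no personal data.
        conn.execute("INSERT INTO audit_log(ts, actor, action, subject_ref, detail) "
                     "VALUES (?, ?, ?, ?, ?)",
                     (now.isoformat(), actor, "erasure", subject_id, json.dumps(counts)))
    return {"subject": subject_id, "deleted": counts, "s3_keys_to_delete": s3_keys}


def audit_is_append_only(conn: sqlite3.Connection) -> bool:
    """True if the engine refuses to delete from the audit table."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    seed(db)
    print(erase_subject(db, "cust_42", actor="dpo@firm.example"))
    print(db.execute("SELECT action, subject_ref, detail FROM audit_log").fetchall())
    print("append-only:", audit_is_append_only(db))
```

The S3 keys are collected before the cascade runs because once the `documents` rows are gone there is nothing left to tell you which objects belonged to the subject; the caller deletes those objects afterwards and, if that fails, still has the audit row showing the database side completed.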
On project termination, you choose: full data export to you and deletion from our systems, or transfer of infrastructure ownership to you. Either way, we don't retain your data after handover.
Backup
Daily automated backups with 30-day retention, plus point-in-time recovery to any moment in the last 7 days at 5-minute granularity. Backups are encrypted and stored in a separate region for disaster recovery.
Access and audit
Every read/write to operational data is logged. Audit log queries are available to authorised members of your team via a documented interface. You can answer “who accessed this customer's data and when?” without our involvement.
Procurement questions?
Happy to fill in supplier questionnaires, sign DPAs, and answer specific procurement queries.