Security Practices
A practical overview of how we secure the systems we build. Written for the procurement team that needs to tick boxes, and for the founder who wants to actually understand what their AI integration is doing.
Hosting and data residency
Default deployment region is UK or EU. For AWS-hosted systems, eu-west-2 (London). For Vercel-hosted apps, London edge. For managed Postgres, Neon eu-west-2 or AWS RDS in London.
Where a client requires data to stay on their own infrastructure, we deploy to your AWS / Azure / GCP account using infrastructure-as-code that you own at handover. No data leaves your perimeter.
Secrets and credential management
- API keys, database credentials, and OAuth tokens stored in AWS Secrets Manager or Vercel encrypted environment variables. Never in source control.
- Secrets rotated on project handover. The keys you receive are not the keys we used during development.
- Least-privilege scoping per integration: a webhook secret can post to one endpoint, an integration API key can read a specific dataset, etc.
- Audit log records every secret access in production.
Access control
- Every administrative system requires MFA. No exceptions.
- Production deploys require code review. Solo-engineer projects use Git-protected branches with self-review checklists.
- Customer data access during development is on a need-to-know basis: synthetic data for build, real data only during final testing with you present.
- Off-boarding: all access (cloud accounts, repos, integrations) revoked within 24 hours of project end.
AI provider configuration
Where the AI provider supports it, we enable zero-retention mode (OpenAI, Anthropic, Mistral). This means your inputs and the model outputs are not retained for training or moderation review.
Where zero-retention is not available, we document this explicitly in the architecture document and you can choose a different provider before build starts.
We never use your data to fine-tune a model unless that is the explicit project goal and is contractually scoped.
Monitoring and incident response
- Errors → Sentry with email + Slack notifications.
- Structured logs → Axiom or CloudWatch Logs with retention configured per regulatory minimum.
- Anomaly detection on key metrics (job-failure rate, unusual cost spikes, slow response times).
- For maintenance-retainer clients, a written incident response plan with severity levels and notification SLAs.
Vulnerability handling
Dependency vulnerabilities monitored via GitHub Dependabot or Snyk. Critical CVEs patched within 7 days; high within 30 days. The pipeline is documented in your runbook so you can continue this after handover.
Found a vulnerability in something we shipped? Email [email protected] with details. We treat reports seriously, acknowledge within 48 hours, and credit the reporter where they want it.
Penetration testing
For systems with significant external attack surface (customer-facing apps with PII), we recommend an annual third-party pen test and can introduce a UK-based vendor. Pen-test cost is not included in our build fees — it's a separate engagement with the testing firm.
UK GDPR alignment
Full Privacy Policy at /legal/privacy-policy.html. Highlights:
- DPA available on request — pre-prepared template ready to sign.
- Sub-processor list documented per project.
- Data subject access requests processed within UK GDPR timelines.
- Breach notification capability built into every system — automated alerts to you with regulatory clock awareness.
Procurement questions?
Happy to fill in supplier questionnaires, sign DPAs, and answer specific procurement queries.