Security Practices

A practical overview of how we secure the systems we build. Written for the procurement team that needs to tick boxes, and for the founder who wants to actually understand what their AI integration is doing.

Hosting and data residency

Default deployment region is UK or EU. For AWS-hosted systems, eu-west-2 (London). For Vercel-hosted apps, London edge. For managed Postgres, Neon eu-west-2 or AWS RDS in London.

Where a client requires data to stay on their own infrastructure, we deploy to your AWS / Azure / GCP account using infrastructure-as-code that you own at handover. No data leaves your perimeter.

Secrets and credential management

Access control

AI provider configuration

Where the AI provider supports it, we enable zero-retention mode (OpenAI, Anthropic, Mistral). This means your inputs and the model outputs are not retained for training or moderation review.

Where zero-retention is not available, we document this explicitly in the architecture document and you can choose a different provider before build starts.

We never use your data to fine-tune a model unless that is the explicit project goal and is contractually scoped.

Monitoring and incident response

Vulnerability handling

Dependency vulnerabilities are monitored via GitHub Dependabot or Snyk. Critical CVEs are patched within 7 days and high-severity CVEs within 30 days. The pipeline is documented in your runbook so you can continue this after handover.
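As an added illustration (not the firm's own tooling), the following script checks open dependency alerts against the 7-day critical and 30-day high deadlines stated above. The alert records are constructed sample data in a simplified shape, not the real Dependabot or Snyk export schema; a practitioner would adapt the field names to whichever export they feed in.

```python
from datetime import date, timedelta

# Remediation deadlines stated on this page, in days from the alert opening.
# Severities with no stated deadline (medium, low) are reported but not timed.
SLA_DAYS = {"critical": 7, "high": 30}

# Constructed sample alerts. Field names are a simplified stand-in for what a
# Dependabot or Snyk export contains, not either tool's actual schema.
SAMPLE_ALERTS = [
    {"package": "lodash",   "severity": "critical", "opened": "2024-05-01", "fixed": None},
    {"package": "express",  "severity": "high",     "opened": "2024-04-20", "fixed": None},
    {"package": "axios",    "severity": "critical", "opened": "2024-05-08", "fixed": "2024-05-10"},
    {"package": "minimist", "severity": "high",     "opened": "2024-05-05", "fixed": None},
    {"package": "semver",   "severity": "medium",   "opened": "2024-03-01", "fixed": None},
]


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def deadline_for(alert):
    """Date by which this alert must be patched, or None if no SLA applies."""
    days = SLA_DAYS.get(alert["severity"].lower())
    if days is None:
        return None
    return date.fromisoformat(alert["opened"]) + timedelta(days=days)


def sla_report(alerts, today):
    """Classify open alerts against the patch SLA as of `today`.

    Returns a dict with three lists:
      overdue   - open alerts past their deadline, with days overdue
      on_track  - open alerts still inside their window, with days left
      untimed   - open alerts whose severity has no stated deadline
    Alerts that already carry a fix date are skipped.
    """
    today = _as_date(today)
    report = {"overdue": [], "on_track": [], "untimed": []}
    for alert in alerts:
        if alert["fixed"] is not None:
            continue  # already remediated, nothing to chase
        due = deadline_for(alert)
        entry = {"package": alert["package"], "severity": alert["severity"]}
        if due is None:
            report["untimed"].append(entry)
        elif today > due:
            entry["days_overdue"] = (today - due).days
            report["overdue"].append(entry)
        else:
            entry["days_left"] = (due - today).days
            report["on_track"].append(entry)
    return report


def sla_breached(alerts, today):
    """True if any open alert is past its deadline; usable as a CI gate."""
    return bool(sla_report(alerts, today)["overdue"])


if __name__ == "__main__":
    as_of = "2024-05-12"
    for bucket, entries in sla_report(SAMPLE_ALERTS, as_of).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
    # Non-zero exit so a scheduled job or pipeline step fails on a breach.
    raise SystemExit(1 if sla_breached(SAMPLE_ALERTS, as_of) else 0)
```

Run on a schedule against the live alert export, the non-zero exit turns an SLA breach into a visible pipeline failure rather than a line buried in a dashboard, which is what makes the "7 days / 30 days" commitment checkable after handover.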

Found a vulnerability in something we shipped? Email [email protected] with details. We treat reports seriously, acknowledge within 48 hours, and credit the reporter where they want it.

Penetration testing

For systems with significant external attack surface (customer-facing apps with PII), we recommend an annual third-party pen test and can introduce a UK-based vendor. Pen-test cost is not included in our build fees — it's a separate engagement with the testing firm.

UK GDPR alignment

Full Privacy Policy at /legal/privacy-policy.html. Highlights:

Procurement questions?

Happy to fill in supplier questionnaires, sign DPAs, and answer specific procurement queries.