Trust Center
How we handle your data.
Direct answers for your compliance officer, your CISO and your data-protection lead. If you need anything in writing, we have a DPA template — just ask.
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Database, file storage and search indices are all encrypted by default. No exceptions.
UK + EU data residency
Production data is hosted in UK and EU regions. We do not move customer data outside the UK/EU without an explicit contractual agreement.
No training on your data
We do not use customer prompts, documents, knowledge or outputs to train our own models. Your data trains nothing. Period.
Role-based access
Customer-tenant isolation at the database row level. Internal access is audit-logged and limited to named on-call engineers for incident response only.
Retention you control
Workspaces, conversations and uploaded files are retained for the duration of your contract. You can delete content at any time; deletion is propagated across primary and backup storage within 30 days.
GDPR-ready
We act as data processor for customer data and as controller for the limited operational logs we keep. DPA available on request; subject access request workflow documented.
Certifications
Where we are on the roadmap.
We're transparent about what we have and what we're working on. Anything below in “In progress” or “Planned” is on an active timeline; ask for a specific target date.
Cyber Essentials Certified
Target Q3 2026.
ISO 27001:2022
Targeted for late 2026.
SOC 2 Type II
For enterprise tier customers.
Sub-processors
Who else touches data we hold.
The third parties we use in production, what they do, where they run, and whether we have a Data Processing Agreement in place.
| Provider | Purpose | Region | DPA |
|---|---|---|---|
| Anthropic | LLM inference (Claude family) | EU/UK routed | Yes |
| OpenAI | LLM inference (fallback models) | EU routed | Yes |
| AWS | Cloud infrastructure | eu-west-2 (London) | Yes |
| Cloudflare | CDN, DNS, DDoS protection | EU edge | Yes |
| Sanity | Marketing site CMS (not customer data) | EU | Yes |
| Sentry | Error monitoring | EU | Yes |
| PostHog | Product analytics (anonymised) | EU | Yes |
| Cal.com | Demo scheduling (not customer data) | EU | Yes |
We notify customers in writing 30 days before adding a new sub-processor that handles customer data.
Need this in writing?
We have a Data Processing Agreement template and an internal security questionnaire, and we're happy to walk through any of it on a call.