Your data stays in your tenant.
We build for UK law firms, private healthcare groups, and regulated practices. The systems we ship are deployed inside your own cloud and your own source control. We hold no client production data after handover. This page sets out the security and compliance posture every engagement starts from.
Five principles, applied to every engagement.
Hosted on your own cloud tenant.
Every system we build is deployed inside your infrastructure (your AWS, Azure, or on-premises environment). Production data does not pass through our environment. We hold no client data after handover.
UK GDPR and DPA 2018 compliant by design.
Each engagement begins with a signed Data Processing Agreement. Lawful basis, retention, processor obligations, and sub-processors are documented before any data is touched.
Encryption in transit and at rest.
TLS 1.2+ everywhere, AES-256 at rest, secrets stored in your cloud provider's managed secret store (AWS Secrets Manager, Azure Key Vault). No secrets in source.
Principle of least privilege.
Access to your environment is granted only for the duration of the engagement, scoped to what each task actually needs. Access logs are reviewable. Credentials are revoked on handover.
Code review and audit trail.
All code is delivered in your own Git repository with a complete commit history. Pull requests are reviewable. The runbook documents what runs, when, and who can change it.
Sector-specific commitments.
Law firms
We work to SRA-aligned data handling expectations: confidentiality, conflicts, and matter-data segregation. Client matter data does not leave your iManage, NetDocuments, or PMS.
Healthcare groups
For systems touching patient information, we operate to UK GDPR and Caldicott principles. Personal data is processed inside your tenant and your DPO has full visibility of data flows.
Recruitment & B2B
Candidate and prospect data stays in your CRM (Bullhorn, JobAdder, HubSpot, Salesforce). Enrichment runs server-side; nothing is logged or retained beyond what the workflow requires.
Documentation available on request.
Before you sign, we can share our standard Data Processing Agreement, sub-processor list, and a security questionnaire completed in your firm's preferred format (CAIQ, SIG-Lite, or your own template). Procurement teams typically have what they need within two business days.
For privacy-related questions, see our privacy policy. For website terms, see our terms of use.