Security
Effective date: May 20, 2026
Security is part of how we build. This page summarizes the practices we apply across the studio and the systems we deliver. Specific controls for a given engagement are defined in the applicable agreement and any data processing addendum.
Data protection
- Isolation — client data is kept logically separated, and we never use client engagement materials to train shared models.
- Encryption — data is encrypted in transit (TLS) and at rest using industry-standard algorithms.
- Access control — access to client data is limited to the people who need it, under the principle of least privilege.
Infrastructure
We build on established cloud infrastructure and managed services. Where you prefer, systems can be deployed into your own cloud or infrastructure so the data never leaves your environment.
Operational practices
- Secrets are stored in managed secret stores, not in source code.
- We apply authentication, audit logging, and monitoring to the systems we operate.
- Access reviews and dependency updates are performed on a regular basis.
Incident response
We maintain an incident response process. In the event of a confirmed personal-data breach affecting your data, we aim to notify affected clients without undue delay, and within 72 hours where required by applicable law.
Subprocessors
We use a limited set of subprocessors (for example, cloud hosting, model providers, and email) to deliver our services. A current list is available on request.
Compliance roadmap
We align our practices with GDPR/UK GDPR expectations and are building toward formal attestations (such as SOC 2 Type II) as the studio grows. We share current status openly rather than implying certifications we don’t yet hold.
Reporting a concern
To report a security concern, contact us via our LinkedIn page. A dedicated security contact address will be published here.