Index/Trust Center
(Trust Center) Security & data protection

Security & trust, by default.

Security isn't a bolt-on for us — it's how we work. NDAs before we start, least-privilege access, encryption everywhere and full ownership of your code and IP. Here's exactly how we protect your data and your work.

Request our security overview
(01) Standards we work to
ISO 27001
Aligned
SOC 2
Readiness
GDPR
Compliant practice
NDA
Standard on every engagement
100% IP
Client-owned

We work to recognised standards and can share our current posture and controls under NDA.

(02) Controls

How we protect
your data.

The same controls we'd want on our own systems — applied to yours from day one.

Access

Least-privilege access

People and services get only the access they need, for only as long as they need it. Access is reviewed, logged and revoked on offboarding.

Encryption

Encrypted in transit & at rest

Data is encrypted end to end using modern ciphers and TLS, with secrets held in managed vaults — never in code or config.

Build

Secure SDLC

Code review, dependency and secret scanning, and least-privilege CI/CD pipelines are built into how we ship — not audited in afterwards.

Resilience

Backups & disaster recovery

Automated, tested backups and documented recovery plans with clear objectives — so a bad day is a recovery, not a crisis.

Visibility

Monitoring & logging

Centralised logs, metrics and alerting give us early warning of anomalies and a clear audit trail when questions come up.

Response

Incident response

A documented plan to detect, contain, notify and remediate quickly — followed by a blameless review so it doesn't recur.

(03) Data & IP ownership

Your data, your IP — no exceptions.

We build to hand off, never to lock you in. The work is yours, and we handle your data like we handle our own.

01

Your IP, always

Full ownership of all code, designs and documentation transfers to you. We keep no hidden dependencies and no hostage keys.

02

NDA before any data

A mutual NDA is signed before we touch your systems or data, and we sign a Data Processing Agreement where we act as a processor.

03

Careful data handling

We collect the minimum we need, keep it only as long as required, and delete or return it on request when the work is done.

04

Subprocessor transparency

Any third-party services in the delivery chain are disclosed up front, with their role and location — no silent subcontracting.

(04) Compliance & standards

Aligned to the
frameworks that matter.

01

ISO 27001 alignment

Information security

Our information-security practice is built around the ISO 27001 control set, so risk assessment, access control and asset management are structured, not ad hoc.

  • Documented policies and risk register
  • Access control and asset management
  • Regular internal review
02

SOC 2 readiness

Trust services criteria

We operate to the SOC 2 trust principles — security, availability and confidentiality — and can support clients running their own SOC 2 or vendor assessments.

  • Security, availability & confidentiality controls
  • Change management and monitoring
  • Evidence available under NDA
03

GDPR-compliant practice

Data protection

We handle personal data on a lawful basis, minimise what we collect, honour data-subject requests, and sign Data Processing Agreements where we act as a processor.

  • Data minimisation and retention limits
  • DPAs and processor obligations
  • Regional data residency on request
04

NDAs, DPAs & IP transfer

On every engagement

Contracts protect you first: an NDA before we start, a DPA where relevant, and clean transfer of 100% of the code, designs and IP to you at handoff.

  • Mutual NDA before any access
  • DPA for personal-data processing
  • Full, documented IP transfer
(05) Questions

Trust,
answered.

Request our overview
01 Are you certified?
We operate to recognised standards: our practice is ISO 27001-aligned and built around SOC 2 readiness, and we follow GDPR-compliant data handling. We're happy to share our current posture and controls under NDA, and to support your own audit and vendor-assessment process.
02 Where is my data stored?
Wherever your compliance and latency needs dictate. We build on AWS, Azure and GCP and can pin data to specific regions to meet residency requirements. Access is least-privilege, data is encrypted in transit and at rest, and hosting arrangements are documented in your agreement.
03 Do you sign NDAs and DPAs?
Yes. An NDA is signed before we touch any of your data or systems, and we'll sign a Data Processing Agreement where we act as a processor. All code, designs and documentation, and the IP in them, belong to you.
04 How do you handle security incidents?
We have a documented incident response process: detect and contain, assess impact, notify you promptly with the facts, remediate, and run a blameless post-incident review. Backups and disaster-recovery plans are tested so we can restore service quickly.
Under NDA, on request

Ask us about
security.

Need our security overview, a DPA or answers for a vendor assessment? Tell us what you need and we'll get it to you.

Request our security overview