Security
Privacy and control are why we exist.
Real at every layer. Every customer. Every deployment.
Architecture
Built on zero trust. Not bolted onto it.
01 Zero-trust by default
Every request authenticated by user, device, and source. No implicit trust based on network location.
02 Source-level access controls
Permissions flow from your IdP. Users only retrieve documents they're authorised to see.
03 Full auditability
Every prompt, retrieval, and admin change is logged. SIEM export on Secure Department and above.
04 Data stays where you decide
Cloud, hybrid, or on-prem. We never process client data on shared infrastructure.
Compliance
Designed for regulated environments.
UK GDPR / GDPR
Purpose limitation, data minimisation, individual rights.
HIPAA
BAA support. Secure Department and above meet HIPAA requirements.
Contractual controls
On-prem and hybrid satisfy professional service firm obligations.
Audit logging
Comprehensive trails. Configurable retention. SIEM export.
Data residency
Compute in your required jurisdiction or your own infrastructure.
Customer-managed encryption
Manage your own keys. Key rotation as an add-on.
Default controls
Standard on every deployment.
Data leakage
Source-level ACLs, isolated workspaces, least-privilege retrieval, prompt logging.
Stale or inaccurate responses
Indexed-source citations, sync scheduling, human review for external-facing outputs.
Automation side effects
Write-back starts read-only. Requires explicit allowlists, approval steps, and audit.
Compliance design mismatch
Security questionnaire and audit export configured before go-live on regulated deployments.