Skip to content
Security

How we handle security and your data.

Different projects come with different requirements. Before we start we go through what data is involved and what it needs, so it's clear to everyone what applies.

  • Data inside the EU when required
  • No models trained on your data
  • Security level chosen together

How we think about security

Your data stays yours

We don't train models on your data and we don't move it further than the work requires. What we can access is written down before we start.

The right level for the job

An internal prototype and a system with personal data need different protection. We choose the level together with you and build to it.

EU when the data requires it

When contracts or GDPR set requirements, both data and AI inference stay inside the EU, or entirely in your own environment.

Two ways we work

Most of what we deliver runs in one of two setups: everything inside the EU, or everything in your own environment. We pick one together before we start building.

Level 2How we work

Everything inside the EU

Data, storage and AI inference run with providers inside the EU, with security on par with Microsoft 365. This covers most businesses, including GDPR-sensitive data.

ExampleAn internal assistant that answers questions from your contracts and documents. The documents are stored in the EU and never used to train models.

Level 3How we work

Everything in your environment

The whole system runs on a physically secured server at your premises, and the AI models run locally. No data leaves the building. A bigger investment up front, but full control.

ExampleBusinesses where data may not leave their own infrastructure, such as healthcare, banking and other regulated industries.

For prototypes and early tests

Level 0 · Fast prototype A demo without sensitive data, built to get something clickable fast. Usually with made-up test data.

Level 1 · Fast but orderly Login and permissions in place, but traffic may run through US providers. For internal tools without sensitive data.

How we build

This applies to everything we build and maintain, whichever level we land on.

All traffic is encrypted

Everything sent between you, the system and the AI services runs over TLS.

Access per person

Only the people working on your project can reach your environment, always behind two-factor sign-in. When the project ends, access is shut off.

Keys outside the code

API keys and passwords live in locked vaults, never in the code or in an email.

Systems kept up to date

In systems we maintain, we update dependencies and platforms continuously, not just when something breaks.

Data handling in plain language

Before we start, we write down what data is involved, where it is stored and who can access it. Then this applies:

  • We only keep the fields the workflow actually needs.
  • If we process personal data on your behalf, we sign a DPA.
  • Retention and access are agreed before launch, not after.
  • When a project ends, we hand over or delete everything we have had access to.

More questions about security

Get in touch if you want to go through what this would look like in your case, and we'll take it from there.

Contact us