How We Work with Your Data
Last updated: April 2026
You’re handing us the keys. Here’s how we handle that.
When we build inside your business, we touch real data, real accounts, and real systems. That’s the point. AI that works in theory but never connects to your actual operations is just another demo.
But “real access” means real responsibility. Here’s exactly how we handle it.
Nothing runs without your say-so.
Every automation we build is designed for human review before it acts. No agent publishes content, changes ad spend, sends emails, or modifies live systems without a human approving it first.
If we’re building something that could touch a production system, we get written approval before we configure it. Not after.
Your data stays yours. All of it.
We use a Background/Foreground IP model. In plain terms:
- Your data, your configs, your reports: yours. Always. Even if we built them for you.
- Our reusable frameworks and tools: ours. But you get a permanent licence to use and modify them in your business.
When the engagement ends, you keep everything we built for you. We delete our local copies. Your systems, your data, your IP.
We don’t send your customer data to AI.
We use AI tools (code assistants, language models, automation platforms) as part of how we work. Here’s what matters:
- No client PII in AI prompts. We do not send your customers’ names, emails, payment details, or personal data to external AI services unless you explicitly agree in writing.
- Anonymised and aggregated where possible. When we use AI for analysis or drafting, we strip or aggregate data first.
- Training opt-outs enabled. Where AI providers offer the option, we opt out of having engagement data used for model training.
- Commercial tiers only. We use paid, enterprise-grade tools with contractual data handling commitments, not free-tier services.
If you want the full list of tools and exactly what data touches what, we provide that in a signed AI and Data Processing Addendum as part of every engagement.
Credentials never live in code.
Every API key, token, and password is stored in a dedicated secrets manager (encrypted, access-controlled, auditable). Nothing gets committed to a code repository. Nothing gets pasted into a chat. Nothing gets shared in a document.
When the engagement ends, we rotate every shared credential and revoke our access.
Access is scoped and controlled.
- Your workspace is yours. We cannot see another client’s data from your environment.
- Repository access is role-based and individually scoped.
- Multi-factor authentication on every account we use.
- We document exactly what access we need, why, and for how long.
If something goes wrong, you hear about it fast.
If we become aware of a suspected or confirmed security incident affecting your data, we notify you within 48 hours. The notification includes what happened, what data was affected, what we’ve done about it, and what you should do.
We don’t wait until we have the full picture. We tell you what we know, when we know it.
It’s all in writing.
Every engagement includes:
- A Mutual NDA signed before we see anything sensitive.
- A Consulting Services Agreement covering IP, liability, confidentiality, and security obligations.
- A Statement of Work defining exactly what we’re building, what it costs, and what “done” looks like.
- A Security and Governance schedule documenting data classification, access controls, credential management, and offboarding procedures.
- An AI and Data Processing Addendum (on request) listing every tool category, what data it touches, and what controls are in place.
We don’t rely on trust. We document it, sign it, and hold ourselves to it.
Professional Indemnity Insurance.
We carry professional indemnity insurance that covers the consulting services we provide. If you need certificate details for your procurement process, just ask.
Questions?
If you have specific questions about how we handle data, what tools we use, or what our security practices look like, reach out. We’d rather answer the hard questions upfront than have them become problems later.