Security & Compliance

Built for regulated industries from day one — not retrofitted before launch.

Infrastructure Security

Zero Public Data Exposure

All data stores — database, object storage, secrets — use private endpoints only. No public internet access to your data.

  • Database: Private endpoint, TLS 1.2+, encryption at rest
  • Storage: Private endpoint, immutable backups, 30-day soft delete
  • Secrets: Azure Key Vault with RBAC, 90-day retention, purge protection

Web Application Firewall (WAF)

Azure Front Door Standard with custom rules in Prevention mode

  • Rate limiting: 100 requests/min per IP
  • Auth endpoints: 5 requests/15min
  • Blocks malicious user agents
  • Blocks sensitive paths (.env, .git)

Network Security

  • VNet isolation with Network Security Groups
  • Private DNS for internal name resolution
  • TLS 1.3 on applications
  • Managed Identity (no connection strings)

Application Security

Authentication

  • Microsoft Entra External ID (CIAM)
  • Multi-factor authentication (MFA)
  • No passwords stored — SSO only
  • JWT with short-lived tokens

Access Control

  • Role-Based Access Control (RBAC)
  • Workspace-level permissions
  • Agent approval workflows
  • Least privilege by default

Data Protection

  • PII detection in agent executions
  • IP address anonymisation in logs
  • Sensitive data redaction
  • GDPR-compliant retention (30 days)

Compliance & Certifications

Audit Readiness

  • ISO 27001: 10/10 control areas implemented (roadmap)
  • SOC 2 Type II: All Trust Services Criteria met (roadmap)
  • Cyber Essentials Plus: 5/5 controls implemented
  • NHS DSPT: IT Protection Level 3

GDPR Compliance

  • Data Protection by Design (Art. 25)
  • Records of Processing (Art. 30)
  • Security of Processing (Art. 32)
  • Breach Notification Capability (Art. 33)
  • Data Subject Rights Support

Audit & Monitoring

Full Audit Trail

  • Every agent execution logged
  • User actions tracked (who, what, when)
  • Version control for all agents
  • 90-day security log retention
  • Tamper-proof audit logs

Threat Detection

  • Microsoft Defender for Cloud (4 services)
  • Real-time security alerts
  • Authentication event monitoring
  • WAF block notifications
  • Compliance dashboard & reporting

Business Continuity

Data Redundancy

  • Geo-redundant storage (GRS)
  • UK West → UK South replication
  • Automatic failover capability

Backup & Recovery

  • 30-day soft delete (storage)
  • 90-day soft delete (secrets)
  • Blob versioning enabled

Availability

  • Auto-scaling (1–5 replicas)
  • Health monitoring & probes
  • 99.9% SLA (Enterprise tier)

Questions about our security?

We're happy to discuss our security posture, provide additional documentation, or complete your security questionnaires.

Book a DemoContact Security Team