We treat your data with the same rigour we bring to engineering: privacy by design, security by default, transparency always.
Our data protection practices align with major global privacy regulations and standards.
EU General Data Protection Regulation: full compliance for EU/EEA data subjects, including lawful basis documentation and DPA agreements
Digital Personal Data Protection Act: data principal rights, consent framework, and data fiduciary obligations
Health Insurance Portability and Accountability Act: for healthcare client engagements involving PHI/ePHI
Payment Card Industry Data Security Standard: for projects handling cardholder data in fintech and e-commerce
International information security management standard: our infrastructure and processes are aligned to ISO 27001 controls
Trust Service Criteria for security, availability, and confidentiality: our cloud operations run on AWS and GCP infrastructure that is covered by those providers' SOC 2 reports, and our own controls build on that foundation
Seven foundational principles that govern how we handle personal and client data.
We only process personal data where we have a valid legal basis (consent, contract, legal obligation, or legitimate interest), and we are always transparent about what data we hold and why.
Personal data is collected for specified, explicit, and legitimate purposes. We never use it in ways incompatible with those purposes.
We collect only the data that is necessary for the stated purpose. If a project can be delivered with less data, we use less data.
We take reasonable steps to keep personal data accurate and up to date. Data subjects can request correction of inaccurate records at any time.
We retain personal data only for as long as necessary and have documented retention schedules for all data categories. Data is securely deleted or anonymised when retention periods expire.
We use AES-256 encryption at rest, TLS 1.3 in transit, strict access controls, and regular security audits to protect data against unauthorised access, loss, or destruction.
We maintain records of processing activities, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and appoint a Data Protection contact for all privacy queries.
As a data subject, you have the following rights over your personal information. We respond to all requests within 30 days.
Request a copy of the personal data we hold about you
Request correction of inaccurate or incomplete data
Request deletion of your data where no legal basis for retention exists
Receive your data in a structured, machine-readable format
Object to processing based on legitimate interests or direct marketing
Request that we limit processing in certain circumstances
Withdraw consent for consent-based processing at any time
Lodge a complaint with your national data protection authority
The technical and organisational measures we use to protect your data.
AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Encrypted backups with offsite storage.
Role-based access (RBAC) with least privilege. Multi-factor authentication enforced for all team members. Privileged access reviews quarterly.
Annual penetration testing by independent security firms. Continuous vulnerability scanning. SIEM-based threat monitoring.
Automated daily backups with 30-day retention. Cross-region replication for critical systems, which carry an RTO of under 4 hours and an RPO of under 1 hour.
All data classified as Public, Internal, Confidential, or Restricted. Handling procedures defined for each classification level.
Documented data breach response plan. Notification to the supervisory authority within 72 hours of becoming aware of a notifiable breach. Affected individuals notified without undue delay.
Contact our data protection team for any privacy requests, DPA agreements, or compliance questions.