THREESIXTY.

Trust center

Trust, compliance & operations security

Procurement-friendly summary of how we protect your data, limit blast radius, and give security teams evidence they can validate, while keeping agents operational around the clock.

Global compliance

Personal and sensitive data processing stays within the boundaries you define. GDPR-aligned practices apply to enquiries and contracted delivery; UK and EU transfers use appropriate safeguards (e.g. UK IDTA / EU SCCs) where applicable.

We describe our posture as SOC 2 ready: controls and evidence are mapped to common questionnaire themes so your security team can validate quickly during vendor review.

Secrets & credentials

Provider API keys and operational secrets are stored in a dedicated secrets manager, not scattered in config files. Your security team gets rotation visibility so they know when credentials were last updated.

Technical controls: secrets

Provider API keys and operational secrets are managed through Infisical on our ops stack. Command Center tracks centrally managed provider credentials with rotation visibility.

Network isolation

Customer agent machines join a private mesh with hub-and-spoke access: ops can reach agents for continuity work; agents cannot reach each other. That limits lateral movement if a single runtime is compromised.

Technical controls: networking

Customer Claw machines join a Tailscale mesh with hub-and-spoke ACLs: Command Center and ops infrastructure can reach agents on port 8000; Claws cannot reach each other.

Remote operations & session audit

When restoring an agent to last known good state, human operators use secure, browser-based remote access with session audit where agreed. Access follows least privilege, is limited to scoped systems, and actions are tied to the platform audit log.

Technical controls: remote access

We use MeshCentral and Guacamole for browser-based access with session audit where agreed, with no lateral movement outside scoped systems.

Safety & audit evidence

Safety policies are enforced at the agent and gateway layers, with violations reported into Command Center for review. Operator and system actions are recorded in an immutable audit log suitable for SOC 2 and internal review. See our safety & governance overview for portal reporting and governance features.

Technical controls: ClawGuard

ClawGuard enforces policies at the agent and gateway layers: tool validation, request inspection, and violation reporting into Command Center.

Data residency & sovereignty

Your data does not need to leave your chosen sovereign territory for routine continuity work: workloads remain in your cloud or hosting boundary where you require it. We coordinate access, change windows, and logging so residency commitments stay intact.

Security contact

For vulnerability reports and security questionnaires, reach out through your commercial contact or start an AI Health Audit request so we can route you to the right owner.