Security & data handling
The short version, in the open.
Most of our security detail lives in a pack we share under NDA. The principles behind it don't need to. Here's how we handle your data, on one page, before you've signed anything.
How we work with your data.
01
UK data residency by default
Your data stays in the UK unless you ask otherwise. We're a UK team in Leamington Spa, working UK hours, and we keep client data inside UK jurisdiction by default.
02
ISO 27001 aligned
We work to ISO 27001-aligned controls across access, change management, and data handling. We are not claiming certification — we are telling you the standard we hold ourselves to, and we will walk you through the detail under NDA.
03
You own the code
Whatever we build is yours — the code, the models we configure, the data and the pipelines. No lock-in to us as a vendor, no per-seat licence on your own system.
04
Human oversight, by design
The systems we ship assist and draft; a person stays in the loop on anything that carries consequences. Confidence thresholds and review steps are built in from day one, not bolted on after.
Where we've delivered
Built for regulated sectors.
We've shipped production systems into financial services, legal, and healthcare — sectors where getting data handling wrong has consequences beyond a bad demo. That work shapes how we build everywhere else.
When a build touches privileged or regulated data, we can keep it inside your network: self-hosted embeddings, a vector store on your own infrastructure or private cloud, and nothing sensitive leaving the perimeter. Where regulators or insurers need it, we design in an audit trail — every query, retrieved passage, and model response logged and reviewable.
This website
What this site itself collects.
- The contact form delivers your enquiry to our inbox via Google Apps Script. We don't sell or share it.
- Analytics and measurement (Google Analytics 4, LinkedIn Insight Tag) only load if you accept the cookie banner. Reject, and nothing loads.
- Full detail is in our cookie policy and privacy policy. A security contact is published at /.well-known/security.txt.
Due diligence
The full pack, under NDA.
If you're seriously evaluating us, we'll share the rest under NDA: our security posture in detail, data handling notes, the delivery approach, and client references. Ask on your discovery call, or email hello@appoly.co.uk.
Twenty minutes. No deck.
A short call first. We'll talk through what you're looking at, give you an honest read on whether AI fits, and roughly what it would cost to find out properly.