Data Security & Compliance

At Aligned Minds AI, protecting your data is fundamental to how we operate. This page outlines our security measures, compliance standards, and commitment to responsible AI practices.

Where Your Data Is Stored

All client data is stored on enterprise-grade US-based cloud infrastructure, specifically Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure, depending on the specific tools and integrations used.

  • Data centres are SOC 2 Type II and ISO 27001 certified
  • Geographic redundancy ensures high availability and disaster recovery
  • All data is encrypted at rest using AES-256 encryption
  • Data in transit is protected with TLS 1.3 encryption

For UK and EU clients, we ensure compliance with international data transfer requirements through appropriate safeguards including Standard Contractual Clauses (SCCs) and adherence to the UK-US Data Bridge framework where applicable.

Access Controls

We implement strict access controls to protect your data:

  • Role-based access control (RBAC) - Team members only have access to data necessary for their specific role
  • Multi-factor authentication (MFA) - Required for all system access
  • Principle of least privilege - Access permissions are minimised by default
  • Regular access reviews - Permissions are audited quarterly and upon role changes
  • Audit logging - All data access is logged and monitored for anomalies

Client data is logically separated, ensuring your information is never accessible to other clients or unauthorised personnel.

Data Retention & Deletion

We maintain clear policies on how long we keep your data:

  • Active client data - Retained for the duration of our engagement plus a reasonable wind-down period
  • Lead generation campaign data - Prospect data is retained only as long as needed for active campaigns
  • Upon contract termination - Client data is deleted within 90 days unless longer retention is legally required or specifically requested
  • Right to deletion - You can request deletion of your data at any time, subject to legal retention requirements

We provide written confirmation of data deletion upon request. Backups are purged according to our retention schedule, typically within 30 days of primary data deletion.

AI Systems & Your Data

We do not use client data to train AI models. Your data is never used to improve our systems or shared with third-party AI providers for training purposes.

Our AI systems operate with the following safeguards:

  • AI processing uses industry-standard APIs with enterprise data protection agreements
  • Prompts and outputs are not stored by AI providers beyond immediate processing
  • We use providers that offer explicit opt-out from model training (e.g., OpenAI API, Anthropic)
  • All AI-generated content is reviewed before client delivery

The AI tools we use for lead generation and workflow automation (such as Instantly, Smartlead, and similar platforms) process data only for the specific tasks you engage us for, with no secondary use of your information.

Regulatory Compliance

We comply with applicable data protection regulations including:

  • UK GDPR - Full compliance with UK data protection requirements
  • EU GDPR - For European Economic Area data subjects
  • CAN-SPAM Act - US email marketing compliance
  • CASL - Canadian Anti-Spam Legislation compliance

For details on our email outreach compliance approach, please see our Email Outreach Compliance page.

Questions About Data Security?

If you have any questions about our data security practices or would like to discuss specific compliance requirements for your organisation, please contact us:

info@alignedmindsai.com