Atlas Strategy builds bespoke AI software for UK SMEs. The firms we work with handle sensitive data every day. Patient records, legal files, financial accounts. Our job is to make AI useful without making that data anyone else’s problem.
Here is how we approach it.
§ 01 Your data lives in your cloud
For bespoke engagements, we build your system on infrastructure you own. You sign up for the hosting accounts, pay for them directly, and hold the keys. We get operator access the same way an outside developer works with any internal team. You can revoke it at any time, from your own admin panel.
The practical effect: if you ever stop working with us, there is nothing to migrate. The code is yours, the data is yours, the infrastructure is yours.
For our productised tools, the scope is narrow enough that we host a per-client instance ourselves, with a clear deletion clock at retainer end. You will know which model applies before you sign anything.
§ 02 UK or EU hosting by default
Your data is stored in UK or EU regions of our cloud providers (Supabase, Vercel, Railway). US regions are only used on written request, never as a default. This is flagged and agreed in the scope of work for every engagement.
§ 03 AI inference under published commercial terms
We use Claude, Anthropic’s AI model, under its published Commercial Terms. Three things matter here.
No training use. Your data is never used to train Claude models.
30-day retention. Inputs and outputs are kept by Anthropic for up to 30 days to detect misuse, then deleted.
Published DPA. Anthropic maintains a Data Processing Agreement covering its role as our sub-processor. We reference it in every client DPA.
§ 04 A DPA is signed before we touch real data
We do not touch production data without a Data Processing Agreement in place. Ours is aligned to UK GDPR Article 28. It lists the sub-processors we use (Anthropic for AI, Supabase for storage, Vercel and Railway for hosting, Bitwarden for credentials), the data residency commitment, and the retention and deletion timelines.
If your compliance lead has questions or wants changes, we work through them at scope-of-work stage. We would rather have that conversation up front than discover a blocker mid-build.
§ 05 Credentials are vaulted and rotated
Any credentials we hold on your behalf during an engagement live in Bitwarden, our credential vault. They are encrypted at rest and access is restricted to the operator of the firm. When the retainer ends they are rotated, by you or by us with your sign-off.
§ 06 What happens when we part ways
Every engagement has a defined exit runbook.
Within 48 hours: our operator access is removed from every one of your systems. You receive written confirmation.
Within 7 days: any credentials we were holding are rotated.
Within 14 days: any copies of your data in our development environment are deleted. You receive written confirmation.
Within 30 days, productised tools only: production data on our hosted instance is purged or transferred back to you.
You do not have to ask. This is how every engagement ends.
§ 07 If something goes wrong
A suspected breach, a credential leak, a system compromise: you hear from us within 24 business hours of discovery. Your named contact gets a direct call or SMS, followed by a written summary. If the incident is a personal-data breach under UK GDPR, we support you as the data controller through the 72-hour ICO notification window.
We are a small firm, not a 24/7 on-call service. The response is best-effort across business hours and evenings, not a round-the-clock SLA. For the scale of the systems we build, that is the right level. If your use case needs round-the-clock cover, we will tell you we are not the right fit.
§ 08 What we don’t claim
We do not claim ISO 27001 certification, Cyber Essentials Plus, or SOC 2. Those frameworks are built for larger operations. We operate in alignment with UK GDPR, the Data Protection Act 2018, and Cyber Essentials guidance, but we do not hold the certifications and we do not pretend otherwise.
If you specifically need a certified vendor, we will tell you we are not the right fit.
§ 09 Questions
If you are evaluating Atlas Strategy and want to dig into any of this, email contact@atlasstrategy.co.uk with “Security” in the subject. The detailed client whitepaper and DPA are available at proposal stage. See also our privacy policy.