Agentic Tech Automations
Security & trust

Quietly reliable. By design.

We treat security the way we treat uptime. Invisible when it works, catastrophic when it doesn’t. Here’s how we set up every engagement to keep it the first kind.

Your data stays in your systems.

We don’t copy your production data to our laptops or servers. The automations we build run inside your accounts: your Zoho, your QuickBooks, your cloud, your storage.

Only the access we actually need.

Every automation runs with the smallest permissions it needs to do the job. We write down what each part touches, why, and we agree it with you before anything goes live.

Customer data, handled carefully.

Customer information gets isolated, logs get redacted, and we keep a clear map of what data each automation sees. We’ve worked inside healthcare, finance and government workflows where this isn’t optional.

Every action, logged.

Every decision an automation makes (what it read, what it did, what it skipped) is recorded in a tamper-evident audit log. If something goes wrong, you can always answer ‘what happened?’

A human for the important moments.

Moving money, sending contracts, mailing customers: every high-stakes action has a checkpoint where a person on your team has to say yes.

Ready for the day something breaks.

On-call rotation, written runbooks, and a documented rollback for every automation. We design for the bad day, not just the happy path.

How a system goes live

The same five steps for every project, big or small.

Whether we’re building a five-person back-office tool or a system that touches every customer, the safety steps don’t change.

Before we build

Map the data, agree the access

Before we write a line of code, we agree on what data each part of the automation needs to see, and what permissions it needs to do its job.

While we build

Reviewed and scanned

Every code change is reviewed by another engineer and scanned for security issues and accidentally committed secrets before it reaches anything live.

Before go-live

Tested end-to-end

We run the automation against real-world examples and edge cases until we’re confident it does the right thing, and the safe thing, every time.

Once it’s live

Watched and audited

Live logs, automated alerts when something looks off, and a quarterly access review with your team to confirm only the right people and systems are touching things.

When something goes wrong

Honest write-ups

Every incident gets a written explanation: what happened, why, what we changed. We share it openly with you, not after a comms team has cleaned it up.

Frameworks we align with

The standards we build to.

We’re not a certified compliance vendor, but we ship inside teams that need to be, and we set every engagement up the same way.

SOC 2
HIPAA
GDPR
ISO 27001
PCI DSS
UAE PDPL

Tools we use, and what they see

The default list. Your build may use fewer.

Every automation we deploy ships with a clear list of the tools underneath it, and what data each one can touch.

AWS / Google Cloud / Microsoft Azure: where automations run. Your cloud account, your encryption keys.
OpenAI / Anthropic / Google AI: AI that reads documents and makes decisions. Zero-retention API agreements where required.
Postgres / Supabase: where structured data lives, typically inside your own account.
Make / n8n / Temporal: workflow runtimes, self-hosted in your environment for sensitive data.
Sentry / OpenTelemetry: error tracking and traces, with sensitive data scrubbed automatically.
GitHub: where the code lives. Your repo or ours, your call.

Security questions? Send them over.

We’ll share our security policy, a sample data map and a recent pen-test summary on request, under NDA when needed.