Security

Security You Can Verify, Not Just Trust

Know exactly where your data goes, who can access it, and how it is processed.

EU & US Residency
AES-256 Encryption
Zero Model Training
GDPR Compliant
Security Status: All Clear
Last checked: 09:41 · 25 Feb 2026
Model Training: Enterprise DPA enforced (Blocked)
Data Retention: Zero retention at model layer (None)
Data Residency: Infrastructure-level enforcement (EU-WEST-1)
Encryption: AES-256 at rest · TLS 1.2+ in transit (Active)
Access Control: Least-privilege · need-to-know basis (Enforced)
Audit Trail: All actions logged and exportable (Enabled)
Compliance: DPA available (GDPR)
7 of 7 checks passing

Security and Control by Design

Full audit trail. Full decision traceability. No data ownership transfer.

Pending Approval — INV-2024-089 (Pending)
Vendor: CloudCo Ltd
Amount: €12,450.00
GL Code: 6200 — Software
PO Match
Approver: CFO
You Stay in Control

Every agent has clear checkpoints. You decide what gets reviewed, what auto-approves, and where the boundaries sit.

AP Agent — Rules
Approval threshold
If invoice exceeds €10,000, route to CFO for approval
GL coding
If vendor category is SaaS, assign GL code 6200 — Software
Duplicate check
If invoice number already exists for this vendor, reject and notify AP team
Configured to Your Rules

Approval thresholds, coding rules, escalation triggers — captured in plain English and enforced consistently.

Agent Reasoning — INV-2024-089
GL Code: 6200 — Software
Vendor CloudCo Ltd categorised as SaaS. Rule: If vendor category is SaaS, assign GL 6200.
Routed to CFO
Amount €12,450 exceeds €10,000 threshold. Rule: If invoice exceeds €10,000, route to CFO.
PO Matched: PO-2024-089
Matched on vendor name + amount ± 2% tolerance.
Nothing Is a Black Box

For every action, you can see where a value came from, which rule was applied, and why the decision was made.

Data Residency
🇪🇺 EU-WEST-1: Active
🇺🇸 US-EAST-1: Available
Infrastructure-level enforcement · Data never leaves region
Data Ownership and Residency

Encrypted in transit and at rest. Never used for model training. Zero retention at the model layer. EU or US residency. GDPR compliant under DPA.

How We Handle Your Data

Transient processing. No data hoarding. Full transparency.

What We Access

Only the data required to execute the agreed workflow. This may include documents, structured ERP data, email content where inbox automation is enabled, and reference data such as vendor lists or chart of accounts.

How We Process It

Processing is real-time and transient. Data is read in memory to execute rules, classification, or extraction logic. Results are written back to your systems. We do not build secondary databases of customer data.

What We Store

Operational logs only. Timestamps, actions, and outcomes required for audit. No raw email content, document attachments, or bank details are retained. Logs are retained while you are a customer.

Encryption

All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256. No exceptions.

Data Residency

You choose where your data is processed and stored: the European Union or the United States. Residency is enforced at the infrastructure level. Your data does not leave your chosen region.

AI Processing and Data Controls

AI is used for classification, extraction, and reasoning. This is how data is handled during processing.

AI Processing Pipeline (Secure)
Your Data (Encrypted)
Invoice INV-92020 · VanSpeed · €1,803.49
Sent via TLS 1.2 · AES-256 at rest
LLM Processing (Zero Retention)
Enterprise API · OpenAI / Anthropic
No model training · DPA enforced
Data deleted after response · not stored
Result Returned (Verified)
GL: 5100 · VAT: 23% · Approval: Dept Head
Written to Xero · Original data not retained
End-to-end encrypted · Zero data retention at model layer

Data Is Transient During AI Processing

No model training on your data

Enterprise data processing agreements prohibit training on customer data.

Zero retention at the model layer

Data is processed for the duration of the API request only. It is not stored after a response is returned.

Enterprise APIs only

Processing occurs through enterprise-tier APIs with contractual data protection commitments.

Questions About Security?

We can provide our DPA, architecture details, and answer questions from your IT or compliance team.
