Security and trust

Built for IT.
Signed off by Legal.

Your security team should not have to take a sales deck on faith. SOC 2 Type 1, UK GDPR, UK data residency, per-tenant isolation, and a hard line on model training. Here is what we hold, in plain English, with the pack to back it.

  • SOC 2 Type 1
  • UK GDPR
  • No model training

The controls

Eight things, before the procurement call.

Every claim on this page is documented elsewhere on the site, in the DPA, or in the security review pack. If a detail is not written down, we do not state it.

  • 01

    SOC 2 Type 1

    Audited by A-LIGN in 2025, covering Security, Availability, and Confidentiality. The report is available to customers and prospects under NDA.

  • 02

    UK GDPR

    Handle Technologies Ltd is UK-headquartered and processes personal data under the UK GDPR. Any transfer outside the UK is covered by the Standard Contractual Clauses together with the ICO's UK Addendum.

  • 03

    UK data residency

    The Platform runs on Google Cloud Platform, with the primary database in the London region (europe-west2). The path your data takes, including the AI-inference calls that leave the UK, is documented rather than assumed.

  • 04

    No model training

    Customer data is never used to train or fine-tune any model, by us or by the AI providers we call. Requests are used for inference only. The providers' enterprise terms commit to this, and our DPA codifies it.

  • 05

    Per-tenant isolation

    Isolation is at the company (tenant) level. No customer's data is ever accessible to another customer, and a coach configured for your account cannot see anything from anyone else's.

  • 06

    Security review pack

    Architecture, the full sub-processor list, and the SOC 2 report sit in one pack. Available under NDA, so your security team can do their job before you sign.

  • 07

    Annual pentesting

    Independent penetration testing runs annually against the Platform. Findings are remediated on a tracked timeline, and the latest report is available to customers under NDA.

  • 08

    SOC 2 Type 2 in flight

    A Type 1 report attests that our controls were suitably designed at a point in time. A Type 2 report attests that they operated effectively over an observation period, and we are in that window now. The completed Type 2 report follows on the standard timeline.

The detail

Three questions every security team asks.

  • Where it sits

    UK-resident, with one honest exception.

    The Platform and primary database run on Google Cloud Platform in the London region. The exception: calls to our AI providers reach US infrastructure, covered by the Standard Contractual Clauses and the UK Addendum, the standard legal mechanism for UK-to-US transfers. We do not hide the exception; we document it.

    A US-managed variant is on the way for US customers who need their primary data in-region. Talk to us if that is a requirement.

  • Who touches it

    Every sub-processor is named.

    There is no quiet list. The full set of sub-processors, with location and processing detail, lives in Annex 2 of the DPA. We notify customers 14 days before adding a new one, and you get the right to object.

  • What we never do

    Your data does not train anyone’s model.

    No customer data is used to fine-tune any LLM, ours or a provider’s. It is not sold, not shared with other customers, not turned into a derivative product. The coaching runs on inference against your data, and then your data stays yours.

The documents

Read it for yourself.

How we use your data

The plain-English read. What we collect, what we do with it, where it sits, and the things we will never do. No clauses.

Read the data page

Data Processing Agreement

The binding document. Roles, security obligations, sub-processing rules, and the full sub-processor list in Annex 2.

Read the DPA

Security review pack

Architecture, the full sub-processor list, and the SOC 2 Type 1 report. Available under NDA for security and procurement review.

Request the pack

FAQ

Quick answers.

  1. What certifications do you hold?
    SOC 2 Type 1, audited by A-LIGN in 2025, covering Security, Availability, and Confidentiality. UK GDPR is a legal regime rather than a certification; as a UK-headquartered company we process data under it. The SOC 2 report is available under NDA.
  2. Where is our data stored?
    The Platform runs on Google Cloud Platform, with the primary database in the London region. AI inference calls reach US infrastructure under standard contractual clauses and the UK Addendum. The full data path is set out in the DPA and the plain-English data page.
  3. Is our data used to train AI models?
    No. Customer data is never used to train or fine-tune any model, by us or by the AI providers that power the coaches. The providers we use commit to the same in their enterprise terms, and our DPA codifies it. Inference only.
  4. Can one customer’s data reach another?
    No. We run company-level tenant isolation. No customer’s data is accessible to another customer. A coach configured for your account cannot see anything from anyone else’s account.
  5. Can our security team review you before we sign?
    Yes. We keep a security review pack: architecture, the full sub-processor list, and the SOC 2 Type 1 report. It is available under NDA so your security or procurement team can do a proper review before any contract.
  6. How do you handle new sub-processors?
    The current sub-processor list lives in Annex 2 of the DPA. Before we add a new one, we notify customers 14 days in advance with details of what it will process, and you have the right to object on data-protection grounds.

Send it to your security team

The review pack covers architecture, sub-processors, and the SOC 2 report. Request it under NDA and let them do a proper review before you commit.

Request the security pack
  • SOC 2 Type 1
  • UK GDPR
  • Per-tenant isolation