Security
Single-tenant by design
Every CompleteFlow deployment runs in its own isolated environment. No shared databases, no shared model endpoints, no shared inference, no multi-tenant SaaS. Deploy in your own cloud tenancy, on your own hardware, or in a dedicated instance we operate for you.
Single-tenant deployment
Every customer gets an isolated environment. No shared databases, no shared application instances, no shared model endpoints. Deploy in your own Azure, AWS, or GCP tenancy, on your own hardware, or in a dedicated instance we operate exclusively for you. There is no multi-tenant SaaS option, because regulated work cannot share infrastructure with another customer.
Data residency
Your data stays where you need it. UK, EU, or whichever region your compliance framework requires. No data leaves the region you choose. Logs, vector indexes, prompt caches, and model endpoints all sit inside the same boundary.
Zero-training model access
CompleteFlow connects to Anthropic and OpenAI through their commercial API tiers, which exclude customer data from training. Anthropic's commercial terms make this explicit. OpenAI's API has done the same by default since March 2023. For Azure OpenAI deployments, requests stay inside your Azure tenancy and are never accessible to OpenAI. Your prompts, documents, and outputs are never used to improve any foundation model.
Encryption and key management
AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Encryption keys are held in your own Azure Key Vault or AWS KMS instance. CompleteFlow has no access to your keys and no ability to decrypt your data outside the runtime you control.
Responsible AI principles
Every AI decision includes a reasoning trace. Configurable approval gates route high-risk actions to human review before they take effect. Output logging supports bias review, audit, and post-hoc analysis. No black boxes: you can inspect, explain, and audit every agent decision.
Per-user identity and access
Agents act on behalf of the user who initiated the workflow, using that user's permissions through delegated OAuth (Microsoft Entra ID, Okta, or similar). Agents do not have their own credentials to backend systems. A user who cannot see a matter cannot trigger an agent to see it either.
Penetration testing and vulnerability management
Annual third-party penetration testing by CREST-accredited providers. Continuous vulnerability scanning across all platform components. Responsible disclosure programme for security researchers. Findings are tracked through the vulnerability management process documented in the trust centre.
GDPR and UK GDPR
Data processing agreements for every deployment, data minimisation by design, right to erasure support, data portability, breach notification procedures within the 72-hour window, and a designated Data Protection Officer. Cross-border transfer risk is mitigated structurally by deploying within the UK or EU region of your choice.
SOC 2 Type II readiness
CompleteFlow implements the SOC 2 Trust Service Criteria controls: access management with role-based permissions, continuous monitoring and alerting, change management with audit trails, incident response procedures, and vendor risk management. Formal SOC 2 Type II certification is on the roadmap.
ISO 27001 roadmap
We are working toward ISO 27001 certification. The information security management system (ISMS) follows ISO 27001 controls covering risk assessment, access control, cryptography, operations security, and supplier relationships. The supporting policies are published in the trust centre.
Security FAQ
Where is customer data stored?
You choose the deployment region. Most UK customers run CompleteFlow in Azure UK South or AWS eu-west-2. Data never leaves the region you configure. For on-premises deployments, data stays inside your network entirely.
Who holds the encryption keys?
You do. CompleteFlow integrates with Azure Key Vault and AWS KMS so encryption keys are owned, rotated, and revoked by your security team. CompleteFlow staff have no access to your keys or the data they protect.
Is customer data used to train AI models?
No. CompleteFlow connects to Anthropic and OpenAI through their commercial API tiers, which exclude customer data from training. For Azure OpenAI deployments, data stays inside your Azure tenancy. Open-weight models run inside your environment and never transmit data to any third party.
How does CompleteFlow approach SOC 2 and ISO 27001?
CompleteFlow implements the SOC 2 Trust Service Criteria controls (access management, monitoring, change management, incident response, vendor risk) and is working toward ISO 27001 certification. The information security management system follows ISO 27001 controls and is documented in the trust centre.
How does the platform support GDPR and UK GDPR?
Data processing agreements for every deployment, data minimisation by design, support for the right to erasure and data portability, 72-hour breach notification procedures, and a designated Data Protection Officer. Cross-border transfer risk is mitigated by deploying within UK or EU regions of your choice.
What does penetration testing and vulnerability management look like?
Annual third-party penetration testing by CREST-accredited providers, continuous vulnerability scanning across platform components, and a responsible disclosure programme for security researchers. Findings are tracked through the firm-grade vulnerability management process documented in the trust centre.
Can our CISO review the architecture?
Yes. The full architecture, data flow diagrams, identity model, and security controls are documented in the trust centre. We will walk security teams through specific concerns and provide the documentation required for vendor onboarding.
Looking for our security policies and trust documents? See the trust centre for the information security policy, data protection policy, incident response plan, and supplier management policy.
Questions about our security posture?
We're happy to walk your CISO or security team through our controls, provide our security documentation, and discuss your specific requirements.