Trust / Security & data
Confidentiality is architecture, not a promise.
A policy document tells you what a supplier intends. Architecture tells you what is possible. GRABS builds separation, ownership and revocation into how every team is constructed, so the confidentiality a law firm, an accountancy or a bank needs is a fact you can inspect, not an assurance you extend.
Per-client isolation
One client never touches another. Each engagement runs in its own isolated environment, and nothing learned, stored or processed for one client is visible to, or reused for, any other. Separation is a property of the architecture, not a clause in a policy.
Least-privilege access
GRABS workers use their own scoped identities, never your credentials. Each identity carries only the access the job spec requires, so there is no shared password to rotate, no standing access to audit away after the term, and every action is attributable to the worker that took it.
You own the data
Your data is yours throughout, and so is everything built on it. The vault, the playbooks, the trained processes and the attestation records are the client's property, in full, from the first day of the engagement to the last. At the end of the term, or on request, your data is handed back or deleted. You decide what is kept.
The vault is portable
The vault is the team's personnel file: your context, voice, access and compliance rules, structured and governed. At handover it leaves with you, which means every engagement makes your business permanently more capable, whether or not the relationship continues.
Every action logged and attributable
Every action a worker takes is logged with the identity that took it, including every access to the vault. The record is compliance-grade, it belongs to you, and it survives the engagement, ready for your auditor before they ask.
The sixty-second switch
If trust breaks, access ends in sixty seconds. Revocation is enforced in code across every identity the team holds, with no notice period. Revocation this fast is itself a security control.
Data protection and GDPR.
UK and EU GDPR
Engagements are run to UK and EU GDPR. We act as your processor, under your instructions.
A data processing agreement
A DPA is signed as part of the contract, setting out purpose, handling and the term.
Data-subject requests
Access, correction and erasure requests are supported and logged.
Encrypted in transit and at rest
Data is encrypted moving to and from the worker, and while it is stored.
The security strip, verbatim
- Per-client isolation. One client never touches another.
- The AI worker's own identities, never yours.
- A sixty-second sacking switch.
- Every action logged and attributable.
Put the questions to us directly.
A scoping call walks your compliance or IT lead through isolation, identities, logging and the vault, against your own requirements.
Book a scoping call