Encryption in transit and at rest.
TLS 1.3 between every component. AES-256 at rest in customer regions. Per-tenant encryption keys. Customer-managed keys (BYOK) available on Enterprise — revoke a key, revoke access, immediately.
We are a consultancy, not a platform — so the security story is not about our software. It is about how we vet the AI partners we recommend, how we contract them on your behalf, how we build the integration that connects them to your systems, and how we leave the whole thing aligned with the ISO 9001, 14001 and 45001 posture you already hold. This page tells you what’s in place today, what’s in flight, and where we’ll be next year.
Programme in flight. Type I attestation expected Q3 2026; Type II observation period running through 2026.
Information security management system scoped. Certification audit planned H1 2027.
Standard DPA template available pre-signature. UK data residency by default; EU regions on request.
Certified. Renewed annually. The baseline UK assurance most FM tenders specify.
SAML 2.0 and OIDC SSO available on all paid tiers. SCIM provisioning. Role-based access control with workspace isolation. MFA enforced for all administrative actions.
OAuth or service-account scoping per system — we only read and write the fields you explicitly approve. Field-level redaction at the integration boundary for PII and commercial data. Specialist SaaS security partners harden each connector.
Tamper-evident audit log of every read, write, and human review action — with the prompt, the model, the operator and the affected records. Streamed to your SIEM on Enterprise. One-click rollback on writes.
Customer data is never used to train any model, ours or a third party’s. Default retention is 30 days for debugging, configurable down to zero on Enterprise. Models can be pinned to zero-retention provider endpoints.
24/7 on-call rotation. Customer notification within 24 hours of a confirmed incident. Quarterly tabletop exercises. Status page at status.sticklebrick.com. Post-mortems published for any P0 / P1 event.
You approve which fields Sticklebrick can read and write — per system, per workspace. Nothing else is exposed.
PII, commercial fields and customer identifiers are masked at the source side of the integration before they leave your perimeter.
TLS 1.3 with certificate pinning between the connector and the platform. Outbound calls only — never callbacks into your network.
Every write is logged with a one-click reverse. High-stakes writes (customer comms, financial postings) require human approval by default.
Every event is hashed into the tamper-evident audit log and streamed to your SIEM in near real time.
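As an added illustration of the five-step flow above (this is example code, not Sticklebrick's own implementation, and the page does not describe its exact hashing scheme), the Python below models the three controls that are mechanisms rather than policy: an approved-field allow list enforced per system and workspace, masking of PII and commercial fields before a record leaves the source side, and a hash-chained audit log in which every entry commits to the previous entry's hash, so any edit to an earlier event breaks verification. The system and workspace names, the field policy, the masking rule and the sample records are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: fields each (system, workspace) pair may read and write.
# "crm" and "ops" are hypothetical names, not from the page.
FIELD_POLICY = {
    ("crm", "ops"): {
        "read": {"ticket_id", "site", "status", "contact_email", "notes"},
        "write": {"status", "notes"},
    }
}

# Constructed list of PII / commercial fields that must never leave unmasked.
MASKED_FIELDS = {"contact_email", "invoice_value"}


def mask(value: str) -> str:
    """Irreversible mask: a short digest keeps records matchable across calls
    without exposing the value itself (assumed masking rule)."""
    return "masked:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def filter_and_redact(system: str, workspace: str, record: dict) -> dict:
    """Step 1 and 2: keep only approved read fields, then mask sensitive ones.
    Unapproved fields are dropped before anything is exposed."""
    allowed = FIELD_POLICY[(system, workspace)]["read"]
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue
        out[field] = mask(str(value)) if field in MASKED_FIELDS else value
    return out


def check_write(system: str, workspace: str, changes: dict) -> None:
    """Refuse a write that touches any field outside the approved write set."""
    denied = set(changes) - FIELD_POLICY[(system, workspace)]["write"]
    if denied:
        raise PermissionError(f"write to unapproved fields: {sorted(denied)}")


def canonical(obj) -> bytes:
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Step 4 and 5: tamper-evident log. Each entry records the prompt, model,
    operator and affected records, plus the hash of the previous entry."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, action, operator, model, prompt, records, before=None, after=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "operator": operator, "model": model,
            "prompt": prompt, "records": records,
            "before": before, "after": after, "prev": prev,
        }
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute the chain; returns (True, n) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return (False, i)
            prev = entry["hash"]
        return (True, len(self.entries))

    @staticmethod
    def siem_line(entry) -> str:
        # One JSON line per event, the shape a forwarder would stream to a SIEM.
        return json.dumps(entry, sort_keys=True)


def rollback(entry: dict) -> dict:
    """Step 4: the reverse of a logged write is simply its 'before' snapshot."""
    if entry["action"] != "write":
        raise ValueError("only writes can be rolled back")
    return entry["before"]


if __name__ == "__main__":
    # Constructed source record containing an unapproved field and PII.
    raw = {"ticket_id": "T-1", "contact_email": "jo@example.com",
           "invoice_value": 1200, "notes": "boiler fault"}
    log = AuditLog()
    log.append("read", "ops-user", "model-x", "summarise ticket", ["T-1"])
    check_write("crm", "ops", {"status": "closed"})
    entry = log.append("write", "ops-user", "model-x", "close ticket", ["T-1"],
                       before={"status": "open"}, after={"status": "closed"})
    print(filter_and_redact("crm", "ops", raw))
    print(log.verify(), rollback(entry), AuditLog.siem_line(entry))
```

The masking runs inside `filter_and_redact`, that is, on the source side of the boundary, so the platform never sees the raw email or invoice value; and because the chain hash covers the previous hash, editing or deleting any earlier entry is detected by `verify()` at the point where it was altered.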
A current list of third parties that may process customer data on our behalf. We’ll notify customers in writing 30 days ahead of any addition.
| Provider | Purpose | Region | Certifications |
|---|---|---|---|
| Amazon Web Services | Application hosting, primary storage | UK (eu-west-2) | SOC 2 · ISO 27001 · UK G-Cloud |
| Anthropic | Foundation model inference (zero-retention) | EU / US | SOC 2 · zero retention |
| OpenAI | Foundation model inference (zero-retention) | EU / US | SOC 2 · zero retention |
| Datadog | Observability and performance monitoring | EU (Frankfurt) | SOC 2 · ISO 27001 |
| Stripe | Billing and invoicing | UK / EU | SOC 2 · PCI DSS L1 |
| Okta (Auth0) | Identity and SSO | EU (Frankfurt) | SOC 2 · ISO 27001 |
Last reviewed · May 2026 · Subscribe to changes at security@sticklebrick.com
Customer data is pinned to a single region per tenant. UK is the default; EU regions are available on request. Cross-region transfer requires explicit customer opt-in — we won’t move your data without telling you first.
For regulated buyers, we can deploy into your own VPC so that customer data never leaves your network at all, with the platform running as a private deployment under your encryption keys.
Default region. UK GDPR compliant. All customer data, audit logs and backups remain in-region.
EU residency option. Same security posture, GDPR adequacy decision applies.
Private deployment inside your AWS / Azure / GCP account. Customer-managed keys, your network, your logs.
Pre-prepared answers to your CISO questionnaire, our DPA template, a current sub-processor list, a network diagram, and the most recent penetration-test summary. NDA available on request.
The fastest way to evaluate Sticklebrick is the 10-minute data readiness assessment, followed by a 20-minute working call. We’ll tell you straight what we can connect and what we can’t.