The page you hand to procurement.

Everything you need to know about how we handle data, where it lives, and what we're certified for — in one place.

Where your data lives.

Default: EU residency. All agents run on Claude (Anthropic) via AWS Bedrock with an EU-only geographic inference profile. Prompts and completions never leave the EU geographic boundary — AWS contractually guarantees this. Protected under Anthropic's HIPAA-ready enterprise Business Associate Agreement.

Optional: UK-only residency. For customers who specifically require data to stay within the UK — typically NHS Integrated Care Boards, larger care groups, or local authority-commissioned services with strict procurement requirements — we offer deployment on Azure OpenAI in the UK South region. Available as a premium enterprise add-on on request.

What we never do.

  • Train AI models on your data. Zero data retention. Prompts and completions are not stored beyond the duration of the request and are never used to train or fine-tune any model.
  • Share data between customers. Per-customer tenant isolation. Your data is logically and operationally separated from every other customer.
  • Process data outside agreed boundaries. EU by default, UK on request. No exceptions. No “sometimes it routes through the US for performance” caveats.
  • Skip the human. Every agent output is a draft. A registered manager or appropriate qualified person reviews and approves before anything is finalised. Human-in-the-loop is a design principle, not an afterthought.

What we do.

  • Audit logging. Every agent interaction is logged in a UK-region log store. Exportable for CQC inspections, internal audits, or safeguarding reviews.
  • Tenant isolation. Per-customer data separation. No shared databases, no shared model contexts.
  • Data Processing Agreement. Per-customer DPA under UK GDPR, with explicit Article 9 lawful basis for processing special category health data.
  • DPIA template. We provide a pre-filled Data Protection Impact Assessment template you can drop into your own records. Available on request.

Who touches your data.

Anthropic (via AWS Bedrock)

AI model provider — default deployment

Claude models accessed via AWS Bedrock EU inference profile. EU data residency. Zero data retention. HIPAA BAA in place.

Amazon Web Services

Cloud infrastructure — EU region

Hosting, compute, and Bedrock inference. EU-only geographic boundary. Standard AWS data processing addendum.

Microsoft Azure

Optional — UK South region, enterprise customers only

Azure OpenAI deployment for customers requiring UK-only data residency. Available on request as a premium enterprise add-on.

Where we are honestly.

We only claim certifications once achieved. Here's where we stand:

  • NHS Data Security and Protection Toolkit — working towards “Standards Met” this cycle
  • Cyber Essentials Plus — in progress
  • ISO 27001 — planned within 12 months

This page will be updated as certifications are achieved.

Questions about security?

To request our DPA, DPIA template, or discuss security requirements for your organisation:

hello@nimblecroft.com

We reply to security enquiries within one working day.