Legal · Cybersecurity

Cybersecurity Policy

Last updated: 15 June 2026

Purpose

This policy describes how Deliverance AI Limited protects the confidentiality, integrity, and availability of information across our business and our platform. It is intended to give customers, partners, and regulators a clear, accurate statement of our cybersecurity posture, and to set the expectations that all staff must meet. It sits beneath our top-level Information Security Policy and summarises the controls operated under our Information Security Management System (ISMS).

Scope

This policy applies to all information assets owned or processed by Deliverance AI, all staff and contractors, all corporate and production systems, and all third parties who access our systems or data. It covers our remote-first corporate environment and the Deliverance AI platform delivered to customers.

Our security model

Security, compliance, and sovereignty are structural properties of how our platform operates, not checks applied after deployment. Our customer-facing security model is built on four principles of trust:

  • Your Data.Customer-sovereign deployment into the customer's own environment, no shared tenancy, and no customer or inference data used to train models.
  • Your Environment. A model-agnostic gateway with no single-vendor dependency, and full real-time visibility of tokens, tool calls, and cost events.
  • Your Control. Real-time kill-switch authority over any agent, workflow, or model, deterministic rollback, and structurally cascaded governance in which no tier can escalate its own permissions.
  • Your Jurisdiction. UK-founded and UK/EU-headquartered, outside the reach of the US CLOUD Act, with data residency controlled by deployment mode.

Platform security is organised across three dimensions: security by AI (threat detection, anomaly monitoring, access-pattern analysis, automated response); security of AI (prompt-injection defence, data-poisoning protection, memory isolation, model-extraction defence); and security of usage (PII redaction, output filtering, policy enforcement, and data-loss prevention).

Email trust@deliverance.ai for further detail of our internal control framework and its mapping to recognised standards.

Governance and accountability

The Chief Information Security Officer owns the ISMS and is accountable for information security across the company. Security roles and responsibilities are defined in our Information Security Roles and Responsibilities documentation and overseen through management review. All staff are responsible for complying with this policy and for reporting security concerns promptly.

Information Security Management System

We operate an Information Security Management System certified to ISO/IEC 27001:2022. The ISMS defines our scope, risk methodology, Statement of Applicability, and a full set of supporting policies, including access control, cryptography, data classification, operations security, secure development, supplier security, and physical and environmental security. Controls are reviewed at least annually and following significant change.

Risk management

We identify, assess, and treat information security risks through a documented risk assessment and treatment process. Risks are recorded in our risk register with assigned owners and treatment plans, reviewed regularly, and escalated to management review where required.

Access control and authentication

Access to systems and data is granted on a least-privilege, need-to-know basis and reviewed periodically. Multi-factor authentication and single sign-on are enforced for corporate systems via our identity provider. Privileged access is restricted, logged, and removed promptly on role change or departure.

Data protection and encryption

Data is classified and handled according to its sensitivity. Data is encrypted in transit and at rest using industry-standard cryptography. Customer data is handled under contract and the applicable Data Processing Agreement; in sovereign and on-premise deployment modes, customer data does not transit Deliverance infrastructure. We do not use customer or inference data to train models.

Secure development

Software is built under a Secure Software Development Lifecycle. Source code is held in access-controlled repositories with branch protection, mandatory peer review, dependency and vulnerability scanning, and secret scanning. Security requirements are considered throughout design, build, test, and release.

Operations, logging, and monitoring

Production systems are hardened, patched, and monitored. Security-relevant events are logged and retained, and anomalies are investigated. Changes follow a controlled change-management process. Backups are taken and protected in line with our continuity arrangements.

Supplier and third-party security

Suppliers and third parties that handle our information or support our services are assessed for security risk before onboarding and managed throughout the relationship under our Supplier and Third-Party Information Security Policy, including appropriate contractual security obligations.

Incident management

Security events are reported, triaged, and managed under our Information Security Incident Response Plan. Personal data breaches are additionally handled under our GDPR incident response process, including regulatory notification within statutory timeframes where applicable. Lessons learned feed back into our controls.

Business continuity

Continuity and recovery of critical services are maintained under our Business Continuity and Disaster Recovery arrangements, including backup, redundancy, and tested recovery procedures. See the Business Continuity and Disaster Recovery Policy.

People security and training

Personnel undergo appropriate screening and are bound by confidentiality and acceptable-use obligations. All staff complete security and compliance training on induction and at least annually, including secure handling of data and safe use of AI tools.

Compliance and assurance

We maintain a register of legal, regulatory, and contractual requirements relevant to information security. Our platform is built to support customer obligations under frameworks including the EU AI Act and GDPR, with adversarial defences mapped to MITRE ATLAS. ISO 9001 and ISO 42001 certifications are in active pursuit, and SOC 2 Type II is on our roadmap.

Policy governance

This policy is owned by the CISO, approved by management, and reviewed at least annually or following significant change. Breach of this policy may result in disciplinary action and, for third parties, termination of the relationship.

The agentic enterprise

Your agents are already running. The only question is who's in control.