Security and governance

Your data stays under your control

The right response to giving a third party access to your operations is scrutiny. Here is exactly what we access, how we protect it, and how you stay in control.

How data moves

Cloud-hosted systems
We connect via official vendor APIs over HTTPS. We never touch your internal network. No firewall changes. No inbound connections.
Self-hosted systems
Encrypted mesh VPN. Your IT team installs a lightweight connector. Outbound connection only. End-to-end encrypted. One-click revocation.
Authentication
OAuth2 everywhere. You authorise via the vendor's consent screen. We never see or store passwords. Tokens scoped to minimum permissions.
Accounting access only
We connect to your accounting software via its official API. Read access to invoices, bills, contacts, and statements where needed for analysis. No payment initiation. No direct bank credentials. Scope agreed per engagement.
Encryption
In transit: TLS 1.3. At rest: AES-256. Credentials in a dedicated secrets manager. Key rotation enforced.
Tenant isolation
We host all client environments on our own managed infrastructure. Each client gets separate schemas, queues, and connectors. Isolation is architectural, not policy-based. Your tenant is monitored, secured, and maintained by us — your data inside it is governed by your engagement terms.

Personally identifiable information

Most of what we build moves data directly between your platforms. No external processing sees it.

For managed processing, the data is tokenised before it reaches any processing engine.

"John Smith at Acme Ltd, invoice INV-2024-0847 for £14,200"
"PERSON_1 at COMPANY_1, invoice REF_1 for AMOUNT_1"

The processing engine works with structure and logic. It never sees the real data. After processing, the tokens in its output are mapped back to the original values, and that mapping never leaves your tenant.
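To make the tokenisation step above concrete, here is an added illustrative implementation (not Afferentic's code): a per-tenant vault that swaps known contact names, invoice references and amounts for placeholder tokens, keeps the mapping on the tenant side, and re-maps the engine's output. The regexes, and the assumption that the name lists come from the contact records the connector already reads, are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed example of reversible PII tokenisation. The vault (the real
# value <-> token mapping) stays in the tenant; only tokenised text goes to
# the processing engine, and only the engine's tokenised output comes back.

REF_RE = re.compile(r"\bINV-\d{4}-\d{4}\b")            # assumed invoice format
AMOUNT_RE = re.compile(r"£\d[\d,]*(?:\.\d{2})?")         # assumed currency format
TOKEN_RE = re.compile(r"\b(PERSON|COMPANY|REF|AMOUNT)_(\d+)\b")


@dataclass
class TokenVault:
    """Per-engagement mapping between real values and placeholder tokens."""
    people: set       # contact names, assumed to come from the contacts API
    companies: set    # company names, same assumption
    _forward: dict = field(default_factory=dict)   # real value -> token
    _reverse: dict = field(default_factory=dict)   # token -> real value
    _counters: dict = field(default_factory=dict)  # next index per token kind

    def _token(self, kind, value):
        # The same real value always gets the same token within an engagement,
        # so the engine can still reason about "the same supplier" across records.
        if value not in self._forward:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            tok = f"{kind}_{self._counters[kind]}"
            self._forward[value] = tok
            self._reverse[tok] = value
        return self._forward[value]

    def tokenise(self, text):
        # Longest names first, so "Acme Ltd" is replaced before a shorter "Acme".
        for name in sorted(self.people, key=len, reverse=True):
            text = text.replace(name, self._token("PERSON", name))
        for name in sorted(self.companies, key=len, reverse=True):
            text = text.replace(name, self._token("COMPANY", name))
        text = REF_RE.sub(lambda m: self._token("REF", m.group(0)), text)
        text = AMOUNT_RE.sub(lambda m: self._token("AMOUNT", m.group(0)), text)
        return text

    def detokenise(self, text):
        # Re-map tokens in the engine's output. A token the vault never issued
        # is left visible rather than silently substituted, so it can be caught.
        return TOKEN_RE.sub(lambda m: self._reverse.get(m.group(0), m.group(0)), text)
```

The engine only ever receives the output of `tokenise`, and the vault instance (with its `_reverse` mapping) is the only thing that can turn its response back into real names and figures.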

Your data is never used to train any system.

How the system learns without extracting your data

Our systems improve over time. That requires seeing operational data. Here is exactly how that works — and where the boundaries are.

We host it. It is yours.
Afferentic runs dedicated, segregated infrastructure for every client. Your connectors, orchestration logic, workflow state, and learned patterns all live in an isolated tenant on our platform — separate schemas, separate queues, separate processing. No other client's data touches yours. This is our infrastructure, managed and monitored by us, but the data and the logic inside it belong to your engagement.
Pattern detection runs in your dedicated tenant
The orchestration layer — which connects to your systems via your authorised APIs — watches for anomalies in your operational data. A supplier whose lead times are creeping. A client whose ordering has dropped. This layer sees real data because it has to. It runs in your isolated tenant on our infrastructure, not shared with anyone else.
Managed processing never sees the real data
When the system needs reasoning or judgement — classifying an invoice, drafting a response — the data is tokenised first. The processing engine sees structure and logic, not names and amounts. This is the layer shown in the tokenisation example above.
Learning stays in your tenant
The system builds its baseline of what is normal for your business, within your dedicated tenant. Your seasonal patterns, your exception rates, your supplier behaviour — all observed and retained in your isolated environment. Nothing is shared with other clients or extracted to a central pool.
Cross-client insight uses statistics, not data
The only thing that crosses the tenant boundary is anonymous aggregate patterns — frequencies and thresholds, never raw data. "Businesses of your type commonly see X" — with no company names, no figures, no identifiers. These are offered as suggestions, never applied automatically.

Think of it like a GP practice. The practice owns the building, the records system, and the security around it. But each patient's records are theirs — private, auditable, and destroyed or transferred when the relationship ends. We host the infrastructure. Your data stays yours.

How Afferentic outcomes are governed

Outcomes only run when triggered
Every action starts from a defined event. The outcome does not decide when to run. The workflow definition does.
Human approval on consequential actions
Money, client comms, or decisions with consequences route through your team first. You set the threshold.
Everything is reversible
No data deleted. No irreversible changes without sign-off. The fallback is always the status quo.
Full audit trail
Every action logged. Immutable. Exportable. Designed for SOC 2 and ISO 27001.
You can stop anything
Pause, skip, or force-run any outcome with one click. You are in control.
Scope is locked
Each connector accesses only what is documented in the playbook. No backdoor. No scope creep.

Infrastructure and certifications

Dedicated hosting
Dedicated infrastructure. MFA enforced. No default credentials. Automated vulnerability scanning.
Certifications
Cyber Essentials Plus and CREST penetration test — both completing ahead of first client engagement. No client data is processed until both are in place. SOC 2 Type II observation begins in our second year of trading.
Incident response
Client notification within 1 hour. ICO within 72 hours. Professional indemnity (PI) and cyber liability insurance.
Exit and handover
Full documentation. Handover within 30 days. Standard APIs. Credentials rotated. Data purged within 30 days.

For your IT team

The four questions that matter most — answered directly.

Where does our data go?
Cloud systems: directly between your platforms — not through us. Self-hosted: encrypted mesh VPN, outbound only. Managed processing: dedicated instance, UK-hosted, PII tokenised before processing (see above). Pattern detection and learning run in your dedicated, isolated tenant on our infrastructure — segregated from all other clients, using your real data through your authorised APIs. No public services. No data used for training.
What access do you need?
No admin credentials. Delegated permissions only, scoped to specific API endpoints. Your IT team authorises each connection via the vendor's standard consent flow. Each connector is independent — revoke one without affecting the others.
What if something goes wrong?
Client notification within 1 hour. We hold minimal data — workflow definitions and anonymised processing logs, not your client database. Every action is reversible. The fallback is always the status quo.
What happens when we leave?
Everything documented. Full handover within 30 days. Standard APIs — no proprietary lock-in. All credentials rotated. All client data purged with written confirmation.

A detailed technical annex covering VPN specifics, connector architecture, audit log retention, and business continuity is available for your IT team under NDA.