Security & confidentiality

Professional services firms hold sensitive, privileged, often regulated information. We've built the way we work around protecting it - here's how, in plain terms.

How we handle your data

The simplest way to keep client data safe is not to move it in the first place. Our build process is designed around that principle.

Your production data stays where it is

We don't copy your live client data into our development environment. It stays in your production systems, under your control — not replicated, not moved, not stored by us.

We build and test with synthetic data

During development we work with synthetic data that represents the shape of the real thing, without being the real thing. It lets us build and test properly without ever handling your actual client information.

Production access stays tightly controlled

Access to live systems is restricted and granted by you. Where production access is limited to the UK or Europe, our Colombo engineering team does not access those systems.

We deploy through code, not manual access

Rather than logging into your production environment to configure things by hand, we build the infrastructure and configuration as code, which is then run within your environment to create what's needed. Fewer hands on live systems, full auditability.

Even bugs are handled at arm's length

If something needs investigating in production, we don't reach into your live database. We work through someone who already has access, diagnose indirectly, and recreate the issue locally with synthetic data. Real data carries leakage risk even in development — so we design that risk out.

Your information stays confidential

Your data and confidential information are protected

Anything specific to your firm - your data, your documents, your processes, your commercially sensitive information - is treated as confidential and is never shared with or exposed to another client.

What we deliver is yours to use

You receive full use of the systems we build for you, for your business, on agreed terms. The specifics we create around your firm's needs are yours.

We bring our own tools and experience

Like any experienced partner, we reuse our own underlying methods, frameworks and general components across engagements - it's part of how we move quickly and reliably. Your confidential information is never part of that.

How we work day to day

Alongside the data model above, we follow sensible working practices on every engagement.

  • Least-privilege access. People get access only to the systems and data they need for the work in front of them — nothing more.
  • Private, permissioned repositories. Code lives in private version control with access controlled and changes auditable.
  • Two-factor authentication on the accounts and tools we use to work with you.
  • Encrypted communication in transit, over secure channels.
  • We work within your governance. Where your firm has its own security policies and processes, we operate inside them rather than around them.

Questions from your IT or risk team?

We're happy to talk through any of this in detail, complete a security questionnaire, or work within your firm's own data-protection requirements. Just ask.
