AI agents act on your behalf, so trust is the product. Here is how we protect your data and keep every agent we build governed, auditable and under human control.
EU data residency
We design engagements to keep personal and business data within the European Economic Area, on infrastructure we configure per client. Where a sub-processor sits outside the EEA, we apply Standard Contractual Clauses and assess the transfer.
Encryption everywhere
Data is encrypted in transit (TLS) and at rest. Secrets and credentials are stored in managed secret vaults and never placed in code, prompts or logs, since prompt and log content may be sent to a model provider and retained there.
Least-privilege access
Access to client systems and data is role-based, time-bound and logged. Agents are given the narrowest set of tools and permissions needed for their task — nothing more.
Full observability
Every agent action is traced and logged. You get an auditable record of what an agent read, decided and did, so behaviour can be reviewed and explained.
Human in the loop
Consequential actions require human review or approval. You define which steps an agent may take autonomously and which always need a person to sign off.
Vendor-neutral models
We choose the model best suited to each task — commercial or open, hosted where appropriate in your own environment — and avoid lock-in. We do not allow your data to be used to train shared models.
Data minimisation
Agents are grounded only in the data they need. We retain data for the agreed purpose and period, and support deletion and export to meet your obligations.
Continuous evaluation
Before and after deployment we test agents against your real cases with structured evaluations, monitor quality in production, and improve them as a managed service.
Governance model
We treat AI agents as accountable software systems, not black boxes. Each agent we deliver comes with a clear specification of what it is allowed to do, the data it can access, the tools it can call, and the points at which a human must review or approve an action. That specification is agreed with you and enforced in the agent’s design.
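As an added illustration of how such a specification can be enforced in the agent's design rather than only documented (example code written for this page, not Nealphast's own implementation), the Python sketch below routes every tool call through a gateway that checks the tool allowlist, the data scope and the time-bound grant, asks a reviewer before any consequential action, and writes an append-only audit record of what the agent asked for and what was decided. It ties together the least-privilege, observability and human-in-the-loop points above. The tool names, scopes, customer record and the approver callback are constructed assumptions; in a real deployment the approver would block on a ticket or chat approval rather than return immediately.

```python
"""Added example: a tool gateway that enforces an agent specification at the
point where tool calls are dispatched. All names here are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable
import json
import time


class ToolDenied(Exception):
    """Tool not allowlisted, required scope missing, or grant expired."""


class ApprovalRequired(Exception):
    """A consequential action was attempted and the reviewer withheld approval."""


@dataclass(frozen=True)
class ToolSpec:
    name: str
    scope: str                       # data scope the tool needs, e.g. "crm:read"
    requires_approval: bool = False  # True for consequential (write/money) actions
    impl: Callable[..., Any] | None = None


@dataclass(frozen=True)
class AgentSpec:
    agent_id: str
    allowed_tools: frozenset[str]    # the narrowest tool set for the task
    scopes: frozenset[str]           # the data the agent may touch
    valid_until: float               # unix time; access is time-bound


class ToolGateway:
    """Every tool call passes through here; tools are never callable directly."""

    def __init__(self, spec: AgentSpec, registry: dict[str, ToolSpec],
                 approver: Callable[[str, dict], bool], clock: Callable[[], float] = time.time):
        self.spec, self.registry, self.approver, self.clock = spec, registry, approver, clock
        self.audit: list[dict] = []  # append-only record of what was asked, decided and done

    def _record(self, tool: str, args: dict, decision: str, **extra: Any) -> None:
        self.audit.append({"ts": self.clock(), "agent": self.spec.agent_id,
                           "tool": tool, "args": args, "decision": decision, **extra})

    def call(self, tool: str, args: dict) -> Any:
        if self.clock() > self.spec.valid_until:
            self._record(tool, args, "denied", reason="grant expired")
            raise ToolDenied("grant expired")
        if tool not in self.spec.allowed_tools or tool not in self.registry:
            self._record(tool, args, "denied", reason="tool not allowlisted")
            raise ToolDenied(tool)
        ts = self.registry[tool]
        if ts.scope not in self.spec.scopes:
            self._record(tool, args, "denied", reason=f"missing scope {ts.scope}")
            raise ToolDenied(ts.scope)
        # Consequential actions never run on the agent's say-so alone.
        if ts.requires_approval and not self.approver(tool, args):
            self._record(tool, args, "rejected", reason="human approval withheld")
            raise ApprovalRequired(tool)
        result = ts.impl(**args)
        self._record(tool, args, "executed", approved=ts.requires_approval)
        return result

    def audit_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to a log store."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


# Constructed sample tools standing in for real client systems.
CUSTOMERS = {"C-1001": {"name": "A. Example", "plan": "pro"}}

def crm_lookup(customer_id: str) -> dict:
    return CUSTOMERS.get(customer_id, {})

def issue_refund(customer_id: str, amount: float) -> str:
    return f"refund {amount:.2f} issued to {customer_id}"

REGISTRY = {
    "crm_lookup": ToolSpec("crm_lookup", "crm:read", impl=crm_lookup),
    "issue_refund": ToolSpec("issue_refund", "payments:write", True, impl=issue_refund),
    # Registered in the platform but deliberately NOT granted to this agent.
    "delete_record": ToolSpec("delete_record", "crm:write", True, impl=lambda **_: "deleted"),
}

def build_gateway(approver: Callable[[str, dict], bool],
                  now: Callable[[], float] = time.time) -> ToolGateway:
    """Hypothetical support agent: read CRM, refund with approval, one-hour grant."""
    spec = AgentSpec("support-agent", frozenset({"crm_lookup", "issue_refund"}),
                     frozenset({"crm:read", "payments:write"}), now() + 3600)
    return ToolGateway(spec, REGISTRY, approver, now)

def run_demo() -> list[str]:
    """Walk through allowed, approved, rejected and denied calls; return the decisions."""
    # Stand-in reviewer: approves refunds up to 50, rejects anything larger.
    gw = build_gateway(approver=lambda tool, args: args.get("amount", 0) <= 50)
    gw.call("crm_lookup", {"customer_id": "C-1001"})
    gw.call("issue_refund", {"customer_id": "C-1001", "amount": 20})
    for tool, args in (("issue_refund", {"customer_id": "C-1001", "amount": 500}),
                       ("delete_record", {"customer_id": "C-1001"})):
        try:
            gw.call(tool, args)
        except (ToolDenied, ApprovalRequired):
            pass  # the denial itself is the outcome we want recorded
    return [e["decision"] for e in gw.audit]

if __name__ == "__main__":
    print(run_demo())  # ['executed', 'executed', 'rejected', 'denied']
```

The point of the design is that the allowlist, scopes, expiry and approval points live in one `AgentSpec` that is agreed with the client and checked on every call, and that denied and rejected attempts are logged just like executed ones, so the audit trail shows what the agent tried to do and not only what it succeeded in doing.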
Our role & data processing agreements
When we operate agents that process personal data on your behalf, you are the controller and Nealphast acts as a processor under a written Data Processing Agreement (DPA) that sets out the subject matter, duration, nature and purpose of processing, the types of data and categories of data subjects, and the security measures applied — as required by Article 28 GDPR. For our own processing as a controller, see our Privacy Policy.
Sub-processors
We use a small, vetted set of sub-processors — for example cloud hosting and model providers — each under contract with appropriate data-protection terms. We maintain a current list and notify clients of material changes in line with the DPA. [Maintain and link your sub-processor list here.]
EU AI Act readiness
We track the EU AI Act and design agents with its risk-based approach in mind: documenting intended purpose, keeping humans in oversight, logging activity, and helping you classify and govern each use case appropriately. We will work with you to meet obligations relevant to your sector and risk tier.
Incident response
We maintain procedures to detect, contain and investigate security incidents. In the event of a personal-data breach affecting your data, we will notify you without undue delay and support your obligations under Articles 33–34 GDPR, including any notification to the Data Protection Commission where required.
Shared responsibility
Security is a partnership. We secure the agents we build and operate; you control which systems and data we may connect to, and approve the actions agents are permitted to take. We will always recommend the most privacy-protective option that still meets your goal.
Request more detail
For a security questionnaire response, our sub-processor list, or a draft DPA, contact info@nealphast.com.
This page describes our intended security and governance practices and is provided for information. It is not a contractual commitment; specific measures for an engagement are set out in the relevant services agreement and DPA. Bracketed items are to be completed by Nealphast.
Talk to us
Questions about security or compliance?
We’re happy to walk your team through how we’d protect your data and govern your agents.