Trust Center

Security you can verify.

TYTEN runs the back office for facilities management companies, which means we handle your contracts, your suppliers, and your documents. Protecting that data is the product, not an add-on. This is how we do it, what we are certified for, and where you can get the detail.

  • Encrypted in transit & at rest
  • UK & EU data residency
  • 24/7 monitoring
  • Least-privilege access

Last reviewed 5 June 2026

Built secure, by default.

We don't bolt security on at the end. Every part of the platform, from the cloud it runs on to the way an engineer's job sheet is processed, is designed so that your data is encrypted, access is limited to who genuinely needs it, and everything is logged and monitored.

Protect

Strong encryption, hardened infrastructure and a web application firewall on every public service mean your data stays confidential at rest and in transit.

Limit

Least-privilege access, scoped roles and secrets held in a managed vault. Administrative access is brokered, multi-factor and audited, never an open door.

Monitor

Centralised audit logging, continuous availability and error monitoring, and alerting so issues are caught and acted on, around the clock.

Govern

UK GDPR compliance, a clear sub-processor list, vendor due diligence and a documented incident-response process underpin everything we build.

Where we stand today.

We are transparent about what is achieved and what is in progress. The badges below reflect our current status, not aspirations. We will update this page as each programme completes.

UK GDPR
Compliant

We process personal data in line with the UK GDPR and Data Protection Act 2018. A Data Processing Agreement is available on request.

ISO 27001
Auditing

We operate to controls aligned with ISO 27001 and our certification audit is underway; our security overview is available on request.

SOC 2
Auditing

A SOC 2 examination is underway. We can walk prospective clients through our controls under NDA in the meantime.

What we actually do.

A concrete, current view of the controls in place across our infrastructure, data handling, access management and software development.

Infrastructure & network

  • Hosted on Amazon Web Services in the UK (London region), with UK and EU data residency.
  • Customer-facing workloads run on isolated, dedicated hosts, segregated from internal and public services.
  • Network access restricted by security groups; enforced encrypted instance metadata (IMDSv2).
  • Web application firewall (ModSecurity with the OWASP Core Rule Set) and automated intrusion mitigation on public endpoints.
  • Infrastructure defined and managed as code, with full change history and review.

Encryption & data protection

  • TLS 1.2 and 1.3 only for all data in transit, with modern cipher suites and HTTPS enforced everywhere.
  • Data encrypted at rest using AWS KMS-managed keys across storage volumes, object storage and secrets.
  • Data minimisation: we process only the information needed to run your back office.
  • Regular, encrypted backups with defined retention periods.

Access control & monitoring

  • Least-privilege identity and access management, scoped per service.
  • No public SSH to production hosts; administrative access is brokered through AWS Systems Manager and logged.
  • Multi-factor authentication on administrative access; secrets stored in AWS Secrets Manager, never in code.
  • Centralised audit logging to AWS CloudWatch, with access logs retained 90 days and audit logs 365 days.
  • Continuous availability and error monitoring with automated alerting.

Application & development security

  • Secure development lifecycle: every change is peer-reviewed and passes automated code review and security analysis before release.
  • Deployments are verified before being declared live; changes are released through controlled pipelines.
  • Dependency and configuration hygiene maintained continuously.
  • Regular penetration testing and a structured vulnerability-management process.

Organisational & governance

  • Confidentiality obligations for all personnel and contractors.
  • Due diligence on vendors and sub-processors before they touch customer data.
  • Documented incident-response process with defined roles and escalation.
  • Change management and segregation between development and production data.

Resilience & availability

  • Automated health checks and self-healing protections against resource exhaustion.
  • Encrypted backups enable recovery of customer data.
  • Proactive uptime monitoring of public services with alerting on failure.

Your data stays yours.

TYTEN is an AI workforce, so we are deliberate about how data flows through automated processing. The principles below govern every AI-assisted workflow on the platform.

No training on your data

AI providers are used only as part of our automated workflows, under enterprise terms with no model training on your data.

Human oversight

Automated workflows operate within defined guardrails and are designed for human review, not unchecked autonomy on irreversible actions.

Data subject rights

We support access, correction and deletion requests under the UK GDPR, and act on documented client deletion instructions on contract termination.

Processing agreement

We act as a data processor for the client data we handle. A Data Processing Agreement and our Privacy Policy are available to every client.

Configurable for strict compliance

For highly sensitive data, or customers with specific regulatory and compliance requirements, individual platform features can be disabled or restricted to meet those requirements. We work with you to configure the platform to your compliance posture.

Who helps us run the service.

We rely on a small set of reputable providers to deliver the platform. Each is assessed before onboarding and bound by data-protection terms. A complete, named list of sub-processors is available on request.

| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting, storage, key management and infrastructure. | UK / EU |
| Microsoft 365 | Mailbox and document integrations used to ingest work-order correspondence. | UK / EU |
| Enterprise AI providers | Automated workflow processing under enterprise terms, with no model training on your data. | EU / US |
| Google Analytics | Aggregate, consent-based website traffic analytics (visitor data only; not customer back-office data). | EU / US |
| Cal.com | Demo scheduling for prospective customers. | EU / US |

Get the detail.

Public policies are available below. Confidential documentation, including our security overview and Data Processing Agreement, is shared with prospective and current customers on request.

  • Privacy Policy (Public): How we collect, use and protect personal data across our website and platform.
  • Terms of Use (Public): The terms governing use of the TYTEN platform and services.
  • Security Overview (On request): A detailed description of our controls, architecture and security programme.
  • Data Processing Agreement (On request): Our standard DPA covering processing of personal data under the UK GDPR.
  • Penetration test summary (On request): An executive summary of our most recent independent penetration test.
  • Sub-processor list (On request): The complete, named list of sub-processors and the data each handles.

Security FAQ

Where is our data hosted?
On Amazon Web Services in the UK (London region), with data residency kept within the UK and EU. Customer-facing workloads run on isolated, dedicated hosts.

Do you use our data to train AI models?
No. AI providers are used only as part of our automated workflows, under enterprise terms with no model training on your data.

Who can access our data?
Access follows least-privilege principles and is limited to personnel who need it to operate the service, all under confidentiality obligations. Administrative access to production is brokered, multi-factor and audit-logged, with no public SSH.

Is our data encrypted?
Yes. Data is encrypted in transit using TLS 1.2/1.3 and at rest using AWS KMS-managed keys, across storage, object storage and secrets.

Can features be restricted for stricter compliance?
Yes. For highly sensitive data or customers with specific regulatory and compliance requirements, we can disable or restrict individual platform features so the service meets those requirements. Tell us what your programme needs and we will configure the platform to your compliance posture.

How do we get your DPA or security documentation?
Email privacy@tyten.ai and we will share our Data Processing Agreement, security overview and other documentation, under NDA where appropriate.

What happens to our data if we leave?
On contract termination we act on your documented deletion instructions and remove customer data in line with the terms of our Data Processing Agreement and applicable retention requirements.

Found a security issue? Tell us.

We welcome reports from security researchers and customers. If you believe you have found a vulnerability, please email us with the details and steps to reproduce. We will acknowledge your report, investigate, and keep you updated. Please give us reasonable time to remediate before any public disclosure, and avoid accessing or modifying data that is not yours.