Security is not an add-on.
It's the default.
WayaNerd is UK GDPR compliant by default. Every deployment runs in UK data residency (AWS London / Azure UK South), is encrypted at rest (AES-256) and in transit (TLS 1.3), ships with a signed Data Processing Agreement as standard, and is contractually guaranteed never to be used to train AI models.
Our Security Stack
What we ship with every deployment
Six security controls that come as standard, not as an enterprise upgrade, on every plan from the £50/month Starter to custom Enterprise.
UK data residency
Client data processed and stored within the United Kingdom by default — AWS London and Azure UK South regions. EU region fallback available where commercially required. No data leaves the UK/EU perimeter without a signed amendment.
Encryption at rest and in transit
AES-256 encryption for data at rest across all storage layers. TLS 1.3 for data in transit. HSTS with a 2-year max-age and preload eligibility. Keys managed through AWS KMS / Azure Key Vault, with customer-managed key options on the Enterprise tier.
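The HSTS claim above is checkable. The added example below (written for this page, not WayaNerd's own tooling) parses a Strict-Transport-Security header and tests it against the published preload-list rules: a max-age of at least 31536000 seconds (one year), plus the includeSubDomains and preload directives. The two-year value the page describes is 63072000 seconds. The sample headers are constructed; a real preload submission additionally requires the header to be served over HTTPS on the base domain with an HTTP-to-HTTPS redirect, which this offline check cannot see.

```python
"""Check a Strict-Transport-Security header against HSTS preload-list rules.

Added example, not WayaNerd's code. Directive names are case-insensitive
(RFC 6797); quoted values are tolerated. Only header syntax is checked.
"""
from typing import Optional

ONE_YEAR = 31_536_000          # minimum max-age for preload submission
TWO_YEARS = 2 * ONE_YEAR       # 63072000, the value the page describes


def parse_hsts(header: str) -> dict[str, Optional[str]]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a dict.

    Keys are lower-cased directive names; value is None for flag directives.
    """
    directives: dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def hsts_findings(header: str) -> list[str]:
    """Return the list of problems; an empty list means preload-eligible syntax."""
    d = parse_hsts(header)
    problems: list[str] = []
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        problems.append("max-age missing or not an integer")
    else:
        max_age = int(raw)
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} below preload minimum {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers: a weak setting and the corrected one.
WEAK_HEADER = "max-age=300"
STRONG_HEADER = f"max-age={TWO_YEARS}; includeSubDomains; preload"

if __name__ == "__main__":
    for h in (WEAK_HEADER, STRONG_HEADER):
        print(h, "->", hsts_findings(h) or "preload-eligible")
```

A short max-age is the common mistake: browsers honour it, but the preload list will not accept it, and the protection lapses on every client that stays away longer than the max-age.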
No data used to train AI models
Client data is never used to train foundation models or fine-tune shared models. All AI providers (OpenAI, Anthropic, Azure OpenAI) are contracted under zero-retention, no-training agreements. Model outputs use client data in-context only — nothing is retained for model improvement.
Principle of least privilege
Role-based access control across all systems. Per-client tenant isolation. Break-glass admin access is logged and time-limited. Staff access to client data is audited, documented, and minimised to contractual necessity.
Signed DPA with every client
Every engagement ships with a UK GDPR-compliant Data Processing Agreement as standard — not as an upgrade. Standard Contractual Clauses and UK Addendum where cross-border transfers apply. Sub-processor list available on request.
AI-specific risk controls
Prompt injection defences, PII redaction before model calls, output filtering for sensitive content, per-tenant model isolation, rate limiting, anomaly detection on usage patterns. We treat AI risk as a first-class operational concern, not a bolt-on.
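"PII redaction before model calls" and "output filtering" are the two controls above that reduce to code. The added example below (written for this page, not WayaNerd's implementation) shows one way to do it: PII is swapped for stable placeholders before the prompt leaves the tenant, the placeholder map never crosses the trust boundary, and the response is checked for raw PII before the placeholders are restored. It recognises e-mail addresses, UK National Insurance numbers and NHS numbers, and uses the NHS number's modulus-11 check digit to avoid redacting ordinary ten-digit values such as invoice numbers. The patient record and the model stub are constructed; names are left alone because free-text name detection needs an NER model, which is out of scope here.

```python
"""Reversible PII redaction around an LLM call, with an output filter.

Added example, not WayaNerd's code. Regexes and the check-digit rule are
the only detection used; a production pass would add NER for names.
"""
import re
from typing import Callable

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# UK National Insurance number: two letters, six digits, suffix A-D, optional spaces.
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# Candidate NHS number: ten digits, optionally grouped 3-3-4. Validated below.
NHS_CANDIDATE_RE = re.compile(r"\b\d{3} ?\d{3} ?\d{4}\b")


def nhs_number_valid(candidate: str) -> bool:
    """Modulus-11 check digit used by NHS numbers.

    Weights 10..2 over the first nine digits; check = 11 - (sum mod 11),
    with 11 -> 0 and 10 -> invalid. Rejects arbitrary ten-digit strings.
    """
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == digits[9]


def redact_pii(text: str) -> tuple[str, dict[str, str]]:
    """Replace PII with placeholders like <EMAIL_1>; return text and the map.

    The map stays on the client side and is never included in the prompt.
    """
    mapping: dict[str, str] = {}

    def token_for(kind: str, value: str) -> str:
        for tok, seen in mapping.items():      # reuse token for repeats
            if seen == value:
                return tok
        tok = f"<{kind}_{len(mapping) + 1}>"
        mapping[tok] = value
        return tok

    text = EMAIL_RE.sub(lambda m: token_for("EMAIL", m.group(0)), text)
    text = NINO_RE.sub(lambda m: token_for("NINO", m.group(0)), text)
    text = NHS_CANDIDATE_RE.sub(
        lambda m: token_for("NHS", m.group(0)) if nhs_number_valid(m.group(0)) else m.group(0),
        text,
    )
    return text, mapping


def rehydrate(model_output: str, mapping: dict[str, str]) -> str:
    """Put the original values back in place of the placeholders."""
    for tok, value in mapping.items():
        model_output = model_output.replace(tok, value)
    return model_output


def output_contains_raw_pii(model_output: str) -> bool:
    """Output filter: the model only ever saw placeholders, so any raw PII in
    its reply was leaked from elsewhere or invented, and the reply is blocked."""
    if EMAIL_RE.search(model_output) or NINO_RE.search(model_output):
        return True
    return any(nhs_number_valid(m.group(0)) for m in NHS_CANDIDATE_RE.finditer(model_output))


def summarise_with_redaction(text: str, call_model: Callable[[str], str]) -> str:
    """Redact, call the model with placeholders only, filter, then restore."""
    redacted, mapping = redact_pii(text)
    out = call_model(redacted)
    if output_contains_raw_pii(out):
        raise ValueError("model output contained raw PII; blocked")
    return rehydrate(out, mapping)


# Constructed sample: one valid NHS number, one ten-digit invoice number that
# fails the check digit and must survive untouched.
SAMPLE = ("Patient Joan Smith (NHS 943 476 5919, joan.smith@example.org, "
          "NI QQ 12 34 56 C) asked about invoice 1234567890 dated 2024.")

if __name__ == "__main__":
    redacted, mapping = redact_pii(SAMPLE)
    print(redacted)                       # placeholders, invoice number intact
    print(summarise_with_redaction(SAMPLE, lambda prompt: "Summary: " + prompt))
```

The model stub simply echoes its prompt; swapping in a real provider call changes nothing about the boundary, since only the redacted string is passed to it.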
Compliance & Alignment
Standards we align to
UK GDPR compliant
Registered as Data Controller (ICO registration). Full UK GDPR Article 30 records. ICO transparency and accountability principles followed by default.
Cyber Essentials aligned
Cyber Essentials certification in progress (2026). All five technical controls already in place: firewalls, secure configuration, access control, malware protection, patch management.
ISO 27001 aligned
Information security management system designed to ISO 27001:2022 standards. Formal certification on the Enterprise roadmap as the client base scales.
SOC 2-grade controls
Security, availability, and confidentiality controls operated to SOC 2 Type II standards. SOC 2 report available for Enterprise-tier clients on request.
Regulated Sectors
Built for UK regulatory context
We tailor the security posture to the regulated sector you operate in. Contact us for a sector-specific security pack.
Healthcare & NHS suppliers
DSPT (Data Security and Protection Toolkit) aligned. Compatible with NHS Digital standards. Clinical-safety-aware delivery where required (DCB0129 / DCB0160 alignment on request).
Financial services
FCA Consumer Duty ready. Aligned with SYSC 8 outsourcing expectations, so suitable for firms under PRA or FCA supervision. EBA Guidelines on outsourcing arrangements considered for cross-border engagements.
Legal & professional services
SRA confidentiality requirements and UK GDPR obligations met. Privileged information handling protocols. Conflict-of-interest screening on engagement.
Public sector
G-Cloud framework aligned (Cyber Essentials is the gateway). Crown Commercial Service supplier registration in progress. Compatible with Digital Marketplace procurement.
Report a security issue
If you believe you've found a security issue with WayaNerd or any of our deployments, we want to hear from you. Responsible disclosure is welcomed and acknowledged within 24 hours.
hello@wayanerd.co.uk
PGP public key available on request for sensitive reports
Security FAQs
Questions we get a lot
Is client data used to train AI models?
No. Never. Client data is not used to train foundation models or fine-tune shared models. All AI providers we use (OpenAI, Anthropic, Azure OpenAI) are contracted under zero-retention, no-training agreements. Your data enters the model in-context and leaves with the response; nothing is retained for model improvement.
Where is client data stored and processed?
By default, within the United Kingdom, in the AWS London and Azure UK South regions. EU regions (AWS Dublin or Azure West Europe) are available where commercially required. Cross-border transfers outside the UK/EU happen only with a signed contract amendment and the applicable UK transfer mechanism (IDTA, or the UK Addendum to the EU Standard Contractual Clauses).
Do you sign a Data Processing Agreement?
Yes. A UK GDPR-compliant DPA is standard with every engagement, not an upgrade. Our template DPA covers Article 28 processor obligations, Standard Contractual Clauses for any onward transfers, and the UK Addendum (IDTA / Addendum to the EU SCCs) where required.
Can we see your sub-processor list?
Yes. A current sub-processor list (including AI model providers, cloud infrastructure, and operational tooling) is available on request and maintained with 30 days' advance notice of any material changes.
What happens if there is a security incident?
We operate a documented incident response process with clear escalation paths. Incidents involving client personal data trigger notification to the affected client within 24 hours, which leaves the client well inside the 72-hour window UK GDPR Article 33 gives a controller to notify the ICO. We coordinate with the client on ICO notification decisions where required.
How do we report a security issue?
Email hello@wayanerd.co.uk with subject line 'SECURITY'. Responsible disclosure is welcomed; we will acknowledge receipt within 24 hours. A PGP public key is available on request for sensitive reports.
Are you Cyber Essentials certified?
Certification is in progress in 2026. All five technical controls required for certification are already in place (firewalls, secure configuration, user access control, malware protection, and patch management). Certification status is updated on this page once formally issued.
Do you support regulated sectors?
We tailor the security posture to the regulatory context: DSPT for NHS suppliers, FCA Consumer Duty and SYSC 8 for financial services, SRA standards for legal, G-Cloud alignment for public sector. Contact us for a sector-specific security pack.
See where AI cuts cost in your business.
Run the free Scorecard and we'll send back a costed read on the two workflows where AI pays for itself fastest — or book the 5-day Operations Sprint and we'll build it.