Trust centre
Security statement.
How Islands AI secures its own systems and the systems we build for clients. Plain language, no theatre.
This website
Served as static files from Cloudflare's global edge network: no application server, no database behind it, no login surface. All traffic is HTTPS. Analytics are cookieless and privacy-preserving (Cloudflare Web Analytics). The site sets no tracking cookies.
Our operations
Administrative access to all systems is protected by multi-factor authentication. Access follows least privilege. Secrets and credentials live in controlled storage, not in code or messages. Email is authenticated with SPF and DMARC. All code changes are version-controlled with a permanent history, and every production deployment is retained for instant rollback.
Client systems we build
Security is designed in, not audited in afterwards: encryption in transit as standard, role-based access, human approval gates on consequential actions, and audit logging of inputs, outputs and decisions. Data flows are documented before go-live. Where requirements demand it, systems run on-island or fully on-premise on dedicated hardware, so client data never leaves the client's environment.
Subprocessors
| Provider | Purpose | Certifications |
|---|---|---|
| Cloudflare | website and edge infrastructure | SOC 2, ISO 27001 |
| Google Workspace | email and documents | SOC 2, ISO 27001 |
| Anthropic | AI models | SOC 2 |
| OpenAI | AI models | SOC 2 |
| Cal.com | meeting booking | SOC 2 |
| Resend | transactional email | SOC 2 |
| Telnyx | telephony (voice deployments) | SOC 2 |
Client engagements use only the subprocessors that engagement needs, documented per project. Data processing agreements are available on request.
Data residency
By default our infrastructure runs in UK, EU and US regions operated by the providers above, with appropriate safeguards for any transfer. Where a client requires it, we deploy island-hosted or fully on-premise, and we document exactly what, if anything, leaves the client's environment. Residency is a design decision we make with you, not a default you discover later.
Responsible disclosure
If you believe you have found a security issue in anything we operate, email [email protected] with the subject 'Security'. We acknowledge within two working days, we will not pursue good-faith research, and we credit researchers who wish to be named.
Incidents
If an incident affects a client or individuals' data, we notify them promptly with what we know, what we have done, and what happens next, and we notify the Office of the Data Protection Authority where the law requires it.