Trust
This page describes how Priam Cyber AI Ltd protects information processed through priam.ai. It is the operational counterpart to our Privacy Notice: where Privacy explains what we collect and why, this page explains how we secure it, who has access, and what happens when something goes wrong.
We treat this page as a working document. As our infrastructure matures and our compliance posture advances, we update it. Significant changes are dated.
1. Posture summary
| Domain | Current state |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all public endpoints |
| Encryption at rest | Sub-processor-managed (Microsoft 365, Cloudflare, GitHub) |
| Authentication | Multi-factor authentication required on all administrative accounts |
| Data residency | Primary processing in UK and EEA |
| Compliance roadmap | Working towards SOC 2 Type 2 and ISO 27001 certification |
| Incident notification | Within 72 hours of discovery for personal data incidents (UK GDPR Article 33) |
| Responsible disclosure | [email protected], 90-day coordinated disclosure |
2. Sub-processors
We use a small set of carefully selected sub-processors to operate the marketing site. Each is contractually bound to GDPR-aligned terms.
| Sub-processor | Purpose | Jurisdiction | Security documentation |
|---|---|---|---|
| Microsoft Corporation | Microsoft 365 mailbox hosting (hello@, briefings@, trial@) | EU and UK (Microsoft EU Data Boundary) | aka.ms/STP |
| Cloudflare, Inc. | DNS, edge CDN, Cloudflare Pages hosting, bot management, TLS termination | Global edge; EU localization where supported | cloudflare.com/trust-hub |
| GitHub, Inc. | Source code hosting in a private repository | United States (with EU-aligned subprocessor terms) | github.com/security |
| Stripe Payments UK Ltd | Payment processing for /trial (Phase 5 — not yet active) | United Kingdom | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery (Phase 5 — not yet active) | United States, EU-aligned subprocessor terms | resend.com/legal |
| Microsoft Corporation (Azure) | Self-hosted Plausible Analytics instance (Phase 6 — planned) | United Kingdom (Azure UK South region) | azure.microsoft.com/trust-center |
When we add or change a sub-processor that materially affects how personal data is processed, we update this list and our Privacy Notice.
3. Data residency
We aim to keep personal data within the United Kingdom and the European Economic Area:
- Microsoft 365 mailboxes: EU/UK data centres under Microsoft's EU Data Boundary commitments
- Cloudflare: EU data localization applied where supported; some operational metadata (DNS resolution, bot scoring) transits Cloudflare's global anycast network
- GitHub source repository: stored on GitHub infrastructure (US primary)
- Self-hosted Plausible Analytics (planned, Phase 6): Microsoft Azure UK South region
Where any sub-processor transfers personal data outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. Transfer impact assessments are available on request to [email protected].
4. Encryption
| Component | In transit | At rest |
|---|---|---|
| priam.ai (public site) | TLS 1.2+ via Cloudflare-managed certificates; HSTS enabled | Static content, no personal data stored at the edge |
| Form submissions | TLS 1.2+ end-to-end to Microsoft 365 / (Phase 5) Cloudflare Pages Functions | Sub-processor-managed encryption (Microsoft BitLocker for mailboxes) |
| Email correspondence | Opportunistic TLS via Microsoft 365; DKIM-signed for priam.ai outbound | Microsoft 365 default encryption |
| Source code | TLS to GitHub | GitHub default encryption at rest |
| Plausible Analytics (planned) | TLS 1.3 via Caddy reverse proxy | Azure managed disk encryption |
We do not hold encryption keys for sub-processor-managed services. We rely on each sub-processor's published key management practices.
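The table above states a transport baseline for the public site (TLS 1.2 or newer, HSTS enabled). The following check is an added example, not Priam Cyber AI's own tooling: it takes the negotiated TLS protocol name (as Python's `ssl.SSLSocket.version()` reports it) and a response header map, parses the `Strict-Transport-Security` header, and returns any deviations from that baseline. The header values and protocol names in the block are constructed inputs, not captures from priam.ai, and the 180-day `max-age` floor is this example's own choice rather than a figure from this page.

```python
"""Check a web endpoint's transport posture against a stated baseline:
TLS 1.2 or newer negotiated, plus an HSTS header with a meaningful max-age.

Added example; not Priam Cyber AI's tooling. All sample values below are
constructed. Live use would fetch the protocol name and headers with the
ssl and http.client modules; this block runs offline on the samples.
"""
from typing import Dict, List, Optional

# Protocol names as returned by ssl.SSLSocket.version(), ranked for comparison.
TLS_RANK = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}
MIN_TLS = 1.2
MIN_HSTS_AGE = 15552000  # 180 days; an assumed floor, not a value from the page


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security header into its directives.

    Directive names are case-insensitive (RFC 6797 section 6.1). Valueless
    flags such as includeSubDomains and preload map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def assess_transport(tls_version: str, headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings: List[str] = []

    rank = TLS_RANK.get(tls_version)
    if rank is None:
        findings.append(f"unrecognised TLS protocol name: {tls_version!r}")
    elif rank < MIN_TLS:
        findings.append(f"{tls_version} negotiated; baseline requires TLS 1.2 or newer")

    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header; HSTS not enabled")
        return findings

    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age directive missing or non-numeric")
    elif int(max_age) == 0:
        findings.append("HSTS max-age=0 disables the policy")
    elif int(max_age) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age={max_age} is shorter than {MIN_HSTS_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS policy does not cover subdomains (no includeSubDomains)")
    return findings


# Constructed sample responses (not live captures) covering the three outcomes.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=0"}
NONE: Dict[str, str] = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, version, hdrs in (("good", "TLSv1.3", GOOD),
                                 ("weak", "TLSv1.2", WEAK),
                                 ("legacy", "TLSv1.1", NONE)):
        print(label, assess_transport(version, hdrs) or "OK")
```

Running the block prints one line per sample: the first meets the baseline, the second shows that a present but zeroed HSTS header is as bad as none, and the third reports both a downgraded protocol and a missing header. Wiring `assess_transport` to a real connection means reading `sock.version()` from an `ssl`-wrapped socket and the headers from the `http.client` response; the logic itself does not change.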
5. Access controls
Access to systems that handle personal data is limited to the two founders of Priam Cyber AI Ltd:
- Microsoft 365 admin: multi-factor authentication enforced on every login
- Cloudflare account: multi-factor authentication enforced
- GitHub repository (private): multi-factor authentication enforced; branch protection on the main branch
- Domain registrar (Namecheap): multi-factor authentication enforced
- AVA SaaS production: governed by separate policies in the AVA product environment, outside the scope of this page
Account separation: marketing site infrastructure (DNS, hosting, source) is operated under accounts distinct from any individual founder's personal accounts. Where shared mailboxes are used (briefings@, trial@), permissions are explicitly granted per individual rather than via shared credentials.
6. Compliance roadmap
Priam Cyber AI Ltd is working towards two formal certifications. Neither is currently in audit:
- SOC 2 Type 2 — we are establishing the operational controls required for SOC 2 Type 2 (Trust Services Criteria for Security, Availability, Confidentiality). Audit engagement is planned but not yet underway. The current engagement timeline will be added to this page once finalized.
- ISO 27001 — we are evaluating the controls and Statement of Applicability required for ISO 27001 certification. Certification body engagement is planned but not yet underway.
We intentionally do not claim "in progress" status until a formal audit window is open. We will update this page when each engagement begins, and again when each is complete.
7. Operational practices
7.1 Logging and monitoring
- Cloudflare edge logs retained per Cloudflare default policies
- Microsoft 365 audit logs retained per Microsoft 365 default policies
- GitHub audit logs retained per GitHub default policies
- Application-level analytics (planned, Phase 6): aggregate page-level counts via self-hosted Plausible; no individual identifiers, no cookies
7.2 Dependency hygiene
The marketing site code is reviewed for known vulnerabilities before each deployment. Dependencies are kept current; security advisories from npm and GitHub are actioned within seven days of disclosure for high-severity issues.
7.3 Backup posture
- Source code: version-controlled in a private GitHub repository, with local clones held by founders. Source can be restored from any clone or from GitHub's own backups.
- Site deployment: Cloudflare Pages builds are stateless, generated from source on each deployment. Losing the deployment artefact does not lose any data; a fresh build from source restores the site.
- DNS: maintained at Namecheap (Phase 8 will migrate to Cloudflare DNS). DNS configuration is documented in source-controlled notes.
- Email: Microsoft 365 default retention policies apply. Microsoft maintains its own backup and recovery practices per its service trust documentation.
We do not maintain customer data on the marketing site beyond what is necessary to respond to inquiries. Form submissions arrive in mailboxes; once acted upon, they are retained per the schedule in our Privacy Notice §7.
8. Incident response
If we discover an incident affecting personal data, we commit to:
- Investigating and containing the incident as quickly as our scale permits
- Notifying the Information Commissioner's Office (or the relevant EU Data Protection Authority) within 72 hours of discovery, where the incident is reportable under UK GDPR Article 33
- Notifying affected individuals without undue delay where the incident creates a high risk to their rights and freedoms (UK GDPR Article 34)
- Documenting the incident, root cause, and remediation in an internal record retained for at least three years
The point of contact for incident inquiries from regulators or affected individuals is [email protected].
9. Responsible disclosure
We welcome reports of security vulnerabilities affecting priam.ai or our marketing infrastructure.
How to report: email [email protected] with a description of the issue, steps to reproduce, and any supporting material. PGP encryption is available on request.
What to expect:
- Acknowledgement within 2 working days
- A coordinated disclosure window of up to 90 days from acknowledgement, during which we work with you to investigate and remediate
- Recognition in this page if you wish (anonymous reports also accepted)
Out of scope:
- The AVA product environment at ava.priam.ai (separate disclosure programme — contact [email protected] for the appropriate channel)
- Vulnerabilities in third-party platforms (Cloudflare, Microsoft, GitHub) that are not specific to our configuration — please report to the platform vendor
- Findings that require physical access, social engineering of staff, or denial-of-service against our infrastructure
We will not pursue legal action against researchers acting in good faith within these guidelines.
10. Updates to this page
This page is maintained as our infrastructure and compliance posture evolve. The Last updated date at the top reflects the most recent revision. We do not retain a public version history at this stage; archived versions are available on request.
11. Contact
| Topic | Contact |
|---|---|
| Privacy and data protection | [email protected] |
| Security vulnerabilities | [email protected] |
| General inquiries | [email protected] |
| Postal | Priam Cyber AI Ltd, 71–75 Shelton Street, London WC2H 9JQ, United Kingdom |
This page is currently a working draft. Substantive iteration, including legal and security review, is scheduled post-launch.