Trust Centre
curvestone.ioCompliance overview
Current compliance status across frameworks
Compliance programme
An overview of security controls in place
- Encryption at Rest
- Encryption in Transit
- Centralised Key Management
- Data Residency
- Multi-Tenancy & Client Isolation
- Least Privilege Access
- Unique User Identities
- Secure Authentication
- Privileged Access Management
- Joiners, Movers & Leavers
- Access Reviews
- Cloud-First on Microsoft Azure
- Network segmentation implemented
- Network and system hardening standards maintained
- DMZ Network Architecture
- Web Application Firewall & DDoS Protection
- Continuous Static Analysis (SAST)
- Dynamic Application Security Testing (DAST)
- Automated Dependency Monitoring
- Daily Automated Penetration Testing
- Annual CREST-Accredited Penetration Test
- Formal Secure Development Lifecycle (SDLC)
- Mandatory Pull Request Reviews
- Secret Scanning
- OWASP Alignment
- SIEM
- Performance metrics
- Comprehensive Log Coverage
- Log Retention
- Uptime Monitoring
- Alert Triage
- Documented Incident Response Process
- Regulatory Notification
- Continuity and Disaster Recovery plans established
- Continuity and Disaster Recovery plans tested
- Production multi-availability zones established
- Azure Recovery Services
- Autoscaling & Redundant Endpoints
- Multi-Provider Architecture
- Supplier Due Diligence
- Certification Requirements
- Annual Supplier Reviews
- AI Supplier Due Diligence
- Employee background checks performed
- Device encrypted
- Asset disposal procedures utilised
- Confidentiality Agreement acknowledged by employees
- MDM system utilised
- Security awareness training implemented
- Management roles and responsibilities defined
- Whistleblower policy established
- Change management procedures enforced
- Security policies established and reviewed
- Risk management program established
- Formal AI Policy
- Use Case Approval Process
- Regulatory Alignment
- No Training on Client Data
- User-Submitted Data Only
- No Sensitive Data in Development Prompts
- Data Provenance Records
- Staged Model Release Process
- Automated Evaluation Pipeline
- Client Beta & User Acceptance Testing
- Model Decommissioning
- Audit-Ready Decision Trail
- Human Review in Development & Testing
- Clear AI Disclosures
- Explainability and evidence based outputs
- Shared Responsibility Model
Documents
Security documentation shared directly with your security or procurement team, under NDA where required.
ISO 27001:2022 Certificate
Our current certificate (Cert No. 19087, issued by ISOQAR).
Statement of Applicability (SOA)
The ISO 27001 controls we apply and the justification for each.
Penetration Test Summary
Executive summary of the latest annual CREST-accredited penetration test.
Data Processing Agreement
Our standard DPA, covering data residency, sub-processors, and GDPR commitments.
Shared Responsibility Model
How security, compliance, and AI governance obligations are split between Curvestone, our cloud and model providers, and client organisations.
AI Policy Overview
A summary of our platform-level AI Policy, aligned with ISO/IEC 42001:2023.
Security Questionnaire
A completed security questionnaire for your vendor due diligence process.
Controls deployed across the platform and the organisation — covering data protection, infrastructure, people, and governance — maintained under our ISO 27001:2022-certified Information Security Management System.
Data Security & Encryption
All customer data is encrypted at rest and in transit, with keys centrally managed and access strictly controlled.
Encryption at Rest
All data stored on the CurvestoneAI platform is encrypted using AES-256, applied across Azure SQL databases, Blob Storage, Cognitive Search indexes and backup vaults.
Encryption in Transit
All data transmitted between clients, our platform, and sub-processors is protected using TLS 1.2 or higher; unencrypted HTTP connections are not permitted at any endpoint.
Centralised Key Management
Encryption keys and secrets are managed through a managed key vault, accessible only to authorised service principals and designated engineers with a documented operational need.
Data Residency
Client data is hosted and processed only in the Azure region chosen by the client — EU by default, or US on request — and our Data Processing Agreements commit us to not moving data outside the agreed region.
Multi-Tenancy & Client Isolation
CurvestoneAI operates as a multi-tenant platform with logical data isolation enforced at the application and database layer; dedicated single-tenant instances with physical isolation are available for clients with specific requirements.
Access Control
Access to systems and data is granted on a strict need-to-know, least-privilege basis, with all rights managed, reviewed, and logged.
Least Privilege Access
All system access, including infrastructure, databases, and application administration, is granted on a least privilege basis, and reviewed whenever roles or responsibilities change.
Unique User Identities
Every user has a unique account; shared credentials are prohibited, ensuring individual accountability and a clear audit trail for all system activity.
Secure Authentication
Secure authentication is mandatory for all infrastructure access, including the Azure management portal, VPN connections and administrative tooling.
Privileged Access Management
Elevated infrastructure access is highly restricted, logged and monitored.
Joiners, Movers & Leavers
Access rights are reviewed on every employment change event; accounts are disabled before an employee's departure date, and redundant accounts are removed during periodic access audits.
Access Reviews
Formal reviews of all system and application access are conducted regularly with additional reviews triggered by role changes or departures.
Network & Infrastructure Security
Our platform is built on a defence-in-depth architecture with multiple independent security layers protecting client data from the network perimeter inward.
Cloud-First on Microsoft Azure
CurvestoneAI is fully cloud-hosted on Microsoft Azure, leveraging the stability and security of the leading cloud provider.
Network segmentation implemented
The company's network is segmented to prevent unauthorised access to customer data.
Network and system hardening standards maintained
The company's network and system hardening standards are documented, based on industry best practices, and reviewed regularly.
DMZ Network Architecture
The platform is deployed within a demilitarised zone (DMZ) using subnets and Network Security Groups, separating public-facing, application, and data tiers with deny-by-default rules throughout.
Web Application Firewall & DDoS Protection
WAF at the network edge, protecting against OWASP Top 10 threats including SQL injection and XSS, with DDoS protection enabled across all public endpoints.
Vulnerability Management
We take a layered, continuous approach to identifying and remediating security vulnerabilities, with defined SLAs for each severity level.
Continuous Static Analysis (SAST)
Static code analysis on every pull request, automatically surfacing security issues before any code reaches the staging or production environment.
Dynamic Application Security Testing (DAST)
Dynamic testing against the running application, simulating real-world attack techniques to identify runtime vulnerabilities not visible in source code.
Automated Dependency Monitoring
Dependency auditing runs continuously, automatically raising pull requests when known vulnerabilities are found in third-party packages, with critical updates applied to test before production.
Daily Automated Penetration Testing
AI-powered security scanning tool runs daily automated checks across application, API, infrastructure, and LLM-specific attack vectors including prompt injection and data exfiltration.
Annual CREST-Accredited Penetration Test
An independent CREST-accredited security firm conducts annual penetration testing of our cloud environments, including full OWASP Top 10 coverage, with results tracked to remediation.
Secure Development
Security and privacy are embedded into each stage of our Software Development Lifecycle, from requirements gathering through to deployment and ongoing maintenance.
Formal Secure Development Lifecycle (SDLC)
All software development follows a six-stage SDLC: planning, design, implementation, testing, deployment, and maintenance. Security requirements, threat modelling and data protection impact assessments are built in from the outset.
Mandatory Pull Request Reviews
All code changes require peer review by an engineer who did not author the change before merging; automated SAST, SCA, and secret-scanning checks must pass before any PR can be approved.
Secret Scanning
Pre-commit hooks and repository-level secret scanning are mandatory on every code repository, blocking commits and triggering automatic rotation if credentials are detected.
OWASP Alignment
Our development practices align with the OWASP Secure Coding Practices Guide and OWASP Top 10; all engineers receive regular training in secure development and AI coding tool usage.
Monitoring, Logging & SIEM
Continuous monitoring and centralised logging give us visibility across every layer of the platform, enabling rapid detection of and response to security events.
SIEM
SIEM aggregates and correlates security events across all platform layers in real time, detecting attack patterns that span multiple systems and routing alerts to the on-duty security team.
Performance metrics
Infrastructure performance metrics tracked (CPU, memory, network throughput, API response times), while continuous scans occur for misconfigurations and threats across our Azure estate.
Comprehensive Log Coverage
Logs are collected, centralised and analysed from all layers: application actions, infrastructure events, database queries, OS activity, network and firewall traffic, endpoint MDM and identity.
Log Retention
Logs relating to systems handling confidential client data are retained for a minimum of one year; all other logs are retained for a minimum of 180 days.
Uptime Monitoring
External availability is monitored continuously by Uptime Robot, with downtime alerts delivered immediately to the on-duty team.
Alert Triage
Alerts for events including failed logins, privilege escalation, unusual access patterns, and database anomalies are triaged with defined response procedures.
Incident Response
We maintain a documented incident response process designed to detect, contain, and communicate security events rapidly.
Documented Incident Response Process
Curvestone operates a formal Incident Management Policy covering detection, triage, containment, investigation, recovery, and post-incident review for all information security events.
Regulatory Notification
We are accountable for notifying affected clients, relevant regulators, and data subjects of security incidents affecting personal data within the timeframes required by UK/EU GDPR and applicable contract terms.
Business Continuity & Resilience
The platform is designed for resilience, with redundant infrastructure and tested recovery procedures to minimise disruption to clients.
Continuity and Disaster Recovery plans established
Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity.
Continuity and Disaster Recovery plans tested
Documented Business Continuity/Disaster Recovery (BC/DR) tested at least annually.
Production multi-availability zones established
Curvestone has a multi-availability zone strategy for production environments.
Azure Recovery Services
All production data is backed up with defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO), tested and reviewed under our Business Continuity and Disaster Recovery Plan.
Autoscaling & Redundant Endpoints
Azure App Service autoscaling handles the majority of compute demand automatically; redundant LLM endpoints ensure that rate limits on a single endpoint do not degrade platform availability.
Multi-Provider Architecture
CurvestoneAI is built on a multi-LLM architecture, providing resilience against single-provider outages and regulatory or commercial changes.
Third-Party & Supplier Management
Every third party that processes client data on our behalf is subject to rigorous due diligence, contractual obligations, and ongoing oversight.
Supplier Due Diligence
All sub-processors and SaaS vendors are assessed before onboarding using Curvestone's third-party due diligence process, which evaluates security certifications, data handling practices, and contractual protections.
Certification Requirements
Sub-processors are required to hold recognised security certifications, typically ISO 27001 and/or SOC 2, as a condition of engagement.
Annual Supplier Reviews
Supplier performance and security posture are reviewed at least annually, with contract terms updated as required to reflect changes in regulatory requirements or data handling.
AI Supplier Due Diligence
All AI model providers are assessed through Curvestone's supplier due diligence process, with due diligence artefacts, SOC 2 reports, ISO 27001 certificates and system cards retained and reviewed annually.
Organisational security
Controls deployed across operations covering human, physical, technical and organisational security.
Employee background checks performed
The company performs background checks on new employees.
Device encrypted
The company encrypts all devices.
Asset disposal procedures utilised
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.
MDM system utilised
The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
Security awareness training implemented
The company requires employees to complete security awareness training during onboarding and at least annually thereafter.
Governance
Governance and oversight form a central consideration to ensure CurvestoneAI is deployed securely and responsibly.
Management roles and responsibilities defined
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Whistleblower policy established
The company has established a formalised whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.
Change management procedures enforced
The company requires changes to software and infrastructure components of the service to be authorised, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
Security policies established and reviewed
The company's information security policies and procedures are documented and reviewed at least annually.
Risk management program established
The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
AI is core to what Curvestone does. CurvestoneAI is built on third-party foundation models and deployed in regulated environments where accuracy, transparency, and human oversight are not optional. The controls below describe how we govern AI responsibly at every stage, from model evaluation through to live monitoring and incident response.
AI Governance & Accountability
Clear ownership and documented governance ensure that AI decisions at Curvestone are intentional and auditable.
Formal AI Policy
Curvestone operates a platform-level AI Policy (aligned with ISO/IEC 42001:2023) that governs the full lifecycle of AI services, from vendor evaluation and integration through to live monitoring, incident response, and decommissioning.
Use Case Approval Process
Platform-level changes to CurvestoneAI are subject to formal risk and impact assessment before implementation. Use cases vary by client deployment and are governed through separate project-level assessments.
Regulatory Alignment
Curvestone's AI governance tracks UK GDPR and ICO guidance, EU AI Act developments relevant to our risk tier, and FTC guidance in the US, with controls updated as requirements evolve.
Data Handling in AI Processing
We apply strict controls to what data enters our AI pipeline and how it is handled by foundation model providers.
No Training on Client Data
Curvestone's contracts with all foundation model providers (including Azure OpenAI and Anthropic) include explicit commitments that client prompts and completions are not used to train or fine-tune foundation models.
User-Submitted Data Only
All data processed by Curvestone's AI systems originates from user submissions; no external datasets, third-party data, or training corpora are ingested or stored by Curvestone for AI processing.
No Sensitive Data in Development Prompts
Production data, personal data, authentication secrets, and API keys are never shared with AI coding assistants or used in development and testing; all test data is synthesised or masked.
Data Provenance Records
Data lineage is documented within the relevant risk and impact assessment for each project-level use case. Data processed by CurvestoneAI originates from user submissions and no training activity is performed.
Model Lifecycle Management
Every AI model used in production follows a structured staged release process, from sandbox testing through to approved go-live and ongoing performance review.
Staged Model Release Process
New models follow a defined path: vendor evaluation → sandbox integration with synthetic data → automated evaluation pipeline → controlled client Beta / UAT → senior sign-off → general release → 90-day post-launch review.
Automated Evaluation Pipeline
An internal evaluation pipeline runs standardised tests on every candidate model before it progresses to Beta, covering accuracy, edge cases, and use-case-specific scenarios against defined acceptance thresholds.
Client Beta & User Acceptance Testing
Before general release, new models are made available to selected clients for UAT, with human reviewers in the loop and users clearly informed that outputs are in a controlled experimental phase.
Model Decommissioning
Retiring models are managed in stages, usage review, client notification, default migration, feature sunset, with human oversight and senior approval required at each transition.
Human Oversight & Explainability
Curvestone's platform is designed so that AI outputs support human decision-making, not replace it, with full traceability back to source documents.
Audit-Ready Decision Trail
Every AI-generated compliance outcome is logged with the source document evidence, the specific rules applied, the reasoning behind the decision, and a timestamp, making every finding traceable and defensible for FCA, FOS, or PI insurer review.
Human Review in Development & Testing
Manual QA and UAT processes involve human reviewers who assess whether AI outputs are accurate, clear, stable, and resistant to manipulation; AI-generated review comments are treated as advisory only.
Clear AI Disclosures
Users of the CurvestoneAI platform receive clear in-interface disclosures about AI involvement, known limitations, and the basis for AI-assisted outputs, in line with our transparency obligations.
Explainability and evidence based outputs
Where technically feasible, findings presented to a reviewer are accompanied by the specific source passage or document that supports it. Reviewers can examine the evidence, understand why a finding was made, and choose to agree, amend, or override the output.
Shared Responsibility Model
Curvestone implements a Shared Responsibility Model that defines the security, compliance, and AI governance obligations split between Curvestone, our cloud and model providers, and client organisations.
Looking for the product security overview? Visit our Security page. To report a vulnerability or security concern, contact our security team.
Frequently asked questions
Common questions from security and procurement teams
What security certifications does Curvestone hold?
Curvestone holds ISO 27001:2022 certification (Cert No. 19087, issued by ISOQAR), demonstrating that our Information Security Management System meets internationally recognised standards. We comply with UK and EU GDPR, and we are pursuing certification to ISO/IEC 42001:2023 — the international standard for AI management systems — which our secure development and AI governance practices already align with.
How is my data encrypted?
All data is encrypted at rest using AES-256 — across Azure SQL databases, Blob Storage, Cognitive Search indexes, and backup vaults — and in transit using TLS 1.2 or higher. Unencrypted HTTP connections are not permitted at any endpoint, and encryption keys are managed through a centralised key vault.
Where is my data stored?
Client data is hosted and processed only in the Azure region chosen by the client — EU by default, or US on request. Our Data Processing Agreements commit us to not moving data outside the agreed region.
Can Curvestone staff access my data?
Access to systems and data is granted on a strict need-to-know, least-privilege basis, with every action logged for individual accountability. CurvestoneAI enforces logical data isolation at the application and database layer, and access rights are reviewed whenever roles or responsibilities change.
Is my data used to train AI models?
No. Curvestone's contracts with all foundation model providers (including Azure OpenAI and Anthropic) include explicit commitments that client prompts and completions are not used to train or fine-tune foundation models. All data processed by our AI systems originates from your submissions.
How do you handle data and log retention?
Data processed by CurvestoneAI originates from user submissions, and no training activity is performed on it. Logs relating to systems handling confidential client data are retained for a minimum of one year; all other logs are retained for a minimum of 180 days.
Can I deploy Curvestone in an isolated environment?
CurvestoneAI operates as a multi-tenant platform with logical data isolation enforced at the application and database layer. Dedicated single-tenant instances with physical isolation are available for clients with specific requirements.
Do you support SSO?
Yes. SAML and OIDC-based SSO with auto-provisioning via Azure AD group claims. Secure authentication is mandatory for all infrastructure access, and every user has a unique account — shared credentials are prohibited.
How often is Curvestone penetration tested?
An AI-powered scanning tool runs daily automated checks across application, API, infrastructure, and LLM-specific attack vectors including prompt injection and data exfiltration. In addition, an independent CREST-accredited firm conducts a full penetration test of our cloud environment annually, with all findings tracked to remediation.
How does Curvestone govern its use of AI?
Curvestone operates a platform-level AI Policy aligned with ISO/IEC 42001:2023 that governs the full lifecycle of AI services — from vendor evaluation and integration through to live monitoring, incident response, and decommissioning. New models follow a defined staged release process, with automated evaluation and senior sign-off required before general release.
Is there human oversight of AI-generated outputs?
Yes. Curvestone's platform is designed so that AI outputs support human decision-making, not replace it. Where technically feasible, findings are accompanied by the specific source passage that supports them, and reviewers can examine the evidence and choose to agree, amend, or override any output.
How are AI compliance decisions made auditable?
Every AI-generated compliance outcome is logged with the source document evidence, the specific rules applied, the reasoning behind the decision, and a timestamp — making every finding traceable and defensible for FCA, FOS, or PI insurer review.
What happens in the event of a security incident?
Curvestone operates a formal Incident Management Policy covering detection, triage, containment, investigation, recovery, and post-incident review. We are accountable for notifying affected clients, relevant regulators, and data subjects of incidents affecting personal data within the timeframes required by UK/EU GDPR and applicable contract terms.
How do you vet your suppliers and AI providers?
All sub-processors and SaaS vendors are assessed before onboarding through our third-party due diligence process and are required to hold recognised security certifications, typically ISO 27001 and/or SOC 2. AI model providers are assessed through the same process, with SOC 2 reports, ISO 27001 certificates, and system cards retained and reviewed annually.
Does Curvestone have business continuity and disaster recovery plans?
Yes. Business Continuity and Disaster Recovery Plans are in place and tested at least annually. Production runs across multiple availability zones, all production data is backed up with defined Recovery Point and Recovery Time Objectives, and our multi-LLM architecture provides resilience against single-provider outages.
Questions about security? Contact our security team.
Need the documentation?
We share our ISO 27001 certificate, penetration test summaries, Data Processing Agreements, and completed security questionnaires directly with your security or procurement team.