Skip to content
Skip to content
Workflow Alpha
Security

Security as a practice.

A pragmatic summary of how we work. We don't claim certifications we don't hold — we do the things underneath them, every day.

Last updated
April 2026
Studio
London · Remote

Client data handling

Engagements happen inside your environments wherever possible — your repositories, your cloud accounts, your data warehouse. When a sandbox outside your perimeter is unavoidable (e.g. early prototyping), we use synthetic or de-identified data and tear it down on completion.

Least-privilege access

Every team member operates with the smallest credential set required for the work in front of them. Access is scoped per-project, time-bound, and revoked at engagement end. No shared accounts. No long-lived service credentials sitting in laptops.

Environment separation

Development, staging, and production are kept distinct — separate credentials, separate datasets, separate model endpoints. Prompts, evals, and tool wiring move between environments via reviewed pull requests, never by hand.

Observability & auditability

Every production AI system we ship is instrumented from day one: structured logs, request traces, eval scores, and tool-call records. You get a single pane of glass to answer "what did the agent do, when, and why" — including for compliance and incident review.

Evaluation & monitoring

We write evals before we write features. Production systems run a continuously-updated eval suite against real traffic samples, with regression alerts when accuracy, latency, or unsafe-output rates drift. Models and prompts are versioned; rollbacks are one command.

Human review & escalation

Agentic systems reach out for a human when confidence is low, when an action is irreversible, or when policy demands it. Escalation paths, approver roles, and SLAs are part of the system design — not bolted on after launch.

Secrets & credentials

Secrets live in your secret manager, never in our laptops, repos, prompt templates, or chat logs. Model API keys are scoped per-project and rotated on a schedule. We support BYOK for foundation models where you require it.

Vendors & subprocessors

We use a small, considered set of tools to run the studio (e.g. cloud hosting, source control, documentation). We can share the current subprocessor list and DPA terms on request — typically as part of an enterprise procurement pack.

Incident response

If we identify a security issue affecting your systems or data, you'll hear from a senior partner within 24 hours, with a written summary covering scope, root cause, and remediation. We don't outsource the first call.

Reporting an issue

Found something concerning on this site or in work we've delivered for you? Email hello@workflowalpha.co with "Security" in the subject. We acknowledge within one business day.

Workflow Alpha is a trading name. This page reflects current practice and is reviewed periodically. For enterprise procurement, supplementary documentation is available on request — email hello@workflowalpha.co.

PrivacyTermsSecurityContact →