Production-Grade AI for Regulated Industries

We design, deploy and operate production AI systems for insurers, retailers and the UK public sector. Self-hosted or air-gapped, with traceable decisions and ISO/IEC 27001:2022 aligned engineering practice.

Deployments
Self-hosted.
Private VPC or fully air-gapped.
Practice
ISO 27001:2022
Aligned. Cyber Essentials ready.
Delivery
Fixed-price.
Eight-week pilot, measurable exit.
01 · Practice

Six disciplines. One engineering org. Zero vendor lock-in.

We run the whole lifecycle, from governance and scoping to 24/7 runbooks, inside your stack, behind your firewall.

01

Strategy & governance

Map use cases to measurable business value. Define risk tiers, approval workflows, and a rollout your CISO will actually sign off on.

  • Use-case portfolio scoring · SCOPE
  • EU AI Act risk classification · POLICY
  • Explainability & bias framework · FRAME
02

Retrieval that cites itself

Hybrid retrieval, cross-encoder reranking, tool-grounded reasoning. Every answer carries source citations.

  • Layout-aware extraction · INGEST
  • Semantic diff across policy versions · DIFF
  • Privilege-aware access controls · RBAC
03

Tuning, evals, canaries

Golden datasets, RAGAS in CI, canary deploys with automatic rollback on quality regression. Your evaluation harness becomes the source of truth.

  • Faithfulness & context precision · EVAL
  • Jailbreak and injection red-teaming · RED
  • SLO-enforced rollback · SLO
04

Audit-grade data pipes

ETL and ELT with change-data-capture lineage. PII redaction at ingest. Retention policies enforced as code.

  • Column-level lineage & provenance · LINE
  • GDPR Art. 28 processor posture · GDPR
  • HSM-managed key material · HSM
05

Air-gapped inference

vLLM and SGLang on Kubernetes, integrated with your IdP (OIDC / SAML), RBAC, VPC isolation. Offline model updates for air-gapped estates.

  • GPU pooling & autoscaling · K8S
  • Token-level usage attribution · METER
  • Zero cross-border data egress · DENY
06

24/7 runbook

Observability, drift detection, incident response and on-call. We carry the pager so your team can ship.

  • OpenTelemetry tracing end-to-end · OTEL
  • Human-in-the-loop escalation · HITL
  • Tamper-evident incident ledger · LEDGER
02 · Compliance

Your auditors won't have questions. We've already answered them.

Every engagement ships with a dossier: statement of applicability, DPIA, threat model, and a signed handover package.

Engineering practice aligned to ISO/IEC 27001:2022.

Access management, encryption, incident response, change management, and supplier risk, codified as controls, enforced as pipelines, evidenced as logs. We support Cyber Essentials readiness for UK government contracts, and map our controls to NIST CSF 2.0, SOC 2 TSC and FCA SYSC where required.

ISO 27001:2022 · aligned
Cyber Essentials · ready
GDPR Art. 28 · processor
NIST CSF 2.0 · mapped
SOC 2 · TSC · mapped
FCA SYSC · operable
Controls matrix · Annex A mapping

Control | Domain | Implementation | Status
A.5.15 | Access control | IdP (OIDC / SAML), role-based, least privilege | IN PLACE
A.8.24 | Cryptography | AES-256 at rest, TLS 1.3 in transit, HSM-managed keys | IN PLACE
A.8.32 | Change management | Code review, CI gates, signed releases | IN PLACE
A.5.26 | Incident response | On-call rota, postmortems, lessons learned | IN PLACE
A.5.19 | Supplier relationships | SBOM, vendor risk register | IN PLACE
A.8.16 | Monitoring | Centralised logging, drift and quality alerting | IN PLACE
A.5.34 | Privacy & PII | DPIA per engagement, GDPR Art. 28 posture | IN PLACE
03 · Fieldwork

Systems we've shipped behind other people's firewalls.

Details anonymised. Numbers verified. Architecture diagrams and SoWs available under NDA.

04 · Process

A fixed-price pilot. A measurable outcome. An exit clause.

Eight-week default. We ship production before month three or the final milestone isn't billed.

01
Week 1 to 2 · Scope

Threat model and golden set

We sit with your risk, security and product teams. Map use cases, score for EU AI Act tier, and build the evaluation dataset every future change is measured against.

Delivers · DPIA, SoA, golden eval
02
Week 3 to 4 · Prototype

Thin slice, in your VPC

A working end-to-end path deployed inside your network, with real auth, real data classes and real retrieval. No toy demos, no shared notebooks.

Delivers · vertical slice, RAGAS baseline
03
Week 5 to 6 · Harden

Red-team, rollback, runbook

Prompt injection tests, jailbreak suite, SLO definitions, canary with auto-rollback. We write the runbook your on-call will actually read at 3am.

Delivers · incident ledger, SLO dashboards
04
Week 7 to 8 · Ship

Production and handover

Cutover to full traffic, knowledge transfer to your team, and the engineering dossier every internal audit wants to see.

Delivers · prod traffic, signed postmortem
05 · Questions

The things your CISO will ask in the first meeting.

Technical appendix available under NDA.

01

Can you deploy self-hosted, on-prem, or in our private cloud?

Yes. Self-hosted, private cloud (AWS, Azure, GCP VPC), or fully air-gapped. Kubernetes with vLLM or SGLang for serving, integrated with your IdP (OIDC or SAML), RBAC, and VPC isolation. Air-gapped estates run on offline model updates we co-sign with your security team.
02

How do you handle data residency and sovereignty?

Self-hosted infrastructure gives you inherent data sovereignty; your data never leaves your network. Cross-border egress is denied by default, which eliminates transfer risk and foreign-jurisdiction data requests by design, not by policy alone.
03

How do you ensure AI governance and explainability?

Every decision is logged with an immutable trail: input context, reasoning steps, retrieved sources, output rationale. High-stakes decisions escalate to human-in-the-loop. We run bias monitoring in CI and version every deployment with documented rollback.
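The "immutable trail" above and the "tamper-evident incident ledger" in the runbook discipline rest on one mechanism: each record commits to the hash of the record before it, so any edit, deletion or reordering breaks the chain. The following is an added illustration of that mechanism, not code from the firm described on this page; the entry fields (input context, retrieved sources, rationale, escalation flag), the `DecisionLedger` class and the sample decisions are constructed for the example. It also shows the check a practitioner would want: tail truncation is only detectable if the latest chain head is anchored somewhere the ledger writer cannot alter.

```python
import copy
import hashlib
import json

# Hash of "nothing before the first record" (constructed convention for this example).
GENESIS = "0" * 64


def _digest(prev_hash, entry):
    """Hash the previous record's hash together with a canonical JSON form of the entry."""
    payload = json.dumps({"prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DecisionLedger:
    """Append-only, hash-chained log of model decisions (hypothetical class)."""

    def __init__(self):
        self.records = []  # each: {"entry": dict, "prev": hex, "hash": hex}

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = copy.deepcopy(entry)  # the ledger owns its copy of the data
        h = _digest(prev, entry)
        self.records.append({"entry": entry, "prev": prev, "hash": h})
        return h

    def head(self):
        """Latest chain hash; publish this to a system the ledger writer cannot modify."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index). index is the first bad record, or len(records) when
        the chain is internally consistent but does not end at expected_head
        (i.e. records were removed from the tail)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)
        return True, None


# Constructed sample decisions in the shape the FAQ describes.
SAMPLE_DECISIONS = [
    {"id": "d-001", "input_context": "claim #C-1001, motor, £1,200",
     "retrieved_sources": ["policy_v3.pdf#p4"], "rationale": "within excess, auto-approve",
     "escalated_to_human": False},
    {"id": "d-002", "input_context": "claim #C-1002, property, £48,000",
     "retrieved_sources": ["policy_v3.pdf#p9", "fraud_rules_v2.md"],
     "rationale": "high value, referred", "escalated_to_human": True},
    {"id": "d-003", "input_context": "claim #C-1003, travel, £300",
     "retrieved_sources": ["policy_v3.pdf#p12"], "rationale": "covered, auto-approve",
     "escalated_to_human": False},
]


def build_sample_ledger():
    ledger = DecisionLedger()
    for decision in SAMPLE_DECISIONS:
        ledger.append(decision)
    return ledger


def edit_in_place_and_verify():
    """Rewriting a past rationale is caught at that record's index."""
    ledger = build_sample_ledger()
    head = ledger.head()
    ledger.records[1]["entry"]["rationale"] = "low value, auto-approve"
    return ledger.verify(expected_head=head)


def truncate_tail_and_verify():
    """Dropping the newest record passes the internal check but fails against the anchored head."""
    ledger = build_sample_ledger()
    head = ledger.head()
    ledger.records.pop()
    return ledger.verify(expected_head=head)


if __name__ == "__main__":
    print("intact:", build_sample_ledger().verify())
    print("edited record:", edit_in_place_and_verify())
    print("truncated tail:", truncate_tail_and_verify())
```

The design point is the `expected_head` argument: an internally consistent chain proves nothing about records that were cut from the end, so the current head hash has to be anchored outside the ledger (a signed timestamp, a write-once store, or a second party) on every append or on a fixed cadence. The verification itself is cheap enough to run on each read in an audit workflow.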
04

How do you reduce hallucinations?

Hybrid retrieval (dense plus sparse), cross-encoder reranking, and tool or database grounding anchor every response in your authoritative data. Faithfulness is measured per response via RAGAS and gated in CI.
05

Who owns the IP?

You do. All code, prompts, evals, and fine-tuned weights developed under the SoW are delivered to you under a perpetual, irrevocable license. We retain rights only to the underlying generic frameworks that predate the engagement.
06

What happens when the engagement ends?

Full handover: architecture, SoA, DPIA, runbooks, postmortems, signed SBOM, and a two-day in-person knowledge transfer with your team. Your engineers should be able to keep the pager after we leave; if they can't, we haven't finished.
06 · Engage

Put your next agentic system in production, properly.

Pilot scope in a 30-minute call. Engineering discovery memo within five working days. A go or no-go on week two. No slide decks.