Skip to main content
Client Engine
Security & Trust

Built to be trusted, not just used.

A UK company, regulated by the ICO, processing your data under UK GDPR. Every sub-processor named, every transfer documented, every right protected.

Built & operated from

United Kingdom

Compliant with

UK GDPR

ICO Registered

No. ZC045226

Sub-processors

Fully disclosed

UK-controlled

Built and operated from the UK. Always.

Webcite Technology Systems Ltd is a UK company, registered with Companies House, and regulated by the UK ICO. All processing decisions, contracts, and data subject rights sit under UK law — no matter which sub-processor handles a given workload.

  • Controller

    Webcite Technology Systems Ltd · UK

  • Governing law

    England & Wales

  • International transfers

    UK IDTA · EU SCCs · UK extension to EU-US Data Privacy Framework

  • Regulator

    UK Information Commissioner's Office

Encryption everywhere

Everything you send to and from Client Engine is encrypted in transit and at rest. No plaintext passwords. No exposed databases.

  • TLS 1.2+ in transit
  • Encryption at rest on production database and storage
  • Passwords stored with industry-standard hashing
  • Database not exposed to public internet

Access controls

Role-based access inside the platform. Multi-factor authentication on production infrastructure. Least-privilege principle applied across the board.

  • Role-based access control per workspace
  • MFA on all administrative access
  • Approval flows before sequences leave the platform
  • Full audit trail on sensitive actions

Breach response

If something goes wrong, you'll know within 72 hours. We have a documented incident response procedure that meets UK GDPR requirements.

  • 72-hour Customer notification commitment
  • ICO notification where required
  • Documented response runbook
  • Post-incident review and remediation

Your rights

Under UK GDPR you can access, correct, export, or delete your data. Email info@webcite.ai and we'll respond within one month.

  • Access your data on request
  • Rectify, restrict or erase data
  • Data portability
  • Lodge complaints with the UK ICO

Data retention

We hold your data only as long as it serves you, your legal obligations, or fraud prevention. Workspaces and prospect data are deleted within 30 days of termination.

  • Account data: life of account + 12 months
  • Prospect data: deleted within 30 days of workspace deletion
  • Usage logs: 12 months
  • Billing records: 7 years (UK statutory)

Backups & resilience

Automated daily database backups with documented retention and tested restore. Production traffic restricted via firewall rules. Monitoring on anomalous events.

  • Automated daily backups
  • Tested restore procedures
  • Production firewall rules
  • Application + infrastructure logging

Sub-processors

Every partner we use, named and listed.

We're transparent about who processes data on our behalf. Each sub-processor is bound by a written contract with security obligations equivalent to ours, and every international transfer relies on a UK-compliant transfer mechanism.

Sub-processorPurposeRegion
Anthropic, PBCLLM inference (signal detection, ICP, sequences)USA
OpenAI, LLCLLM inference (fallback / enrichment)USA
Moonshot AI (Kimi)LLM inferenceChina / Singapore
Apollo.ioProspect data and enrichmentUSA
Exa Labs, Inc.Web signal searchUSA
ManyReachEmail sequencing infrastructureUSA
ResendTransactional and marketing emailUSA
Clerk, Inc.User authenticationUSA
Stripe Payments Europe LtdPayment processing and subscriptionsIreland / USA
Railway Corp.Application hostingUSA
Railway PostgresDatabase hostingUSA

International transfers rely on UK adequacy regulations, the UK IDTA, EU SCCs, or the UK extension to the EU-US Data Privacy Framework as applicable.

Read the full documents.

Procurement teams: everything you need is here. No request form. No NDA before reading.

Privacy Policy

How we collect, use, store and protect personal data.

Data Processing Agreement

Standard DPA with Annex A (security measures) and Annex B (sub-processors).

Need a signed DPA, security questionnaire response, or vendor due diligence info? Email us — we respond within one business day.

info@webcite.ai →