← Back to dallowaysystems.com Dalloway Advanced Systems

How we look after your data.

A plain-English account of where your data lives, who can reach it, how the AI handles your drawings, and how you get everything back. Built and run by a working machine shop — so this is the same security we trust with our own jobs.

Security statement · v1 · June 2026

1 The short version

We're a UK company, early in our journey, and we'd rather be straight with you than oversell. We do not yet hold ISO 27001 or SOC 2 — and we won't pretend otherwise. What we do have are the real, day-one controls below: every customer's data is isolated at the database, secrets never touch your browser, hosting is UK/EU, and your records are yours to export at any time.

Our promise

If there's a control you need that we don't have yet, we'll tell you — not paper over it. We're happy to complete your vendor security questionnaire and sign a data-processing agreement (DPA).

2 Where your data lives

UK & EU
Hosting region
Per-tenant isolation
At the database
Encrypted
In transit & at rest
Yours to export
Any time

Your shop's data sits in managed PostgreSQL on Supabase. The core platform (jobs, quality, time, sales, inventory) is hosted in the UK — London; the AI quoting module is hosted in the EU — Frankfurt. The apps you use in the browser are served over a global CDN (Netlify). All traffic is encrypted in transit (TLS), and data is encrypted at rest by the hosting platform.

3 Who can see your data

The boundary between your data and everyone else's is enforced by the database itself — not by a screen filter that could be bypassed. Every record carries your tenant identity, and the database refuses to return another tenant's rows. This is called row-level security, and it's the actual security wall.

Access controls
  • Authenticated access only — Google sign-in, email + password, or a one-time magic link. Public self-signup is switched off.
  • Row-level security on every table — your tenant only ever sees its own rows, enforced at the database.
  • No shared-tenant back door — there's no "see everything" bypass baked into the data rules; support access is scoped and deliberate.
  • Every change is logged — an append-only audit trail records who changed what, and when.

4 How the AI handles your drawings

The AI quoting module (DASQuote) reads an uploaded drawing to draft an estimate. To do that, your drawing is sent to Google (Gemini) and Anthropic (Claude) — the commercial AI services that power the read. We deliberately use two and cross-check them, because a second opinion catches more than one model alone.

What protects that flow
  • Keys are server-side — the credentials that call those AI services never appear in your browser or our source code.
  • Authenticated, capped, rate-limited — every AI call is tied to a signed-in user with per-user spend caps, so cost and access stay controlled.
  • No training on your data — under Google's and Anthropic's commercial API terms, neither provider trains its models on what you send.

An honest limit — please read

Because your drawing leaves to a third-party AI service to be read, DMOS is not suitable for ITAR, export-controlled, or NDA-restricted drawings. Do not put controlled work through the AI quoter. For ordinary commercial work this is standard practice; for controlled work, we are not the right tool, and we'll say so.

5 Secrets & credentials

No API keys, passwords, or secrets ever ship in the browser app or sit in our source code. Provider credentials live in managed secret stores (encrypted secret vaults), reachable only by the small server-side functions that need them. We run an automated secret scan, with a commit-time check that blocks any secret from slipping into version control.

6 Backups, continuity & getting your data back

"You're a small company — what if you disappear?"

Fair question, asked plainly. The honest answer: this platform runs a real, working machine shop every day — it's load-bearing for an operation of 10+ people, so it isn't going anywhere quietly. And because your data is yours to export at any time, you're protected regardless.

7 Who else touches the data (sub-processors)

We use a small, deliberate set of trusted providers. Here's the full list and what each one does:

ProviderWhat they doRegion
SupabaseDatabase, sign-in, file storage, server functionsUK (London) / EU (Frankfurt)
NetlifyServes the web apps (hosting / CDN)Global CDN
Google — GeminiAI reading of drawings (quoting module)US-served API
Anthropic — ClaudeAI reading / cross-check of drawings (quoting module)US-served API
ResendSign-in & invitation emailsEmail delivery
SentryError monitoringError reports only
XeroAccounting sync — only if you choose to connect itPer-tenant, opt-in

8 Certifications — where we are, honestly

We do not currently hold ISO 27001 or SOC 2. As a UK-focused company, Cyber Essentials (the UK National Cyber Security Centre scheme) is our planned first certification. We already follow the controls behind it — tenant isolation, least-privilege access, server-side secrets, encrypted transport, and audit logging — and we're glad to walk your team through any of them.

Vendor reviews welcome

Send us your security questionnaire and we'll complete it straight. If a certification is a hard requirement for you today, tell us — we'd rather scope that honestly than win on a promise we can't keep yet.

9 Data protection (UK GDPR)

Questions on any of this — or something you need that isn't here yet? Email me directly and you'll get a straight answer.

Morgan Dalloway Founder, Dalloway Advanced Systems · morgan@dalloways.com
This statement is kept current as our controls evolve. Last updated June 2026.