A plain-English account of where your data lives, who can reach it, how the AI handles your drawings, and how you get everything back. Built and run by a working machine shop — so this is the same security we trust with our own jobs.
We're a UK company, early in our journey, and we'd rather be straight with you than oversell. We do not yet hold ISO 27001 or SOC 2 — and we won't pretend otherwise. What we do have are the real, day-one controls below: every customer's data is isolated at the database, secrets never touch your browser, hosting is UK/EU, and your records are yours to export at any time.
If there's a control you need that we don't have yet, we'll tell you — not paper over it. We're happy to complete your vendor security questionnaire and sign a data-processing agreement (DPA).
Your shop's data sits in managed PostgreSQL on Supabase. The core platform (jobs, quality, time, sales, inventory) is hosted in the UK — London; the AI quoting module is hosted in the EU — Frankfurt. The apps you use in the browser are served over a global CDN (Netlify). All traffic is encrypted in transit (TLS), and data is encrypted at rest by the hosting platform.
The boundary between your data and everyone else's is enforced by the database itself — not by a screen filter that could be bypassed. Every record carries your tenant identity, and the database refuses to return another tenant's rows. This is called row-level security, and it's the actual security wall.
The AI quoting module (DASQuote) reads an uploaded drawing to draft an estimate. To do that, your drawing is sent to Google (Gemini) and Anthropic (Claude) — the commercial AI services that power the read. We deliberately use two and cross-check them, because a second opinion catches more than one model alone.
Because your drawing leaves to a third-party AI service to be read, DMOS is not suitable for ITAR, export-controlled, or NDA-restricted drawings. Do not put controlled work through the AI quoter. For ordinary commercial work this is standard practice; for controlled work, we are not the right tool, and we'll say so.
No API keys, passwords, or secrets ever ship in the browser app or sit in our source code. Provider credentials live in managed secret stores (encrypted secret vaults), reachable only by the small server-side functions that need them. We run an automated secret scan, with a commit-time check that blocks any secret from slipping into version control.
Fair question, asked plainly. The honest answer: this platform runs a real, working machine shop every day — it's load-bearing for an operation of 10+ people, so it isn't going anywhere quietly. And because your data is yours to export at any time, you're protected regardless.
We use a small, deliberate set of trusted providers. Here's the full list and what each one does:
| Provider | What they do | Region |
|---|---|---|
| Supabase | Database, sign-in, file storage, server functions | UK (London) / EU (Frankfurt) |
| Netlify | Serves the web apps (hosting / CDN) | Global CDN |
| Google — Gemini | AI reading of drawings (quoting module) | US-served API |
| Anthropic — Claude | AI reading / cross-check of drawings (quoting module) | US-served API |
| Resend | Sign-in & invitation emails | Email delivery |
| Sentry | Error monitoring | Error reports only |
| Xero | Accounting sync — only if you choose to connect it | Per-tenant, opt-in |
We do not currently hold ISO 27001 or SOC 2. As a UK-focused company, Cyber Essentials (the UK National Cyber Security Centre scheme) is our planned first certification. We already follow the controls behind it — tenant isolation, least-privilege access, server-side secrets, encrypted transport, and audit logging — and we're glad to walk your team through any of them.
Send us your security questionnaire and we'll complete it straight. If a certification is a hard requirement for you today, tell us — we'd rather scope that honestly than win on a promise we can't keep yet.
Questions on any of this — or something you need that isn't here yet? Email me directly and you'll get a straight answer.
Morgan Dalloway Founder, Dalloway Advanced Systems · morgan@dalloways.com