Data Security.
Your data and privacy are protected with certified controls, accredited infrastructure and contractual commitments designed for the regimes our customers operate under.
Real accreditations. Independently verified.
Cyber Essentials
Measurelab is Cyber Essentials accredited under the UK government's NCSC scheme. The five technical controls (firewalls, secure configuration, user access control, malware protection, security update management) are independently verified against our IT estate and renewed annually.
Google Cloud Partner
SEAM is hosted entirely on Google Cloud, whose underlying platform holds SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 and ISO 27701. Those controls apply to every layer beneath SEAM. As a Google Cloud Partner, we operate within Google's recommended architecture for workload isolation and tenancy.
UK ICO registered
Measurelab is registered with the UK Information Commissioner's Office as a data controller and processor under registration number ZA477778. We operate to UK GDPR and EU GDPR standards in all customer engagements.
UK-based by default. Region of choice for SEAM Cloud.
Measurelab is based in the United Kingdom and any processing we carry out directly is UK-based. SEAM Cloud customer instances are deployed to the Google Cloud region you choose at onboarding; UK and EU regions are the default for our British and European customers.
In transit
All traffic to and from SEAM is encrypted in transit using TLS 1.2 or higher. HSTS is enforced. Internal Google Cloud traffic between SEAM components is encrypted using Google's automatic service-to-service encryption.
At rest
All persistent storage (Firestore, Cloud Storage, BigQuery) is encrypted using AES-256 with Google-managed keys by default. Customer-managed encryption keys (CMEK) are available for engagements that require key custody.
Backups
Configuration and definition data is backed up via Google Cloud's regional and multi-regional replication. Backup retention is governed by the customer's deployment configuration and documented in the engagement DPA.
Deletion
On termination of an engagement, customer data is removed from active systems within 30 days and from backups in line with Google Cloud's retention windows.
Least privilege, MFA-mandatory, logged, reviewed.
Authentication and IAM
Per-user OAuth via Google, Microsoft or your own identity provider. MFA is mandatory. Role-based access by default; cloud resources governed by Google Cloud IAM under least privilege.
Internal Measurelab access
Customer environments are accessible only to named engineers on the engagement; access follows least privilege and is logged and reviewed. Mark Rochefort (Company Director) is our CISO.
Endpoint security
Every Measurelab device runs CyberSmart Active Protect: enforced passwords, automatic patching, whole-disk encryption, anti-malware, screen lock. This is the baseline that maintains our Cyber Essentials accreditation.
Audit trail by default
Every agent action through SEAM produces a governance record - the question asked, the definition that resolved, the source consulted, the user, the timestamp. The record describes the governance event, not the underlying data the agent saw. The log is held encrypted in BigQuery under Google Cloud IAM, with all access logged. Audit reporting is delivered to the customer as part of the engagement.
We build SEAM for the regulations coming next.
UK GDPR & EU GDPR
A Data Processing Agreement is signed with every customer before data enters SEAM. The DPA covers controller and processor obligations, sub-processor approvals, international data transfer mechanisms (Standard Contractual Clauses where applicable), data subject rights handling and breach notification within the 72-hour GDPR timeframe.
EU AI Act
SEAM produces by default the artefacts the AI Act asks for: an inventory of agent actions, traceable data flows and a complete audit trail. Customers operating high-risk AI systems can use SEAM's outputs as evidence of the controls the regulation expects.
Sector-specific regimes
For customers in regulated sectors (financial services, healthcare, education, public sector) we work to the additional requirements of FCA, ICO sector guidance, the Department for Education and the NHS Digital Technology Assessment Criteria where they apply. Specific controls and evidence packs are scoped during the engagement.
ISO 42001 (AI management)
SEAM's governance and audit design is informed by ISO 42001's control framework for AI management systems. The audit trail SEAM produces by default supports the kinds of evidence the standard expects.
Approved, contracted, kept current.
We rely on a small set of sub-processors for hosting, productivity, communication, project management and AI assistance. Each is bound by its own Data Processing Agreement with Measurelab and approved as part of the customer DPA. The current list is included in our standard DPA, available on request, and customers are notified of any change before it takes effect.
Documented and customer-first.
We operate a documented Security Incident Management Policy with defined roles, severity classification and a structured response from triage through to post-incident review. Affected customers are notified of confirmed incidents alongside remediation; for personal-data breaches, the ICO is notified within the seventy-two-hour window UK and EU GDPR require.
Documented, reviewed annually, available on request.
The controls described on this page are codified in a written policy library that's reviewed at least annually. Each policy is shared with prospective customers under NDA on request.
IT Security Policy
Information classification, access controls, device security, password and credential handling.
Cloud Security Policy
Encryption, IAM, network security, monitoring and vulnerability management for our cloud estate.
Data Policy
How we collect, process, retain and protect personal data, including data subject rights handling.
Communication Security Policy
Encrypted channels, MFA, recipient verification, secure file transfer and disposal.
Security Incident Management Policy
Roles, classification, triage, response, containment, recovery and post-incident review.
AI Acceptable Use Policy
How Measurelab staff use AI tools with client data: approved tools, verification, no autonomous writes.
Business Continuity Plan
Maintaining critical operations during disruption: communications, infrastructure, recovery testing.
Privacy Policy Notice
Public privacy notice covering website data, cookies and data subject rights. Available on the Measurelab site.
Talk to us.
For DPA requests, security questionnaires, sub-processor change notifications and breach reports, email hello@measurelab.co.uk. For data subject access, correction, erasure or portability requests, email legal@measurelab.co.uk. We respond within one working day.