Once received, your data never touches the internet. We do not collect analytics, deploy tracking technologies, or use third-party processors in connection with client data. No client personal data or biometric reference material is processed by external AI services, cloud platforms, or software-as-a-service providers at any stage of the engagement lifecycle.
What we hold
We hold only the personal data provided directly through the secure enquiry process or in the course of an engagement. We do not supplement it with data obtained from third parties. Where biometric reference data is collected as part of a principal protection engagement, it is classified separately and subject to enhanced handling controls throughout its lifecycle.
Where it is held
Client data and evidence collected on a client’s behalf are held in physically isolated infrastructure segregated from our commercial systems, monitoring environment, and all external networks. This separation is enforced at the hardware level, not solely by software or network configuration. Infrastructure is located in jurisdictions consistent with the confidentiality obligations of the engagement and any applicable data sovereignty requirements.
How it is protected
Once received into our secure environment, client data, and biometric reference data in particular, is held in infrastructure with no external network connection of any kind. This separation is physically enforced and cannot be modified, bypassed, or overridden remotely. Where data must move between operational systems, transfer is controlled by hardware-enforced unidirectional mechanisms. In practical terms, client data cannot be extracted from the secure environment through a network-based attack. All AI processing of client personal data and biometric reference material is performed exclusively on company-owned, physically isolated hardware. Where AI tools are used in the threat monitoring environment, they operate only on anonymised references and public open-source content. Principal identities, biometric data, and engagement-specific client data are never exposed to external AI systems.
Who has access
Access is limited to personnel with a direct operational requirement within the engagement. It is not granted by seniority or general authorisation. Client identity is not disclosed across engagements or to support functions unless operationally required. Within the technical environment, clients are referenced by internal designators; real identity is resolved only by authorised personnel under dual-authorisation controls when operationally necessary.
Retention
Engagement data is retained only for the period necessary to fulfil our obligations under the engagement, or for any longer period required by law or legal hold. At the end of that period, destruction is documented and confirmed in writing. Where data is held on physical media, destruction is carried out in accordance with NIST SP 800-88. Certificates of destruction are available on request.
Your rights
Where applicable law provides rights of access, rectification, erasure, or portability, those rights may be exercised by writing to secure@custodire.ai. Requests are handled under NDA and answered within the period required by the applicable legal framework. Because our infrastructure is intentionally isolated, subject access requests are fulfilled through a controlled manual process. Automated external access to client data is not permitted by the architecture.
Enquiries
secure@custodire.ai
Custodire AI Ltd is registered in England and Wales. This statement was last reviewed in March 2026.