How Numen handles your data

Numen AI Agency is a UK-based AI automation business. Clients access an AI assistant ("the platform") at app.numenai.co.uk that runs custom workflows — answering questions, drafting documents, processing tasks — using a knowledge base of documents the client uploads.

Numen processes:

• Knowledge base content — documents the client uploads (policies, procedures, templates, reference material).
• Conversation messages— user prompts and AI responses, stored for the client's own audit trail.
• Account data — client name, email, organisation, billing identifier.
• Operational data(where applicable) — prospect records and outreach history when the client uses Numen's lead-generation workflows.

Numen does not process payment card data (handled by a third-party processor outside the platform) or special category personal data unless the client uploads it as part of their knowledge base.

Client data at rest sits on UK infrastructure. AI inference traffic crosses to the United States under Anthropic's data processing agreement.

Each client organisation has a unique organisation_id. Knowledge base documents, conversations, and operational records are tagged with that ID at write time.

Read access is enforced at the database layer using PostgreSQL Row-Level Security (RLS) policies. A client authenticated to Organisation A cannot query rows belonging to Organisation B, even if they construct the request manually — the database itself rejects the read. This is a stronger guarantee than application-layer permission checks alone.

Write operations are validated at the API layer against the authenticated client's organisation_id, with database-level write policies on the roadmap for Q2 2026.

Numen relies on the following sub-processors. Each has signed a Data Processing Agreement (DPA) with Numen or operates under terms that are GDPR-compliant by default. Client data flowing to each is listed below.

This list is reviewed quarterly. Material changes are notified to clients in writing.

• In transit: All HTTP traffic uses TLS 1.2 or higher. The custom domains (numenai.co.uk, app.numenai.co.uk) are served over HTTPS exclusively.
• At rest: Supabase databases run on AWS EBS volumes with full-disk encryption (AES-256). Backups are encrypted in the same posture.
• Secrets: API keys and credentials are stored as Vercel environment variables (not in source code) and accessed only by server-side application code.

Column-level encryption for sensitive knowledge base content is on the roadmap for clients in regulated sectors (legal, financial, healthcare).

• Client authentication: JWT-based sessions managed by Supabase Auth, stored in HTTP-only secure cookies. No tokens are stored in browser localStorage.
• Session expiry: Configurable per organisation, default 7 days inactive.
• Role separation: Within a client organisation, two roles are supported — admin (manages knowledge base + invites users) and member (uses the AI assistant only).
• Operator access (Numen staff): Numen operators (the team running the agency) have administrative read access to client knowledge bases for the purpose of building, maintaining, and supporting client workflows. This is a structural feature of the done-with-you delivery model, not an oversight. Audit logging for operator access is on the roadmap for Q2 2026.

• Active client data — retained for the duration of the engagement plus 30 days after termination, after which all client knowledge base content, conversations, and operational data are deleted.
• Anthropic-side processing — content sent to Anthropic for inference is retained by Anthropic for 30 days under their default API retention policy and is not used for model training.
• Backups — Supabase performs daily encrypted backups with 7-day retention.
• Logs (Sentry, PostHog) — error and analytics data retained for 30 days.

Clients can request deletion of their data at any time by emailing security@numenai.co.uk. Numen processes deletion requests within 30 days of receipt, in line with UK GDPR Article 17. Deletion covers:

• Knowledge base documents
• Conversation history
• Operational records (prospects, outreach history, value events)
• Account records (after the engagement is closed)

A self-service deletion endpoint and audit-trail receipt is on the roadmap for Q2 2026. Until that ships, deletions are processed manually by the data controller (Raj Dhillon) and a written confirmation is sent.

In the event of a confirmed data breach affecting client data, Numen will:

1. Notify the affected client(s) within 72 hours of confirmation, in line with UK GDPR Article 33.
2. Provide a written summary of the incident scope, the data affected, the remediation taken, and any recommended actions for the client.
3. Cooperate with the Information Commissioner's Office (ICO) where the threshold for regulator notification is met.

Numen has not experienced a notifiable data breach to date (last reviewed: 2026-04-27).

• UK GDPR / Data Protection Act 2018 — Numen is a data processor on behalf of clients for client-uploaded knowledge base content; a data controller for prospect records generated by Numen's own outbound workflows.
• ICO registration — Numen is registered with the ICO as a data controller (registration confirmation available on request).
• Standards — Numen does not currently hold ISO 27001 or SOC 2 certification. Both are on the roadmap once the agency reaches sufficient scale to justify the audit cost.
• DPA with clients — Numen signs a Data Processing Agreement with every client. A current template is available on request from security@numenai.co.uk.

To make due diligence efficient, here are the questions clients should ask — and where the answer lives:

• Security and data protection: security@numenai.co.uk
• General contact: raj@numenai.co.uk
• Phone: +44 7799 654111

For a security questionnaire response, DPA copy, or to report a vulnerability, email security@numenai.co.uk and a response will be sent within two working days.