Data Security

Your Rules. Your Oversight. Our Accountability.

For organisations sharing proprietary data, the terms are explicit. The work is done inside your environment. Data does not leave it.

The structural commitment

Not a list of protocols. A commitment about how the work is built.

The work is done inside your environment. Data does not leave it — not because compliance requires this, but because the engagement should happen inside your world, not imported into ours. That is a structural commitment about what a consulting relationship should look like, not a list of protocols designed to limit liability.

Your IT and security team is involved throughout, not informed after the fact. Every decision about data access, tooling, and process is made with your team present, not presented to them at the end.

  • Encrypted in transit: All data stays encrypted across every connection used in the engagement. No exceptions for convenience.
  • Every connection verified: Before any data connection is established, it is verified against the access permissions your team has approved. Nothing connects without authorisation.
  • Full action logging: Every action taken during the engagement is logged and visible to your team in real time. There are no background processes your team cannot see.
  • Access revocable at any point: Access ends when the engagement ends. It can be revoked by your team at any point during the engagement, without notice, without process, immediately.
  • IT team involved throughout: Your IT and security team is a working participant in the engagement from day one, not a stakeholder who is briefed when the work is complete.
  • AI tools evaluated before use: Any AI tools used inside the engagement are evaluated for data handling, retention, and training-data policies before use. Tools that train on client data are not used.

Confidentiality

Mutual NDAs. Both directions. From the first conversation.

Mutual NDAs are standard at the start of every commercial conversation. They cover both directions: information shared with The Tenth Floor and information shared by The Tenth Floor. The NDA does not begin when the engagement begins. It begins when the first substantive conversation does.

At the conclusion of an engagement, a client may request that all data be returned and any working copies be deleted. This is confirmed in writing.

Findings & methodology

What we learn inside your engagement stays there.

Findings, methodology, and any intermediate analysis are confidential to the engagement and never reused or referenced in other engagements without explicit written consent.

The investigative work done inside your organisation reflects your data, your context, and your commercial situation. It belongs to your organisation. We do not build a library of client insights that informs other clients’ work.

In plain language

What this looks like in practice.

  • Client data is processed only on infrastructure controlled by The Tenth Floor or by the client. No third-party platforms outside the engagement scope.
  • The work is scoped before any data access begins. Your team approves the scope. Nothing happens outside it.
  • If the engagement requires access to systems your IT team manages, that access is requested through your standard process, not worked around.
  • At the conclusion of the engagement, a written confirmation is provided that all working copies have been deleted or returned.
  • Questions about data handling at any point in the engagement go directly to the same two leaders running the work, not to a separate compliance function.

Questions about how the work is handled?

The leadership team answers data security questions directly, before any engagement begins.