Trust Centre

Security, compliance and responsible AI — evidenced

Mastercopy has looked after businesses across the UK since 1989. This is where we set out, in one place, how we protect the information our customers entrust to us — our certifications, security practices, data-protection position, AI governance and sub-processors.

✦ ISO/IEC 27001

✦ ISO 9001

✦ Cyber Essentials

✦ UK GDPR · ICO ZB864771

✦ Documented AI governance

Maintained by Mastercopy Limited · Last updated 17 June 2026 · For due-diligence enquiries see Contact

Quick answers

Answers to common due-diligence questions

Certifications

ISO 27001, ISO 9001, Cyber Essentials

Data Protection & Privacy

UK GDPR, DPA 2018, ICO registration

Sub-Processors

AI providers, hosting and tooling

AI Governance

AISMS, ethics policy, no-training

Security Practices

Encryption, access, hosting, logging

Secure Development

SDLC, peer review, patching

Incident Response

Reporting, escalation, breach process

Policies & Documents

Available publicly or on request

Contact

Security & data-protection enquiries

Independently certified

Certifications & compliance

Our management systems are independently audited and certified. Certificates are available for verification on request.

ISO/IEC 27001

Information Security · 2022

Certified by PJR (UKAS Management Systems 0105).

ISO 9001

Quality Management · 2015

Certified by Citation · Certificate 62782000.

Cyber Essentials

UK Government scheme

Verifiable via the IASME / Blockmark certificate registry.

Microsoft Partner

Accredited

Microsoft 365 & security ecosystem.

HP Amplify Partner

Authorised

HP devices protected by HP Wolf Security.

37 years

Established 1989

Family-run, owner-operated, UK-based.

Privacy by design

Data protection & privacy

Mastercopy complies with the UK GDPR and the Data Protection Act 2018, and follows guidance from the Information Commissioner's Office (ICO). We are registered with the ICO under reference ZB864771.

Where we process personal data on a customer's behalf we act as a data processor, on the customer's documented instructions, under a UK GDPR Article 28 data-processing agreement.
A Data Protection Impact Assessment has been completed for the AI processing within DocFlow, following the ICO's seven-step methodology (available on request).
Data-processing agreements, sub-processor information and our security schedule are available to customers as part of contracting.

Public policies: Privacy Policy · Cookie Policy · Terms

Supply chain transparency

Sub-processors

We use a small number of carefully assessed sub-processors to deliver our services. Each is assessed before use and at least annually against our supplier due-diligence criteria (security posture and certifications, data-handling and training commitments, contractual terms, and data residency). Customers are informed of the sub-processors relevant to their deployment.

DocFlow — AI inference

Provider	Purpose	Data handling
Anthropic (default)	Document AI — classification, extraction, summarisation, Aida assistant	Commercial API; customer inputs/outputs not used to train models
OpenAI (optional)	Alternative document-AI provider	Commercial API; not used for model training
Groq (optional)	Alternative inference provider	Commercial API; not used for model training
On-premises (self-hosted)	Optional fully on-premises AI	Zero external egress — inference runs entirely in the customer environment

Platform & infrastructure

Provider	Purpose	Assurance
Established cloud providers	Application hosting, edge/CDN, web application firewall and frontend hosting	Independently certified to ISO/IEC 27001 and/or SOC 2 Type II
Microsoft (365 / Entra ID)	Email, productivity and identity / single sign-on	ISO/IEC 27001, SOC 2

Managed IT (Total Care)

Tooling	Purpose
Microsoft Defender	Endpoint protection for managed devices
Huntress	Managed threat detection and response
Acronis	Backup and recovery

Opting out of third-party AIDocFlow is provider-agnostic and offers a fully on-premises AI option. In that configuration no document content is sent to any third-party AI provider — a complete opt-out while retaining AI functionality.

Responsible AI

AI governance

AI is built into DocFlow and the Aida assistant. We operate a documented AI Management System (AISMS) aligned to ISO/IEC 42001, supported by an AI Ethics Policy and a completed Data Protection Impact Assessment.

No training on customer data. Customer documents are never used to train, fine-tune or improve any AI model — neither globally nor per-tenant.
Human oversight. AI outputs are advisory and reviewable; a person remains accountable, and no consequential action occurs without the opportunity for human review.
Grounded answers. Aida answers from the customer's own documents, not the open web, so responses can be traced to their source.
Transparency & risk management. AI features are inventoried, risk-assessed and impact-assessed; AI incidents are managed through our incident process.
On-premises option. Customers requiring zero external data egress can run DocFlow's AI entirely within their own environment.

Documented frameworkOur AI Governance Framework & AI Management System (AISMS), AI Ethics Policy and DocFlow AI DPIA are available to customers, prospects and auditors — see Policies & Documents.

Defence in depth

Security practices

Our security controls operate under our ISO/IEC 27001-certified Information Security Management System and are layered across our platforms and services.

Hosting & infrastructure

Mastercopy does not operate its own physical datacentre. Production services are hosted on established cloud providers independently certified to ISO/IEC 27001 and/or SOC 2 Type II, under a shared-responsibility model. DocFlow is UK-hosted, with a fully on-premises option available.

Technical controls

Encryption. Data encrypted in transit (TLS) and at rest, with application-level AES-256-GCM available for sensitive data.
Access control. Role-based access on a least-privilege basis, multi-factor authentication, and single sign-on via Microsoft Entra ID.
Tenant isolation. Multi-tenant by design — every record is scoped to a tenant and cross-tenant access is prevented at the data layer.
Network. Public traffic fronted by a certified edge with TLS, DDoS protection and a web application firewall; internal traffic uses private networking.
Audit logging. Append-only, tamper-evident audit logging of system and AI activity, retained for 12 months (configurable for regulated clients).
Resilience. Managed-platform automated backups and recovery; multiple independent providers reduce single-supplier dependency.

Built securely

Secure development

Software is built under a documented Secure Development Lifecycle (SDLC) operating within our ISMS, with security and privacy considered from the design stage.

Peer review. Every code change is independently peer-reviewed via pull request before it is merged to production, giving a recorded, auditable approval.
Application security testing (SAST/DAST). Code is scanned in CI by our SecKey harness — static analysis (Semgrep), secret detection (gitleaks) and dependency/configuration scanning (Trivy) gate merges on high-severity findings, with dynamic testing (OWASP ZAP) against deployed applications and results reported to GitHub code scanning.
Separated environments. Development, testing and production are kept separate, with changes deployed through an automated pipeline with rollback.
Dependency management. Third-party dependencies are monitored for known vulnerabilities.
Patching. High-risk and critical security updates are applied within 14 days in line with Cyber Essentials.
Secrets management. Credentials and secrets are held in managed stores, never in source code.

Prepared

Incident response

Security and AI incidents are managed through a defined incident process within our ISMS.

Suspected incidents are reported, logged and triaged for severity and personal-data involvement.
Incidents are escalated by severity, contained and investigated, with corrective actions verified before closure.
Where personal data is involved, our breach process applies, including assessment against the UK GDPR 72-hour threshold for notifying the ICO and affected parties.
AI incidents are integrated into our overall incident response, supported by audit logging.

Evidence

Policies & documents

The following are available to support due diligence. Public policies are linked directly; governance documents are available to customers, prospects and auditors on request (those marked confidential under NDA).

Privacy PolicyHow we handle personal data

Public

Cookie PolicyUse of cookies on our website

Public

TermsTerms of business

Public

AI Governance Framework & AISMSMC-AISMS-001 · ISO/IEC 42001-aligned

On request

AI Ethics PolicyMC-AISMS-002

On request

DocFlow AI DPIAMC-DPIA-AI-001 · confidential

On request

Secure Development Lifecycle PolicyMC-SDLC-001

On request