Trust Pack

How Lazyleaf operates inside regulated environments.

Information security, data handling, AI model governance, and personnel practices, set out clearly so this conversation happens during scoping rather than during procurement review.

This page describes how Lazyleaf operates with respect to information security, data handling, AI model governance, and personnel practices. It is intended to support vendor evaluation and procurement review by clients in regulated and data-sensitive environments. The standards described here apply to all Lazyleaf engagements unless explicitly modified in the engagement contract.

Version 1.0. Updated as our practices evolve. For supporting documentation (insurance certificate, ICO registration, Cyber Essentials certificate, sub-processor list at engagement scope), email [email protected].

01 Certifications and insurance held today

Cyber Essentials certification. UK NCSC scheme; certified by IASME via CyberSecure365. Certificate number d07654ea-c0c0-4883-98ba-2136af99b2f4. Profile version 3.2 (Willow). Scope: whole organisation. Issued 24 April 2026; recertification due 24 April 2027.

Public liability insurance. Cover up to £1,000,000. Underwritten via Simply Business (Xbridge Limited), policy CHPR5531598XB, in force 1 May 2026 to 30 April 2027.

Professional indemnity insurance. Cover up to £1,000,000. Same policy and term as above. Where a specific engagement requires higher PI cover than the standing policy, additional cover is arranged at engagement start.

Companies House registration. Lazyleaf LTD, registered in England and Wales. Registered office: 21 Albion Terrace, Sewardstone Road, London E4 7SB. Company number 11607411.

ICO data protection registration. Reference available on request from [email protected].

Lazyleaf does not currently hold SOC 2, ISO 27001, or Cyber Essentials Plus certification. The remainder of this document describes the operating standards we apply, which are designed to be consistent with the SOC 2 Trust Services Criteria, ISO 27001 Annex A controls, UK GDPR principles, and the NIST Cybersecurity Framework. Where a client engagement requires a certified supplier, we either operate inside the client's certified environment, scope the work so that the requirement is not triggered, or signpost the gap explicitly during procurement.

02 Data handling

Lazyleaf processes client data only for the purposes defined in the engagement scope and only for the duration of the engagement plus an explicitly stated retention period.

Data classification. We classify data received from clients into three tiers: confidential (default for any client business data), restricted (regulated personal data, financial records, identifying information about individuals), and public. Confidential and restricted data is subject to the controls below.

Storage and encryption. Client data is stored by default in AWS regions eu-west-1 (Ireland) and eu-west-2 (London). Alternative regions are available on request and agreement. Data is encrypted at rest using AWS-managed keys (AES-256 minimum) and in transit using TLS 1.2 or higher. Client data is not stored on local engineer machines for periods longer than required for the active task; any working copies are held on devices with full-disk encryption (FileVault or BitLocker).

Retention and deletion. Default retention of client data is the engagement period plus 30 days, after which data is permanently deleted unless a longer retention period is specified by the client in writing. Backup copies are deleted in the next backup cycle (maximum 7 days). On request, we provide written confirmation of deletion within 14 days of completion.

Data segregation. Each client engagement is delivered in an isolated workspace. We do not commingle client data across engagements in any environment.

Access logging. All access to client data is logged at the source-system level (cloud provider audit logs, repository access logs). Logs are retained for 12 months and made available to clients on request for engagements they sponsor.

03 AI and model governance

This is the area where Lazyleaf applies the most specific controls, because it is where third-party suppliers typically introduce the most risk.

Model providers. Lazyleaf integrates with model providers including OpenAI, Anthropic, and open-source models hosted via Hugging Face Transformers or self-hosted via local inference. The model provider used in any engagement is agreed with the client in advance and documented in the engagement statement of work.

Training and fine-tuning posture. Lazyleaf does not use client data to train, fine-tune, or otherwise improve foundation models that Lazyleaf does not own or directly control. When an engagement involves fine-tuning a model on client data, the resulting model artefact is the client's property, stored in the client's tenancy or in a Lazyleaf-managed environment under the engagement contract, and is not used for any other client.

Provider data-use agreements. Lazyleaf operates under each model provider's enterprise or API data-use terms. By default, OpenAI API and Anthropic API integrations are configured for the providers' "no training on inputs" settings. We confirm this configuration in writing on engagement start.

Prompt and response logging. During development and operation, prompts sent to model providers and responses received are logged for debugging and quality purposes. Logs are stored in the engagement workspace, encrypted at rest, retained for 90 days by default, and deleted under the same retention regime as other engagement data.

Sensitive data in prompts. Where the engagement involves sending client data to a third-party model provider, the data flow is documented in writing and approved by the client before any production use. We support redaction, tokenisation, and on-premises deployment patterns where the client's data classification policy requires them.

Model documentation. For any AI system Lazyleaf delivers to a client, we provide model documentation covering intended use, training data sources (where applicable), evaluation methodology, known limitations, and the human oversight or review pattern recommended for production operation. This documentation is designed to be consistent with the principles of SR 11-7 and PRA SS1/23 model risk management for clients who operate under those regimes.

04 Access control

Authentication. All Lazyleaf staff access to client data and systems requires multi-factor authentication. Where the client provides identity (single sign-on via the client's identity provider), we operate exclusively under that identity within the client's environment.

Least privilege. Engineer access is scoped to the minimum required for the task and the duration. Standing administrative access to client environments is avoided; where elevated access is required, it is granted just-in-time and time-bounded.

Access reviews. Access to client engagement workspaces is reviewed at engagement start, at each defined milestone, and at engagement end. Off-boarding of access on engagement close occurs within 24 hours.

Personnel offboarding. When a Lazyleaf staff member leaves the company, all access to all client systems is revoked within 4 hours of termination of employment. Equipment is recovered and wiped per the personnel policy.

05 Software development lifecycle

Source control. All Lazyleaf-developed code is held in version control. Default git provider is GitHub. We operate within client-provided source control on request.

Code review. All code changes to client deliverables go through pull request review by a second engineer before merge to the engagement's main branch. Reviews check for correctness, security (input validation, secrets handling, dependency safety), and adherence to the engagement's documented architecture decisions.

Environments. Engagements operate with separated development, staging, and production environments where applicable. Production deployments go through the change control process agreed with the client at engagement start.

Secrets management. Secrets (API keys, credentials, certificates) are never committed to source control. Lazyleaf uses 1Password as the primary credential and API-key store at the company level. For engagement-specific infrastructure secrets, AWS Secrets Manager is the default. We operate within client-provided secret stores where the client environment requires it.

Dependencies. Third-party dependencies are pinned to specific versions in production. Dependency vulnerability scanning (Dependabot or equivalent) is operated on Lazyleaf-managed repositories.

06 Incident response

Definition of incident. A security incident is any event that causes or has the potential to cause unauthorised disclosure, modification, or loss of client data; unauthorised access to client systems; or a material disruption of a Lazyleaf-delivered service.

Detection. Lazyleaf-managed systems are instrumented with logging and alerting for the events most likely to indicate an incident, scoped to the engagement architecture.

Notification. In the event of a confirmed or suspected incident affecting a client engagement, Lazyleaf notifies the client's named point of contact within 24 hours of detection. The notification includes initial scope, observed impact, and the actions taken or planned.

Investigation and remediation. Lazyleaf maintains an incident log and runs a structured investigation for any confirmed incident. We deliver a written incident report to the affected client within 14 days of incident close.

Accountable person. Bogdan Codreanu, CTO, is the named accountable person for security incidents at Lazyleaf.

07 Sub-processors

The following third-party services may be used by Lazyleaf in the delivery of client engagements. The list of sub-processors used in any specific engagement is documented in the engagement statement of work. We notify clients in advance of any change to the sub-processors used for their engagement.

| Provider | Purpose | Default region | Notes |
| --- | --- | --- | --- |
| AWS | Compute, storage, networking | eu-west-1 / eu-west-2 | Alternative regions on request |
| OpenAI API | Language model inference | United States | Configured for no-training-on-inputs |
| Anthropic API | Language model inference | United States | Configured for no-training-on-inputs |
| Pinecone | Vector database | Per-engagement | Region selected per client requirement |
| ChromaDB (self-hosted) | Vector database | Per-engagement | Hosted in Lazyleaf or client tenancy |
| Hugging Face | Model hosting and inference | Per-engagement | Used for open-source model deployment |
| GitHub | Source control | United States | No client production data stored in repos by default |

08 Personnel

Geographic locations. Lazyleaf staff operate from the United Kingdom and the European Union. We do not staff engagements from jurisdictions outside this set without explicit client agreement.

Background checks. All Lazyleaf staff are right-to-work verified at hire, in line with UK employment law. All hires complete two professional reference checks. For engagements that require BPSS or DBS-level clearance, we arrange the appropriate check at engagement start and confirm completion before any access to client systems is granted.

Equipment. Staff use Lazyleaf-issued or approved equipment with full-disk encryption, automatic operating system patching, endpoint protection, and remote-wipe capability.

Training. Staff complete security awareness training annually, including phishing recognition, secrets handling, and incident reporting.

09 Business continuity

Key person dependency. Lazyleaf engagements are led by a named senior practitioner with a documented secondary contact. In the event the lead is unavailable, the secondary contact assumes responsibility for the engagement within 24 hours.

Continuity posture. Engagement workspaces, source code, and operational documentation are backed up daily and retained for 30 days. Lazyleaf operates a documented continuity plan that ensures client engagements can continue or be cleanly handed over in the event of disruption to a single staff member or system.

10 Frameworks we operate consistently with

"Consistent with" means our practices are designed to align with the principles and control intent of each framework. It does not mean Lazyleaf currently holds a certification or attestation under any framework other than Cyber Essentials.

SOC 2 Trust Services Criteria. Sections 02 (Data Handling), 04 (Access Control), 05 (SDLC), and 06 (Incident Response) are designed to align with the Security, Availability, Processing Integrity, and Confidentiality principles of the AICPA SOC 2 framework.

ISO/IEC 27001:2022. Our control areas map to Annex A control families, including A.5 (Information security policies), A.6 (Organisation of information security), A.8 (Asset management), A.9 (Access control), A.12 (Operations security), A.14 (System acquisition, development and maintenance), and A.16 (Information security incident management).

UK GDPR. Our data handling, retention, and sub-processor practices are designed to support the lawful basis, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability principles of the UK GDPR. Lazyleaf is registered with the Information Commissioner's Office.

NIST Cybersecurity Framework. The five pillars (Identify, Protect, Detect, Respond, Recover) map to the practices in this document, with strongest coverage in Identify, Protect, and Detect.

Cyber Essentials. Lazyleaf holds active Cyber Essentials certification, covering boundary firewalls, secure configuration, access control, malware protection, and patch management.

11 Certification roadmap

Lazyleaf intends to pursue formal certifications to match the assurance posture larger clients require. Current roadmap targets are reviewed when the company's commercial position supports the cost of certification, and disclosed on request.

| Certification | Target |
| --- | --- |
| Cyber Essentials Plus | 2027 H1 |
| ISO 9001 (Quality Management) | 2027 H2 |
| SOC 2 Type 1 attestation | 2028 H1 |
| ISO/IEC 27001 | 2028 H2 |

12 Contact

For procurement and security questions related to a specific engagement, or for copies of supporting documentation (insurance certificate, ICO registration, Cyber Essentials certificate, sub-processor list at engagement scope), email [email protected].

This page is published in good faith and represents Lazyleaf's operating standards as of the version date. It is not a legal contract; specific engagement obligations are governed by the engagement statement of work and any applicable data processing agreement signed with the client.

If your organisation needs to evaluate Lazyleaf as a vendor, we should talk.

We'll walk through the relevant sections and provide any supporting documentation you need.