Tenders demand trust.
Your pipeline, tender packs and pricing are commercially sensitive. This page sets out exactly how we protect them, in plain English: stored in the UK, encrypted everywhere, and never used to train AI models.
How we earn it.
No badge-waving. These are the practices built into Jonty from day one, each one verifiable in how the product behaves.
Your data stays yours.
We never use your data to train AI models. We never sell it or share it with marketers, advertisers or data brokers. Your bid intelligence stays private and under your control.
Stored in the UK.
Jonty runs on AWS in London. Your records, tender documents, recordings and backups all live in the UK. The AI that reads tender packs runs in the EU, and our code refuses to run it anywhere else.
Encrypted by default.
Your data is encrypted in transit with TLS and at rest with AES-256. Tender documents go further: each company vault has its own dedicated encryption key, cryptographically separating your documents from everyone else’s.
Isolated by design.
Every query is scoped to your company. For tender documents and credentials, isolation is also enforced by the database itself with row-level security, a second line of defence beneath the application.
Scanned before it’s stored.
Every uploaded document lands in quarantine and is malware-scanned before it enters your workspace. Previews render in our own viewer; we never hand your documents to third-party viewing services.
Locked down by default.
Our internal services accept no public traffic and our databases sit in private subnets. Secrets live in a managed vault, never in code. Card details never touch our servers; Stripe handles payment.
The detail, for your due diligence.
The specifics most security questionnaires ask about, answered up front.
Data residency
- Our backend, databases and document storage run in the AWS London region (eu-west-2). Your data is stored in the UK.
- Tender-pack analysis runs on Google Cloud in the EU. The EU region is asserted in code, so it cannot quietly drift to another continent.
- Dictation audio is transcribed on our own servers inside our private network. The audio never leaves that network.
- A small number of specialist providers (live voice processing on your onboarding call, AI matching) operate outside the UK. Those transfers are covered by UK International Data Transfer Agreements or EU Standard Contractual Clauses, the providers do not retain or train on your data, and the full picture is in our Privacy Policy.
Encryption
- TLS on every connection between you and Jonty, and encrypted connections to our databases.
- AES-256 encryption at rest across databases and document storage.
- Per-company encryption keys (AWS KMS) for tender documents and credentials, so each company vault is sealed separately.
Access control
- Every request is scoped to your company, and tender data is additionally protected by row-level security in the database.
- The Claude connector (MCP) is read-only and secured with OAuth 2.1. You can revoke its access at any time.
- Production access is limited to the founding team. Secrets live in AWS Secrets Manager, never in code or config files.
Uploads and documents
- Uploads land in quarantine, are malware-scanned (AWS GuardDuty), and only then promoted into your workspace. Infected files never reach it.
- Anything that fails or skips scanning is purged automatically.
- Documents preview in a viewer we bundle and run ourselves. Your documents are never sent to third-party viewing services.
Retention and deletion
- Onboarding call recordings are deleted automatically after 30 days (see our Recording Policy).
- Close your account and your data is deleted within 30 days, except records we are legally required to keep.
- Databases run with deletion protection and automated daily backups.
Payments
- Checkout happens on Stripe, not on our servers. We store your customer ID, plan and subscription status, never card numbers.
Certifications, honestly.
We do not yet hold ISO 27001 or Cyber Essentials. We are an early-stage company, and rather than wave a badge we have written down exactly what we do. Formal certification will come as we grow. If your due diligence needs more than this page, email us and a founder will answer, usually the same day.
Ask us anything.
Security questionnaires, data processing agreements, or anything this page left you wondering about. Email jonty@askjonty.ai and a founder will reply.
Found a vulnerability? Tell us at the same address. We are grateful for responsible disclosure and will respond quickly.
See also our Privacy Policy and Recording Policy.