Security & data

Built for businesses that read the small print.

An AI service handling IT for UK SMEs has to take security seriously. Here is exactly how we handle your data, your credentials, and your trust.

Principle

UK data residency

Tickets, logs and embeddings are stored in the AWS London region (eu-west-2). Backups stay within the UK.

Principle

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Per-tenant encryption keys, rotated quarterly.

Principle

Zero standing access

We hold no admin credentials for your systems. Each action requests a short-lived, scoped token, used once, then revoked.

Principle

Model isolation

Your prompts and ticket data are never used to train a model. Inference runs against your tenant only, with strict context boundaries.

Principle

Immutable audit log

Every prompt, tool call, and credential use is written to a tamper-evident log you can export at any time.
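The tamper-evident property described above is usually built with a hash chain: each record carries the hash of the record before it, so altering or removing any entry breaks every hash after it. The following is an added example of that construction, not AlwaysOnIT's code; the field names, event kinds, the GENESIS sentinel and the sample entries are assumptions for illustration.

```python
"""Hash-chained, tamper-evident audit log.

Added example, not AlwaysOnIT's code. Each record carries the SHA-256 of the
record before it, so editing or removing any entry breaks every hash after it,
and an exported chain can be re-verified by the customer without trusting the
exporter. Field names, event kinds and the sample entries are constructed.
"""
from __future__ import annotations

import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # assumed prev_hash sentinel for the first record


def _canonical(record: dict[str, Any]) -> bytes:
    """Deterministic bytes for hashing: same content -> same digest."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(record: dict[str, Any]) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: list[dict[str, Any]] = []

    def append(self, tenant: str, kind: str, detail: dict[str, Any]) -> dict[str, Any]:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "tenant": tenant,
            "kind": kind,  # e.g. "prompt", "tool_call", "credential_use"
            "detail": detail,
            "prev_hash": prev,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def head(self) -> str:
        """Hash of the latest record; publish or sign this out of band."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def export(self) -> str:
        return json.dumps(self.records)


def verify_chain(exported: str, expected_head: str | None = None) -> tuple[bool, int | None]:
    """Re-derive every hash in an export.

    Returns (True, None) if the chain is intact, else (False, seq) where seq is
    the first record that fails. The chain alone cannot detect truncation of
    the tail, so pass the independently known head hash to catch that too.
    """
    records = json.loads(exported)
    prev = GENESIS
    for seq, record in enumerate(records):
        if record.get("seq") != seq or record.get("prev_hash") != prev:
            return False, seq
        if _digest(record) != record.get("hash"):
            return False, seq
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)  # records are missing after the last one present
    return True, None


def demo() -> dict[str, Any]:
    """Constructed sample: three events, then a modified copy and a truncated copy."""
    log = AuditLog()
    log.append("acme", "prompt", {"text": "reset MFA for j.smith"})
    log.append("acme", "credential_use", {"scope": "user.mfa.reset", "ttl_s": 60})
    log.append("acme", "tool_call", {"tool": "entra.reset_mfa", "target": "j.smith"})
    clean = log.export()
    head = log.head()

    modified = json.loads(clean)
    modified[1]["detail"]["scope"] = "directory.write_all"  # rewrite history
    truncated = json.loads(clean)[:-1]  # drop the last event

    return {
        "clean": verify_chain(clean, head),
        "modified": verify_chain(json.dumps(modified), head),
        "truncated_unanchored": verify_chain(json.dumps(truncated)),
        "truncated_anchored": verify_chain(json.dumps(truncated), head),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The caveat worth checking when you evaluate any "tamper-evident" export: a hash chain proves nothing about records removed from the end. Truncation is only detectable if the latest head hash is also made available independently (signed, published, or sent to you on a schedule), which is why `verify_chain` takes an `expected_head`.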

Principle

Approvals for risky actions

Mass changes, deletions, and off-boarding require an in-band approval from a named admin on your side before they execute.

Compliance posture

Aligned, not certified — and we say so.

We design to UK GDPR, the NCSC Cyber Assessment Framework, and the Cyber Essentials control set. We are working through formal certification and will publish dated evidence on this page as it lands. We will not claim certifications we don't hold.

UK GDPR · Aligned
Cyber Essentials · In progress, Q3 2026
ISO 27001 · Roadmap, 2027

Sub-processors

We use a small set of vetted sub-processors: AWS (UK), Anthropic & OpenAI (with zero data-retention agreements), Stripe (payments), and Postmark (transactional email). The full list, with locations and purposes, is in our DPA.

Trust & safety

How the agent decides what to do.

The service is built around a small number of safety rules that apply to every conversation. They define what the agent will attempt, what it will decline, and how it behaves when an outcome is uncertain.

Refuses unsafe actions

Requests that are unsafe, irreversible at scale, or capable of causing data loss are declined. This includes tenant-wide deletions, backup destruction, encryption key changes, and live ransomware response. The agent states the reason and stops.

Safe, repeatable work only

The agent works from a fixed set of tested procedures. The same issue is resolved the same way every time, against supported platforms, with each step logged. Anything outside that set is treated as out of scope rather than improvised.

Certainty before speed

When a diagnosis is ambiguous, the agent gathers more information before acting. Speed is a feature of the service, not a target that overrides safety. If certainty cannot be reached, the agent says so plainly rather than guessing.

In practice — every action is preceded by a stated intent, runs against a short-lived scoped credential, and is followed by a verification step. If verification fails, the change is reverted and the conversation continues with what is known. Nothing is left in an unverified state.
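The lifecycle just described (stated intent, a single-use scoped credential, execution, read-back verification, revert on failure) is the same mechanism the "zero standing access" principle above relies on. Here it is as one runnable Python example; it is an added illustration, not AlwaysOnIT's code. The token broker, the `device:<host>:write` scope naming and the in-memory device API are assumptions, and the host that silently drops writes is constructed to exercise the revert path.

```python
"""Action lifecycle: intent, single-use scoped token, execute, verify, revert.

Added example, not AlwaysOnIT's code. The broker, the scope naming and the
in-memory device API are assumptions; the host that drops writes is constructed.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Any


@dataclass
class Token:
    value: str
    scope: str
    expires_at: float
    used: bool = False


class TokenBroker:
    """Issues tokens valid for one scope, one use, and a short TTL."""

    def __init__(self, ttl_s: float = 30.0) -> None:
        self.ttl_s = ttl_s
        self._live: dict[str, Token] = {}

    def issue(self, scope: str) -> Token:
        tok = Token(secrets.token_urlsafe(32), scope, time.monotonic() + self.ttl_s)
        self._live[tok.value] = tok
        return tok

    def consume(self, value: str, scope: str) -> bool:
        """Validate and burn a token; any mismatch fails closed."""
        tok = self._live.get(value)
        if tok is None or tok.used or tok.scope != scope:
            return False
        if time.monotonic() > tok.expires_at:
            return False
        tok.used = True  # single use: a replay of the same value is refused
        return True

    def revoke(self, value: str) -> None:
        self._live.pop(value, None)


class DeviceStore:
    """Stand-in for a managed device's config API (constructed)."""

    def __init__(self, config: dict[str, dict[str, Any]], broker: TokenBroker,
                 dropped_hosts: set[str] | None = None) -> None:
        self.config, self.broker = config, broker
        self.dropped = dropped_hosts or set()

    def read(self, host: str, key: str) -> Any:
        return self.config[host].get(key)

    def write(self, host: str, key: str, value: Any, token: str) -> bool:
        if not self.broker.consume(token, f"device:{host}:write"):
            return False  # wrong scope, expired, or already used
        if host in self.dropped:
            return True  # API acknowledges but the change never lands
        self.config[host][key] = value
        return True


def run_action(broker: TokenBroker, store: DeviceStore,
               host: str, key: str, new_value: Any) -> dict[str, Any]:
    """Intent -> scoped token -> write -> read-back verify -> revert on failure."""
    scope = f"device:{host}:write"
    result: dict[str, Any] = {"intent": f"set {key} on {host} to {new_value!r}",
                              "applied": False, "verified": False, "reverted": False}
    before = store.read(host, key)  # snapshot for the revert path
    tok = broker.issue(scope)
    try:
        result["applied"] = store.write(host, key, new_value, tok.value)
        result["verified"] = result["applied"] and store.read(host, key) == new_value
        if not result["verified"]:
            rtok = broker.issue(scope)  # the first token is already burned
            try:
                store.write(host, key, before, rtok.value)
            finally:
                broker.revoke(rtok.value)
            result["reverted"] = store.read(host, key) == before
    finally:
        broker.revoke(tok.value)  # never leave a live credential behind
    result["final"] = store.read(host, key)
    result["token_reusable"] = broker.consume(tok.value, scope)
    return result


def demo() -> dict[str, dict[str, Any]]:
    broker = TokenBroker(ttl_s=30.0)
    store = DeviceStore({"pc-01": {"dns": ["10.0.0.2"]}, "pc-02": {"dns": ["10.0.0.2"]}},
                        broker, dropped_hosts={"pc-02"})
    new_dns = ["10.0.0.2", "10.0.0.3"]
    return {"healthy": run_action(broker, store, "pc-01", "dns", new_dns),
            "dropped": run_action(broker, store, "pc-02", "dns", new_dns)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two details matter in practice. The revert needs its own token, because the one used for the change is burned on first use; and verification must read the effective state back rather than trust the API's acknowledgement, which is exactly what the dropped-write host in the sample exposes.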

Security

Frequently asked questions

How do you protect user accounts?

AlwaysOnIT uses modern, industry-standard security practices to protect accounts, including secure authentication, email verification, and access controls.

Do users need to verify their email address?

Yes. All users must verify their email address before gaining access. This prevents the use of fake or unauthorised accounts.

Is multi-factor authentication (MFA) supported?

Yes. Users can optionally enable multi-factor authentication to add an extra layer of protection to their account.

What happens if someone tries to guess my password?

Login attempts are rate-limited. After multiple failed attempts, the account is temporarily locked as a security precaution.
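As an added example of how such throttling is typically implemented (not AlwaysOnIT's code, and the threshold, window and lockout duration are assumptions), the guard below counts failures in a sliding window and locks the key for a fixed period once the threshold is hit:

```python
"""Failed-login throttling with a temporary lockout.

Added example, not AlwaysOnIT's code. The threshold, window and lockout
duration are assumptions; the sample timeline is constructed. Keys are
whatever the caller chooses (account, source IP, or both).
"""
from __future__ import annotations

from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures: int = 5, window_s: float = 300.0,
                 lockout_s: float = 900.0) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        self._locked_until: dict[str, float] = {}

    def check(self, key: str, now: float) -> tuple[bool, float]:
        """Call before verifying the password. Returns (allowed, retry_after_s)."""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            # Lockout expired: clear it and the failures that caused it.
            del self._locked_until[key]
            self._failures.pop(key, None)
        return True, 0.0

    def record_failure(self, key: str, now: float) -> bool:
        """Record a bad password. Returns True if this failure triggers a lockout."""
        q = self._failures[key]
        q.append(now)
        while q and q[0] <= now - self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def demo() -> list[tuple[float, str]]:
    """Constructed timeline: five bad passwords in five seconds, then two retries."""
    guard = LoginGuard(max_failures=5, window_s=300.0, lockout_s=900.0)
    key = "acct:j.smith|ip:203.0.113.7"
    events: list[tuple[float, str]] = []
    for t in range(5):
        locked = guard.record_failure(key, float(t))
        events.append((float(t), "locked" if locked else "failure"))
    for t in (100.0, 904.0):
        allowed, retry = guard.check(key, t)
        events.append((t, "allowed" if allowed else f"denied, retry in {retry:.0f}s"))
    return events


if __name__ == "__main__":
    for t, outcome in demo():
        print(f"t={t:>5.0f}s  {outcome}")
```

The key is the design decision that matters: locking on the account name alone lets anyone who knows a username lock its owner out, so the guard is normally keyed on account plus source address, backed by the CAPTCHA step the next answer describes. The response for an unknown account should be indistinguishable from a locked one, so the endpoint does not reveal which usernames exist.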

Do you protect against automated or bot attacks?

Yes. CAPTCHA protection is used during sign-up, login attempts after repeated failures, and password reset requests to prevent automated attacks.

How are passwords reset?

Password resets are handled securely via email. AlwaysOnIT does not reset passwords manually and cannot access user passwords.

Can AlwaysOnIT staff access my account?

No. AlwaysOnIT staff do not access user accounts or user data. Access is controlled entirely by each company's administrators.

Is payment information stored securely?

Yes. Payment details are handled by trusted third-party payment providers. AlwaysOnIT does not store card or PayPal details directly.

Get started

Open a chat. The AI picks up before the second ring — every time.

No onboarding calls. No sales process. Connect your devices and start raising tickets in under ten minutes.