Compliance
Trust Center
Horaizon Ltd acts as a data processor when building and operating AI systems on behalf of our clients. This page summarises how we handle personal data, the safeguards we apply, and the rights available to data subjects.
We process business contact data, query and prompt content, conversation logs, and documents fed into client AI systems — solely to deliver the services specified in each client engagement. Data is never sold or used outside the agreed scope.
Protection
Security measures
Encryption
TLS 1.2+ for all data in transit; AES-256 for data at rest across all storage layers.
Access controls
Role-based access control (RBAC) and multi-factor authentication (MFA) enforced on all production systems.
Backups
Daily encrypted backups with documented recovery procedures and regular restoration tests.
Secure development
Security reviews built into our SDLC, automated dependency scanning, and annual penetration testing.
Third parties
Approved sub-processors
We engage the following sub-processors under binding data processing agreements. Transfers outside the UK/EU are covered by Standard Contractual Clauses (SCCs).
| Sub-processor | Purpose | Location |
|---|---|---|
| Qdrant | Vector database (RAG storage) | EU |
| Amazon Web Services | Cloud hosting & compute | UK / EU |
| Microsoft Azure | Cloud hosting & compute | EU |
| Mistral AI | LLM inference | EU |
Your rights
Data subject rights
Where Horaizon processes data under a client's instruction, rights requests should be directed to that client (the controller). We assist controllers in fulfilling verified requests within 72 hours.
Access & portability
Request a copy of personal data we hold or have processed on your behalf.
Rectification & erasure
Request correction or deletion of inaccurate or no-longer-necessary data.
Restriction
Request that we pause processing while a dispute is resolved.
Incidents
Breach notification
In the event of a personal data breach, we will notify the relevant controller within 36 hours of becoming aware, in accordance with UK GDPR Article 33. Notification will include the nature of the breach, categories and approximate number of data subjects affected, and recommended remediation steps.
Need a Data Processing Agreement?
We provide a signed DPA to all clients on request. Get in touch and we'll turn it around promptly.