Security and resilience are foundational to Entopy’s architecture. Our platform is built to operate within critical infrastructure environments and government programmes, where reliability, data integrity and operational continuity are non-negotiable. This section sets our clearly key aspects but we would encourage anyone who wishes to have further information regarding our protocols, aspects of our design and our approach to security, quality assurance and resilience, to contact info@entopy.com.

Secure by design:

Entopy is designed and engineered in line with UK NCSC Secure by Design principles and aligned to the Cyber Assessment Framework (CAF).

We are Cyber Essentials Plus certified and regularly undergo external security review where required by clients. Our architecture is distributed and modular. Each AI micromodel and data system communicates via secure, authenticated APIs, enabling: (i) Isolation of components in the event of failure; (ii) Rapid revocation of access where required; (iii) Controlled data exchange across systems; (iv) Reduced blast radius in the event of disruption.

Security is built into the system architecture, not layered on afterwards.

Deployment and infrastructure:

Every customer is deployed onto a dedicated, production-ready instance of the Entopy platform.

Each deployment includes Separate development, test and production environments; Full tenant isolation; Secure API integration layer; Controlled access policies.

Deployments are hosted on Amazon Web Services (AWS) as standard, but Entopy is cloud agnostic and can deploy on alternative cloud infrastructure where required by client policy.

Our distributed architecture ensures resilience through component isolation, fault tolerance and the ability to isolate and remediate individual services without impacting the wider system.

Data access & control:

Entopy uses TLS 1.3 encryption over HTTPS for all data in transit, with secure RESTful APIs protected by OAuth2.0. All development follows NCSC Secure by Design principles, aligned to the Cyber Assessment Framework, guaranteeing secure governance, auditability, and risk management. Data is exchanged in open formats (JSON, XML, CSV) via well-documented APIs.

Entopy’s platform enforces strict data segmentation at both infrastructure and application levels. Each customer deployment operates within an isolated environment, with logical and policy-based controls governing access to datasets, services and interfaces. Within deployments, access to data is further controlled through role- and attribute-based permissions to ensure users only access information aligned to their responsibilities. This ensures that commercial sensitive and confidential information can be securely controlled.

In addition to technical segmentation, Entopy applies layered abstraction to protect sensitive operational data. Raw source data remains controlled within secure environments, while derived intelligence outputs, such as aggregated metrics, forecasts, or scenario impacts, can be shared more broadly where appropriate. This approach reduces exposure of sensitive datasets while enabling collaboration, decision-making and cross-organisational coordination.

By separating raw data from decision-grade outputs, Entopy supports both security and operational effectiveness without compromising data integrity or governance requirements.

Data ownership and stewardship:

Entopy is founded on the principle that customers retain ownership and control of their data. Operational and source datasets provided to the platform remain the customer’s asset, and our role is that of a trusted steward, processing and analysing data solely to deliver agreed services and Unified Intelligence.

We design our architecture and governance practices to ensure that data remains under client control, with clear boundaries around access, usage and retention. Derived insights and analytics are generated to support operational decision-making, while respecting the integrity, confidentiality and ownership of underlying data assets.

Business continuity and disaster recovery:

Entopy’s platform is designed to maintain operational continuity under adverse conditions. Automated backups, defined recovery procedures and environment-level isolation ensure that data integrity is protected, and services can be restored rapidly in the event of disruption. Recovery objectives are agreed per deployment, with disaster recovery processes documented, tested and periodically reviewed. Continuous monitoring and alerting enable early detection of anomalies, while structured incident response procedures ensure issues are isolated, remediated and communicated in a controlled and transparent manner.

Regulatory & AI Governance Compliance:

Entopy operates in alignment with applicable UK regulatory and data protection requirements, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where deployments interact with European jurisdictions, we support alignment with the EU AI Act and associated data protection frameworks. Our AI governance approach emphasises transparency, human oversight, risk management and proportionality, reflecting emerging global AI regulatory standards. We work closely with clients to ensure each deployment aligns with their sector-specific regulatory obligations, assurance frameworks and internal governance policies.

Through secure development practices, rigorous quality assurance and continuous improvement, Entopy ensures that every deployment remains robust, auditable and fit for mission-critical decision-making. Security controls, performance monitoring and resilience testing are embedded throughout the platform lifecycle, from design and development to live operations and ongoing enhancement. This disciplined approach ensures that Entopy not only meets current security and resilience requirements, but evolves alongside emerging risks, regulatory expectations and operational demands.