Information Security, Governance & Ethics
Telali Ltd implements industry-standard security safeguards and governance frameworks, ensuring that citizen records, donor details, and proprietary codebases remain completely protected.
1. Information Security Controls
We align our operations with ISO/IEC 27001 controls. Our security model includes:
- Access Control: Strict Multi-Factor Authentication (MFA) on all developer consoles, domain registries, and repository settings.
- Data Encryption: All sensitive configurations and API secrets are encrypted using robust KMS keys or stored in secure vaults (Azure Key Vault, GCP Secret Manager).
- Code Quality & Vulnerability Scans: Continuous deployment pipelines run static code analysis and automated dependency auditing (npm audit, Snyk) to block vulnerabilities.
2. Data Protection Controls (GDPR)
We operate under the UK Data Protection Act 2018. We strictly limit personal data processing:
- Data Minimization: We do not log client database PII within our support logs.
- Hosting Boundaries: All cloud hosting and backups are configured within UK or EU data centers by default.
- Retention Schedules: System telemetry logs are scrubbed and cycled every 30 days automatically.
3. AI Governance & Ethical Principles
As we build Generative AI and Retrieval-Augmented Generation (RAG) platforms, we strictly enforce ethical guidelines:
- All enterprise API contracts opt out of sharing customer documents with AI vendors for model optimization.
- RAG applications display source citations for generated answers, allowing human auditors to verify claims.
- Critical automated actions (such as email dispatch or payment triggering) always require explicit human approval.
- We configure local open-weight models (Llama.cpp) on-premises for legal, charity, or public sectors needing 100% data confinement.
4. Incident Management Process
Our security incident response protocol is structured into three direct phases:
- Continuous SRE logging flags anomalies. High-priority errors trigger SMS/Teams alerts to the Principal Architect instantly.
- Deploy hotfixes or roll back code via automated deployment pipelines. Isolate affected sub-services if necessary to prevent lateral access.
- In the event of a personal data breach, we commit to notifying the relevant client organization and the ICO within 72 hours.
5. Business Continuity & Disaster Recovery
We minimize business disruption by ensuring that all codebases, architecture configurations, and secrets are stored in redundant, version-controlled remote systems:
- Infrastructure as Code: Since all server topologies are defined via Terraform, we can rebuild the entire cloud environment in an alternate region in less than 4 hours.
- Redundant Backups: Database instances are configured with automated daily snapshots, Multi-AZ replication, and point-in-time recovery.
- Outage Resiliency: Static sites are hosted globally on Cloudflare edge networks, ensuring 99.99% availability even during regional server failures.
Security Contact
To report security vulnerabilities, request security compliance documentation, or inquire about data audits, please reach out to our security officer:
Ahmed Patel
Principal Systems Architect & Information Security Lead
