Data Residency, Encryption and Access Controls for AI Employees
How managed AI employees handle data residency, encryption at rest and in transit, and role-based access controls to meet UK compliance standards.

Struan
When you deploy an AI employee into your business, it processes your data — customer records, financial transactions, employee information, commercial correspondence. The security of that data is not optional. It is a legal obligation under UK GDPR, a commercial necessity for client trust, and a reputational imperative.
This article explains how managed AI employees from Struan handle the three pillars of data security: where your data lives, how it is protected, and who can access it.
Data Residency: Where Your Data Lives
Why Data Residency Matters
Data residency refers to the physical and legal jurisdiction where your data is stored and processed. For UK businesses, this matters for several reasons:
- UK GDPR compliance: Personal data transferred outside the UK must be protected by adequate safeguards. The UK has its own adequacy decisions separate from the EU, and transferring data to jurisdictions without adequacy status requires additional legal mechanisms.
- Client contracts: Many B2B contracts include data residency clauses requiring that data remains within the UK or EEA.
- Sector regulations: Financial services, healthcare, legal, and government sectors often have specific data localisation requirements.
- Practical sovereignty: If your data is stored in a jurisdiction with different legal frameworks, foreign government access requests could apply to your business data.
How Struan Handles Data Residency
All Struan AI employee deployments use UK-based infrastructure by default:
- Primary data processing occurs in UK data centres (London and Edinburgh regions)
- Data at rest is stored exclusively within the UK unless you explicitly request otherwise
- Backup and disaster recovery infrastructure is also UK-based
- No data is transferred to third-country jurisdictions without your documented consent and appropriate safeguards
For businesses with specific residency requirements — for example, clients in the EU who require EEA residency, or multinational operations with regional data requirements — we configure residency on a per-deployment basis with full documentation.
Encryption: How Your Data Is Protected
Encryption in Transit
Every data transmission between your systems and the AI employee is encrypted using TLS 1.2 or higher. This applies to:
- API calls between your business applications and the AI employee
- Data synchronisation with your CRM, accounting platform, or HR system
- Email and document transfers processed by the AI employee
- Internal communication between AI employee components
TLS ensures that data cannot be read or altered in transit, even if network traffic is captured.
Encryption at Rest
All data stored by the AI employee is encrypted at rest using AES-256 encryption — the same standard used by banks and government agencies:
- Database encryption: All structured data (customer records, transaction logs, configuration data) is encrypted at the storage level using AES-256.
- File encryption: Documents, invoices, CVs, and other files processed by the AI employee are encrypted before storage.
- Backup encryption: All backups are encrypted with keys separate from those used for primary storage, so that a compromised backup cannot expose live data.
- Key management: Encryption keys are managed through a dedicated key management service with automatic rotation. Keys are stored separately from the data they protect.
End-to-End Encryption for Sensitive Workflows
For particularly sensitive data — payroll information, health records, legal documents — we offer end-to-end encryption where data is encrypted at your premises and only decrypted within the secure processing environment. This means even Struan infrastructure administrators cannot access the plaintext data.
Access Controls: Who Can Reach Your Data
The Principle of Least Privilege
Every AI employee deployment follows the principle of least privilege: the AI employee only has access to the specific data and systems it needs to perform its defined role. Nothing more.
This is implemented through multiple layers:
- Application-level permissions: When the AI employee connects to your CRM, accounting platform, or HR system, it is granted specific API scopes. A finance AI employee connected to Xero, for example, might have read/write access to invoices and bank reconciliation but no access to payroll or user administration.
- Data-level filtering: Within permitted systems, the AI employee can be restricted to specific data subsets. For example, a customer support AI employee might only access tickets from a specific queue or product line.
- Action-level controls: The AI employee’s permitted actions are explicitly defined. It might be authorised to create invoices but not approve payments, or to draft email responses but not send them without human approval.
- Time-based access: For sensitive operations, access can be restricted to business hours or specific time windows.
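The four layers above can be read as one default-deny decision made in order. The following is an added illustration, not Struan's code: the policy shape, the scope, subset and action names, and the Monday-to-Friday 08:00 to 18:00 window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Policy:
    scopes: frozenset      # application-level: granted (resource, access) pairs
    subsets: frozenset     # data-level: data subsets the employee may touch
    actions: dict          # action-level: action -> "allow" | "needs_approval"
    windowed: frozenset    # time-based: actions limited to the window below
    window: tuple = (time(8, 0), time(18, 0))  # assumed business hours, Mon-Fri

def decide(p, resource, access, action, subset, when, approved=False):
    """Evaluate the four layers in order; anything not granted is denied."""
    if (resource, access) not in p.scopes:
        return "deny", "scope not granted"
    if subset not in p.subsets:
        return "deny", "data subset not permitted"
    rule = p.actions.get(action)
    if rule is None:
        return "deny", "action not defined"
    if action in p.windowed:
        start, end = p.window
        if when.weekday() >= 5 or not (start <= when.time() < end):
            return "deny", "outside time window"
    if rule == "needs_approval" and not approved:
        return "hold", "human approval required"
    return "allow", "ok"

# Hypothetical policy for the finance example; every name is illustrative.
FINANCE = Policy(
    scopes=frozenset({("invoices", "write"), ("bank_reconciliation", "write"),
                      ("correspondence", "write")}),
    subsets=frozenset({"uk-ledger"}),
    actions={"create_invoice": "allow", "send_email": "needs_approval"},
    windowed=frozenset({"create_invoice"}),
)
```

Because `approve_payment` is never listed in `actions`, it is denied even though the invoice scope is granted, and `send_email` returns `hold` until a human sets `approved=True`.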
Role-Based Access Control (RBAC)
Access to the AI employee’s management interface and audit logs is controlled through role-based access:
- Administrator: Full access to configuration, monitoring, and audit logs. Typically limited to your IT lead or operations manager.
- Manager: Access to performance dashboards, exception queues, and workflow configuration. For the team that oversees the AI employee’s work.
- Viewer: Read-only access to dashboards and reports. For stakeholders who need visibility without control.
- Auditor: Access to audit logs and compliance reports without access to operational data. For internal audit or compliance teams.
Multi-Factor Authentication
All human access to AI employee management systems requires multi-factor authentication (MFA). We support:
- Time-based one-time passwords (TOTP) via authenticator apps
- Hardware security keys (FIDO2/WebAuthn)
- Integration with your existing identity provider (Azure AD, Okta, Google Workspace) via SAML or OIDC
Audit Trails and Monitoring
Comprehensive Logging
Every action taken by the AI employee is logged with:
- Timestamp (UTC)
- Action type (read, create, update, delete)
- Data objects accessed or modified
- Source system and destination system
- Outcome (success, failure, exception)
Logs are immutable — they cannot be modified or deleted, even by administrators. They are retained for a minimum of 12 months and can be extended to meet your compliance requirements.
Real-Time Monitoring and Alerting
Automated monitoring watches for security-relevant events:
- Unusual access patterns (e.g., accessing data outside normal processing hours)
- Failed authentication attempts
- Changes to access permissions or configuration
- Data volume anomalies (e.g., unusually large data exports)
- Integration errors that might indicate compromised connections
Alerts are sent to your designated security contact via email, Slack, or Microsoft Teams within minutes of detection.
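As an added example (not Struan's monitoring code), the rules below run over records carrying the five logged fields listed earlier and flag four of the monitored event types. The thresholds, processing hours and the `permission:`/`config:` object prefixes are assumptions, and repeated non-success outcomes from one source stand in for failed authentication and integration errors.

```python
from datetime import datetime, timedelta, timezone

HOURS = range(7, 20)                                # assumed processing hours, UTC
MAX_OBJECTS = 200                                   # assumed per-action ceiling
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)   # assumed thresholds
SENSITIVE = ("permission:", "config:")              # assumed object naming

def rec(ts, action, objects, source, outcome="success"):
    """Build one record with the five logged fields (destination fixed)."""
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "action": action, "objects": objects, "source": source,
            "destination": "ai-employee", "outcome": outcome}

def detect(records):
    """Return (timestamp, rule) alerts in time order."""
    alerts, failures = [], {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"].hour not in HOURS:
            alerts.append((r["ts"], "out_of_hours"))
        if r["action"] in ("create", "update", "delete") and any(
                o.startswith(SENSITIVE) for o in r["objects"]):
            alerts.append((r["ts"], "permission_or_config_change"))
        if len(r["objects"]) > MAX_OBJECTS:
            alerts.append((r["ts"], "volume_anomaly"))
        if r["outcome"] != "success":
            # Keep only failures from this source inside the sliding window.
            recent = [t for t in failures.get(r["source"], [])
                      if r["ts"] - t <= FAIL_WINDOW] + [r["ts"]]
            failures[r["source"]] = recent
            if len(recent) == FAIL_LIMIT:   # alert once when the limit is hit
                alerts.append((r["ts"], "repeated_failures"))
    return alerts

# Constructed sample log, not real data.
SAMPLE = [
    rec("2024-03-04T10:15:00", "read", ["invoice:1001"], "xero"),
    rec("2024-03-04T02:30:00", "read", ["invoice:1002"], "xero"),
    rec("2024-03-04T11:00:00", "update", ["permission:finance-role"], "admin-ui"),
    rec("2024-03-04T11:05:00", "read", [], "crm", "failure"),
    rec("2024-03-04T11:06:00", "read", [], "crm", "failure"),
    rec("2024-03-04T11:07:00", "read", [], "crm", "exception"),
    rec("2024-03-04T12:00:00", "read", [f"customer:{i}" for i in range(500)], "crm"),
]

def alert_rules(records=SAMPLE):
    return [rule for _, rule in detect(records)]
```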
Compliance Certifications and Standards
Struan’s infrastructure and processes align with recognised security standards:
- ISO 27001: Information security management system covering all aspects of data handling
- Cyber Essentials Plus: UK government-backed certification for cyber security fundamentals
- SOC 2 Type II: Independent verification of security, availability, and confidentiality controls
- UK GDPR: Full compliance with data protection principles, including data minimisation, purpose limitation, and data subject rights
We provide a detailed security pack on request, including our data processing agreement, sub-processor list, and technical security measures documentation.
Incident Response
In the event of a security incident, Struan’s incident response process includes:
- Detection: Automated monitoring identifies the incident and triggers the response team.
- Containment: Affected systems are isolated to prevent further exposure.
- Notification: You are notified within 24 hours of confirmed incidents, well within the 72-hour UK GDPR requirement. For high-severity incidents, notification is immediate.
- Investigation: Root cause analysis determines what happened, what data was affected, and how to prevent recurrence.
- Remediation: Fixes are implemented and verified. A full incident report is provided to you.
Practical Steps for Your Business
When evaluating any AI employee provider’s security posture, ask these questions:
- Where is my data stored, and can you guarantee UK residency?
- What encryption standards do you use for data in transit and at rest?
- How are encryption keys managed and rotated?
- What access does the AI employee have, and how is it restricted?
- Who on your team can access my data, and under what circumstances?
- How are access logs maintained, and can I audit them?
- What certifications do you hold, and when were they last audited?
- What is your incident response process and notification timeline?
Struan provides clear, documented answers to every one of these questions before deployment begins.
Learn more about Struan’s security and compliance framework — or request our full security documentation pack.