Trust & data privacy
Built for teams with trade secrets to protect
A lot of my work is for organisations that can't let their code or data leave the building. The default posture here is to keep sensitive things inside your boundary — and to prove it to your security team.
Your data stays in your boundary
Vector databases, embeddings and retrieval can run entirely inside your VPC or on-prem, with private endpoints and your own encryption keys — nothing shipped to a third-party API by default.
Claude Code that can't leak code
Claude Code via Amazon Bedrock with VPC endpoints keeps prompts and code on a private network path inside your AWS account — no public egress, IAM-scoped, and no training on your code under Commercial/Enterprise terms.
Self-hosted where it matters
Self-hosted embeddings (a TEI sidecar) keep retrieval inside your network, so sensitive documents and data are processed without leaving your infrastructure — and it's faster, too.
Governance built in
Protected branches, CI/CD approval gates, per-tenant access control, and a clear RACI for who owns review and release — so AI-generated code and AI-served answers pass the same controls as everything else.
Enterprise Claude Code & data privacy
Does Anthropic train on the code we send through Claude Code?
No — not on Commercial/Enterprise terms, and not via the API or Amazon Bedrock. I'll show your security team the exact contractual and technical settings that guarantee it, which is the difference between the enterprise tier and the consumer plan they're worried about.
Can we run Claude Code so our code never leaves our cloud?
Yes — Claude Code via Amazon Bedrock with VPC endpoints keeps prompts and code on a private network path inside your AWS account boundary, with IAM-scoped access and no public internet egress. Initial deployment is roughly a few hours of admin work, not a multi-month project.
Who owns review and release once AI is writing code?
Humans keep the gates. I set up protected branches, CI/CD approval gates and a clear RACI — who owns repo risk tiers, review gates and release approvals — so AI-generated code still passes through the same controls as anything else.
Trust, process & timelines
How do you handle our trade secrets and sensitive data?
Default to keeping data inside your boundary: VPC/on-prem deployments, no-training terms, private endpoints, and protected-branch workflows. The whole point of the Bedrock/VPC and self-hosted-embedding patterns is that sensitive code and documents never leave your control.
What are typical timelines?
An audit is ~2 weeks, a PoC sprint 2–4 weeks, and a RAG or computer-vision build 4–8 weeks depending on scope. Every fixed quote is anchored to a locked scope and a short discovery step — scope creep is what blows fixed prices.
What happens after launch?
You get the system, the eval harness and the documentation to run it. I can stay on as a fractional architect for ongoing direction and reviews, or hand over cleanly — your choice, not a lock-in.
Need the security story in writing?
Book a 15-minute call and I'll walk your security team through the deployment pattern.