1. Where we use AI
We use AI to assist with tasks across our delivery practice: code generation, integration design suggestions, documentation, support triage, data-mapping recommendations and internal productivity. AI augments the engineering team; it does not replace engineering decision-making. Every output is reviewed by a qualified engineer before it reaches a client environment.
Our own product, PatchBuddy, is an AI agent that operates on Patchworks tenants. It runs under the same oversight rules described here when deployed against client work: an engineer approves the plan before it executes, and every action is logged.
2. Human oversight
No AI-generated code, configuration or advice is deployed to a client system without human review. An engineer is accountable for every change made on behalf of a client, regardless of which tools produced it. AI output is treated as a draft, not a deliverable.
For agentic deployments (including PatchBuddy), the agent surfaces decisions for human approval at every meaningful execution step. Read-only actions can run autonomously; anything that mutates a system requires explicit operator sign-off.
3. Client data and privacy
We do not submit client production data, credentials or personally identifiable information (PII) into public AI tools. Where AI assistance is genuinely required on client-related material, we use enterprise-grade providers with data-processing agreements that prohibit training on submitted inputs.
For features in our products that involve AI processing of customer data, we document the AI step clearly, name the provider, and surface it to the operator at the point of use. PatchBuddy replaces PII with locale-coherent fakes before any external inference call by default; the merchant can additionally select EU-hosted models on a per-turn basis where regulatory posture requires it.
4. Security
AI tools used internally and in client engagements are vetted against the same security criteria we apply elsewhere in our development environment: data residency, encryption in transit and at rest, access controls, audit logging and vendor-side compliance posture. Access is limited to authorised team members.
Where an engagement has bespoke security requirements (regulated industries, high-sensitivity data), we agree the AI toolchain explicitly at scoping rather than defaulting to the tools we use for general work.
5. Transparency
Clients can ask about AI involvement in any specific deliverable. We will tell you which tools were used, at what point in the work, and what an engineer reviewed before the output reached your environment. This is part of the audit trail we maintain on every engagement.
6. Continuous review
The AI tools and the policy that governs them are reviewed regularly. Where the model landscape, the regulatory landscape or the threat landscape moves, we update our posture and update this page. The date at the top of the policy reflects the most recent review.
7. Contact
Questions about how we use AI on your engagement, or about this policy generally, should be directed to [email protected] or via the contact page.