When you work with Eden Metrics, you’re inviting us into the operational heart of your business. We take that seriously. This page sets out how we approach security, compliance, privacy, and AI governance – both as a business in our own right, and through the platforms we build on.
We work primarily with the platforms monday.com and Make.com. Both are independently certified to the highest international standards. Where relevant, we’ve linked directly to their documentation so you can verify everything for yourself.
Security
Data minimisation. We only collect and process the personal and business data needed to deliver our services. We don’t ask for information we don’t need, and we don’t keep it longer than necessary.
Access controls. Access to client data within our own tools and systems is role-based and reviewed regularly. Only the people who need access to your information have it.
Device security. All devices used by Eden Metrics personnel are protected by up-to-date operating systems, encryption, and endpoint security software.
Incident response. In the unlikely event of a security incident affecting your data, we will notify you promptly and work transparently with you to resolve it. We maintain a clear internal incident response procedure for this purpose.

monday.com Security Credentials
monday.com is one of the world’s most security-mature SaaS platforms, trusted by more than 245,000 organisations globally. When your data lives in monday.com, it is protected by enterprise-grade infrastructure.
Key security standards and certifications:
- ISO/IEC 27001:2022 – Information security management
- ISO/IEC 27017:2015 – Cloud security controls
- ISO/IEC 27018:2019 – Protection of personal data in the cloud
- ISO/IEC 27032:2023 – Cybersecurity
- ISO/IEC 27701:2019 – Privacy information management
- SOC 1 Type II, SOC 2 Type II, and SOC 3 – Independent audit of security controls
- CSA STAR – Cloud Security Alliance certification
- 99.99% uptime SLA – Enterprise-grade reliability
- All data is encrypted at rest and in transit
Make.com Security Credentials
Make.com (formerly Integromat) is the automation platform we use to build the intelligent workflows that connect your tools and processes. Security is built into the platform architecture.
Key security standards and certifications:
- ISO/IEC 27001 – Information security management
- All data is encrypted at rest and in transit
- Role-based access controls within workspaces and scenarios
- Regular third-party penetration testing
Compliance

UK GDPR. As a UK-registered business processing personal data, we comply fully with the UK General Data Protection Regulation and the Data Protection Act 2018. We act as a data processor on behalf of clients where applicable, and as a data controller for data we collect directly (such as enquiry and contact data).
Data Processing Agreements. If your organisation requires a formal Data Processing Agreement (DPA) as part of your supplier onboarding process, we are happy to provide one. Please get in touch to request this.
Sub-processors. We use a small number of carefully selected sub-processors to deliver our services, including monday.com, Make.com, and Zoho Sign. We ensure that each sub-processor operates to appropriate data protection standards.
Contracts. All client engagements are covered by a written service agreement, structured for legal clarity under the laws of England and Wales.
monday.com Compliance
monday.com maintains an extensive compliance programme covering the major international and regional frameworks.
Privacy regulations:
- UK GDPR and EU GDPR compliant
- CCPA (California Consumer Privacy Act) compliant
- HIPAA – Business Associate Agreement available for qualifying organisations
- Canada’s PIPEDA compliant
- Brazil’s LGPD compliant
- EU-US Data Privacy Framework participant
Audit reports:
- SOC 1 Type II, SOC 2 Type II, and SOC 3 reports available on request via monday.com’s compliance hub
- DORA (Digital Operational Resilience Act) resources available for EU financial sector clients
Make.com Compliance
- EU GDPR compliant – with Data Processing Agreement available
- Data residency options – EU-based data processing is available for organisations that require data to remain within the European Economic Area
- GDPR-compliant sub-processor agreements in place with all platform partners
Privacy
We believe privacy is a matter of respect, not just regulation. Here is a straightforward account of how we handle personal data.
What we collect. We collect contact information provided through our website, discovery calls, and client onboarding processes. This includes names, email addresses, job titles, and business details. Where we are engaged to deliver services using your business systems, we may process additional data as defined in our service agreement.
Why we collect it. We use your data to deliver our services, communicate with you about your engagement, send relevant updates and insights (with your consent), and fulfil our legal and contractual obligations.
How long we keep it. We retain client data for the duration of the engagement and for a reasonable period thereafter, in line with our legal obligations and legitimate business interests. Contact and marketing data is kept only while you remain an active contact or subscriber.
Your rights. As a data subject under UK GDPR, you have the right to access, correct, delete, or port your personal data. You can exercise any of these rights by contacting us.
Third-party processors. Your data may be processed by monday.com and Make.com as part of service delivery. Both operate to the standards described in the Compliance section above. A full list of our sub-processors is available on request.

AI Governance

AI is moving fast. The questions clients ask us most often are not “can AI do this?” but “should it?” and “what happens to our data when it does?” These are exactly the right questions. Here is where we stand.
Human judgement stays in the loop. We use AI tools to make our consultants sharper, faster, and more informed. We do not use AI to replace professional judgement on client decisions. Every recommendation we make is reviewed and owned by a human.
Your data is not training data. We do not feed client data, client system configurations, or client business information into AI training pipelines – our own or anyone else’s. Full stop.
Transparency by default. If AI has been used in the production of a deliverable – whether that’s a workflow design, a document, or a strategic recommendation – we will tell you. You have a right to know.
Responsible automation design. When we build automation scenarios for clients using Make.com or monday.com’s AI features, we apply a data minimisation principle: automations are designed to access only the data they genuinely need to function. We do not build workflows that aggregate or expose sensitive data unnecessarily.
Continuous review. The AI landscape is evolving rapidly. We review our own AI usage practices regularly and update our approach as standards and guidance develop, including guidance from the ICO (Information Commissioner’s Office) on AI and data protection.
monday.com AI Governance
monday.com has published a dedicated AI Trust Center outlining their principles and controls for AI features across the platform.
Key commitments from monday.com on AI:
- AI features are opt-in – they are not activated without user or administrator consent
- Customer data is not used to train third-party AI models
- Enterprise-grade governance controls are available for organisations with stricter AI policies
- monday.com’s AI features operate within the same security and compliance framework as the rest of the platform
Make.com AI Governance
Make.com supports integrations with a wide range of AI services, including OpenAI, Anthropic (Claude), and others. When we build AI-powered scenarios for clients, the data that flows through those integrations is governed by:
- The permissions and data scopes we configure within the scenario – which we design with data minimisation in mind
- Make.com’s own data processing standards (ISO 27001 certified)
- The data processing terms of the specific AI provider used
We will always discuss the data implications of any AI integration with you before it is built or activated.
Get in Touch
Have a question about how we handle your data, or need specific compliance documentation for your supplier onboarding process? We’re straightforward to deal with – just ask.
