Regulatory Compliance
Compliance Summary
For investors, regulators, and due diligence — CourtCraft Advocate Ltd
ICO Registration No. ZB812547 | Last updated: May 2026
Executive Compliance Summary
CourtCraft Advocate Ltd — UK GDPR & Regulatory Compliance Status
ZB812547
ICO Registration
Verified
Active
DASH Safety Gate
40+ patterns
4 of 6
Data Subjects Rights
Implemented
0 of 7
Processor DPAs
Executed (pending)
⚠️ Pre-Launch Requirements
The following items must be completed before full commercial launch to ensure UK GDPR compliance:
Appoint a qualified Data Protection Officer (DPO)
CriticalExecute Article 28 DPA with Supabase Inc.
CriticalExecute Article 28 DPA with Anthropic PBC
CriticalExecute Article 28 DPA with OpenAI LLC
CriticalExecute Article 28 DPA with Stripe Inc.
HighExecute Article 28 DPA with Resend Inc.
HighExecute Article 28 DPA with Perplexity AI
HighExecute Article 28 DPA with Calendly LLC
HighComplete Records of Processing Activities (RoPA) under Article 30
HighImplement Right to Restriction (Article 18) workflow
MediumImplement Right to Object (Article 21) workflow
MediumDPO review and sign-off of DPIA
CriticalICO Registration
2/3 completeData Protection Officer
In ProgressDPO appointment in progress — required before full commercial launch
ICO Sandbox Engagement
CompleteICO Regulatory Sandbox referenced (not SRA — CourtCraft is not a regulated legal firm)
UK GDPR Documentation
5/5 completeLegitimate Interests Assessment
CompleteLIA completed for all Article 6(1)(f) processing activities
View →Article 33 Breach Notification Procedure
Complete72-hour ICO notification workflow and internal incident log implemented
View →Records of Processing Activities (RoPA)
CompleteFull Article 30 RoPA published — 10 processing activities documented with legal basis, data categories, retention periods, and third-party processors
View →Data Subject Rights
6/6 completeRight of Access (Article 15)
CompleteFull data export (JSON) available via GDPR Compliance Centre in dashboard
Right to Erasure (Article 17)
CompleteAccount deletion request workflow implemented with 30-day processing SLA
Right to Data Portability (Article 20)
CompleteMachine-readable JSON export of all user data available on demand
Right to Rectification (Article 16)
CompleteProfile data correction available via GDPR Compliance Centre
Right to Restriction (Article 18)
CompleteArticle 18 restriction request workflow implemented in GDPR Compliance Centre — users can submit restriction requests with reason; logged to gdpr_requests table; email confirmation sent
Right to Object (Article 21)
CompleteArticle 21 objection workflow implemented in GDPR Compliance Centre — users can object to legitimate interest processing and direct marketing; grounds selection and reason required; logged and email confirmation sent
Special Category Data
4/4 completeArticle 9 Explicit Consent Modal
CompleteShown to all new users before any special category data is processed
DASH Domestic Abuse Safety Gate
CompleteDeterministic (non-AI) gate with 40+ patterns; CRITICAL tier blocks AI and shows non-dismissible crisis modal with NSPCC (0808 800 5000) and Samaritans (116 123)
DASH Audit Log
CompleteAnonymised DASH screening events logged for regulatory compliance
Special Category Data Encryption
CompleteAll data encrypted at rest (AES-256) and in transit (TLS 1.3) via Supabase
Processor Agreements (Art. 28)
0/7 completeSupabase Inc. — DPA
In ProgressDPA available at supabase.com/dpa — must be executed before full launch
View →Anthropic PBC — DPA
In ProgressData Processing Addendum available — must be executed before full launch
View →OpenAI LLC — DPA
In ProgressData Processing Addendum available — must be executed before full launch
View →Resend Inc. — DPA
In ProgressDPA required for transactional email processing
Perplexity AI — DPA + PII Stripping
In ProgressNo Article 28 DPA executed. PII-stripping implemented as interim measure — all personal data stripped before Perplexity API calls. DPA required before full launch.
AI Governance
8/8 completeAI Disclaimer & Limitations
CompleteClear AI disclaimers on all AI-generated content; mandatory human review before court submission
No Automated Decision-Making
CompleteNo Article 22 automated decisions with legal effect — all AI output requires human review
AI Safety Institute Clarification
CompletePlatform correctly identifies ICO (not AISI) as the relevant regulator
Embedding Model (voyage-3.5)
Completevoyage-3.5 configured as active embedding model; pgvector storage implemented
Court of Protection Hard Block
CompleteAI agent hard-coded to refuse Court of Protection / MCA 2005 matters and display Official Solicitor referral
Public Law PLO Detection + Legal Aid Gate
CompleteAI agent detects care proceedings / PLO triggers and displays mandatory legal aid gate before any guidance
BAILII Unreported Cases Disclosure
CompleteMandatory disclosure added to all AI responses citing case law: results represent reported principles only — the majority of family court decisions are never published
Perplexity PII Stripping
CompletePII-stripping function implemented in legal-research API route — removes names, postcodes, phone numbers, email addresses, case references, NI numbers, and addresses before every Perplexity call
Legal Compliance
5/5 completeMcKenzie Friend Guidance Accuracy
CompleteCorrected per McKenzie v McKenzie [1970]; Legal Services Act 2007 boundaries accurate
SRA Sandbox References Removed
CompleteAll SRA sandbox references removed — CourtCraft is not a regulated legal firm
ICO Registration Displayed
CompleteZB812547 displayed in Privacy Policy, DPIA, consent modal, and GDPR widget
Terms of Service
CompleteUK-law governed terms with accurate McKenzie Friend and liability provisions
View →Non-Restoration Principle Warning
CompleteOnboarding Step 1 now displays mandatory warning that consumer AI use constitutes irreversible confidentiality breach that cannot be restored by any subsequent DPA
External Legal Actions Required
0/8 completeVoyage AI — IDTA / Article 46 Transfer Mechanism
PendingREQUIRED BEFORE LAUNCH: Voyage AI has no EU/UK region. An International Data Transfer Agreement (IDTA) is required under Article 46 UK GDPR for special category data. Resolution options: (1) Execute IDTA with Voyage AI; (2) Route via Azure UK South deployment; (3) Self-host on AWS eu-west-2. Current direct API call to api.voyageai.com is an Article 46 violation for special category data.
Anthropic PBC — IDTA + UK-US Data Bridge Trigger Clause
PendingREQUIRED BEFORE LAUNCH: Anthropic API is used directly (not via AWS Bedrock). An IDTA is required with 4 non-standard terms including an automatic trigger clause for UK-US Data Bridge suspension. Anthropic Schedule B.3 special category amendment required. Estimated cost: £2,000–£4,000 legal fees. Alternative: migrate to AWS Bedrock eu-west-2.
Tiered Data Architecture Enforcement
PendingARCHITECTURAL REQUIREMENT: Report mandates Tier 1 (divorce/financial remedy) via AWS Bedrock eu-west-2 only; Tier 2 (child arrangements) with human review gate; Tier 3 (domestic abuse/PD12J/CAFCASS) via Mac Studio M4 Max local processing ONLY — never cloud API. Currently all AI requests route through the same API regardless of data sensitivity. Tier 3 prohibition is architecturally violated for DASH-flagged cases.
Supabase Region Confirmation (eu-west-2)
PendingIRREVERSIBLE DECISION: Supabase region must be confirmed as eu-west-2 (London) before first production client data. This decision cannot be changed after data is stored. Confirm region in Supabase dashboard and document as Gate Evidence G1. No confirmation on record.
Professional Indemnity & Cyber Insurance
PendingREQUIRED BEFORE PHASE 2 (first production client data): E&O (Errors & Omissions) and Cyber Liability insurance must be bound. Recommended brokers: Insure24, Lockton. This is a hard gate before accepting paying clients with live case data.
LSA 2007 Written Legal Opinion
PendingREQUIRED BEFORE LAUNCH: A written legal opinion from a qualified solicitor confirming CourtCraft's activities are non-reserved under the Legal Services Act 2007. Estimated cost: £3,500. This opinion is required for investor due diligence and regulatory credibility. Not yet commissioned.
TNA Computational Analysis Licence
PendingREQUIRED BEFORE RAG CORPUS CONSTRUCTION: A licence from The National Archives (TNA) is required before using the TNA Find Case Law API for RAG corpus construction. BAILII Terms of Service prohibit bulk downloading. No TNA licence has been applied for.
Phase 0 Kill-Switch Test (Gate Evidence G11)
PendingREQUIRED BEFORE LAUNCH: Documented Phase 0 kill-switch test comparing voyage-3.5 vs voyage-law-2 vs Qwen3 8B on 3 UK family court documents with 30 queries. Results must be logged as Gate Evidence G11. No test has been conducted or documented.
Regulatory Contacts
Data Controller
CourtCraft Advocate Ltd
ICO Reg. ZB812547
Privacy Contact
privacy@courtcraftadvocate.com
Data subject rights requests
ICO Supervisory Authority
Information Commissioner's Office
ico.org.uk | 0303 123 1113
ICO Breach Portal
ico.org.uk/for-organisations/report-a-breach/
72-hour notification window