Regulatory Compliance

Compliance Summary

For investors, regulators, and due diligence — CourtCraft Advocate Ltd

ICO Registration No. ZB812547  |  Last updated: May 2026

Executive Compliance Summary

CourtCraft Advocate Ltd — UK GDPR & Regulatory Compliance Status

Overall Compliance Progress65%
30 Complete8 In Progress8 Pending

ZB812547

ICO Registration

Verified

Active

DASH Safety Gate

40+ patterns

4 of 6

Data Subjects Rights

Implemented

0 of 7

Processor DPAs

Executed (pending)

⚠️ Pre-Launch Requirements

The following items must be completed before full commercial launch to ensure UK GDPR compliance:

Appoint a qualified Data Protection Officer (DPO)

Critical

Execute Article 28 DPA with Supabase Inc.

Critical

Execute Article 28 DPA with Anthropic PBC

Critical

Execute Article 28 DPA with OpenAI LLC

Critical

Execute Article 28 DPA with Stripe Inc.

High

Execute Article 28 DPA with Resend Inc.

High

Execute Article 28 DPA with Perplexity AI

High

Execute Article 28 DPA with Calendly LLC

High

Complete Records of Processing Activities (RoPA) under Article 30

High

Implement Right to Restriction (Article 18) workflow

Medium

Implement Right to Object (Article 21) workflow

Medium

DPO review and sign-off of DPIA

Critical

ICO Registration

2/3 complete

Data Controller Registration

Complete

Registered with ICO under ZB812547

View →

Data Protection Officer

In Progress

DPO appointment in progress — required before full commercial launch

ICO Sandbox Engagement

Complete

ICO Regulatory Sandbox referenced (not SRA — CourtCraft is not a regulated legal firm)

UK GDPR Documentation

5/5 complete

Privacy Policy

Complete

Full UK GDPR-compliant privacy policy published

View →

DPIA (Article 35)

Complete

Data Protection Impact Assessment published and linked from footer

View →

Legitimate Interests Assessment

Complete

LIA completed for all Article 6(1)(f) processing activities

View →

Article 33 Breach Notification Procedure

Complete

72-hour ICO notification workflow and internal incident log implemented

View →

Records of Processing Activities (RoPA)

Complete

Full Article 30 RoPA published — 10 processing activities documented with legal basis, data categories, retention periods, and third-party processors

View →

Data Subject Rights

6/6 complete

Right of Access (Article 15)

Complete

Full data export (JSON) available via GDPR Compliance Centre in dashboard

Right to Erasure (Article 17)

Complete

Account deletion request workflow implemented with 30-day processing SLA

Right to Data Portability (Article 20)

Complete

Machine-readable JSON export of all user data available on demand

Right to Rectification (Article 16)

Complete

Profile data correction available via GDPR Compliance Centre

Right to Restriction (Article 18)

Complete

Article 18 restriction request workflow implemented in GDPR Compliance Centre — users can submit restriction requests with reason; logged to gdpr_requests table; email confirmation sent

Right to Object (Article 21)

Complete

Article 21 objection workflow implemented in GDPR Compliance Centre — users can object to legitimate interest processing and direct marketing; grounds selection and reason required; logged and email confirmation sent

Special Category Data

4/4 complete

Article 9 Explicit Consent Modal

Complete

Shown to all new users before any special category data is processed

DASH Domestic Abuse Safety Gate

Complete

Deterministic (non-AI) gate with 40+ patterns; CRITICAL tier blocks AI and shows non-dismissible crisis modal with NSPCC (0808 800 5000) and Samaritans (116 123)

DASH Audit Log

Complete

Anonymised DASH screening events logged for regulatory compliance

Special Category Data Encryption

Complete

All data encrypted at rest (AES-256) and in transit (TLS 1.3) via Supabase

Processor Agreements (Art. 28)

0/7 complete

Supabase Inc. — DPA

In Progress

DPA available at supabase.com/dpa — must be executed before full launch

View →

Anthropic PBC — DPA

In Progress

Data Processing Addendum available — must be executed before full launch

View →

OpenAI LLC — DPA

In Progress

Data Processing Addendum available — must be executed before full launch

View →

Stripe Inc. — DPA

In Progress

Stripe Data Processing Agreement available — must be executed

View →

Resend Inc. — DPA

In Progress

DPA required for transactional email processing

Perplexity AI — DPA + PII Stripping

In Progress

No Article 28 DPA executed. PII-stripping implemented as interim measure — all personal data stripped before Perplexity API calls. DPA required before full launch.

Calendly LLC — DPA

In Progress

DPA available at calendly.com/legal/dpa

View →

AI Governance

8/8 complete

AI Disclaimer & Limitations

Complete

Clear AI disclaimers on all AI-generated content; mandatory human review before court submission

No Automated Decision-Making

Complete

No Article 22 automated decisions with legal effect — all AI output requires human review

AI Safety Institute Clarification

Complete

Platform correctly identifies ICO (not AISI) as the relevant regulator

Embedding Model (voyage-3.5)

Complete

voyage-3.5 configured as active embedding model; pgvector storage implemented

Court of Protection Hard Block

Complete

AI agent hard-coded to refuse Court of Protection / MCA 2005 matters and display Official Solicitor referral

Public Law PLO Detection + Legal Aid Gate

Complete

AI agent detects care proceedings / PLO triggers and displays mandatory legal aid gate before any guidance

BAILII Unreported Cases Disclosure

Complete

Mandatory disclosure added to all AI responses citing case law: results represent reported principles only — the majority of family court decisions are never published

Perplexity PII Stripping

Complete

PII-stripping function implemented in legal-research API route — removes names, postcodes, phone numbers, email addresses, case references, NI numbers, and addresses before every Perplexity call

Legal Compliance

5/5 complete

McKenzie Friend Guidance Accuracy

Complete

Corrected per McKenzie v McKenzie [1970]; Legal Services Act 2007 boundaries accurate

SRA Sandbox References Removed

Complete

All SRA sandbox references removed — CourtCraft is not a regulated legal firm

ICO Registration Displayed

Complete

ZB812547 displayed in Privacy Policy, DPIA, consent modal, and GDPR widget

Terms of Service

Complete

UK-law governed terms with accurate McKenzie Friend and liability provisions

View →

Non-Restoration Principle Warning

Complete

Onboarding Step 1 now displays mandatory warning that consumer AI use constitutes irreversible confidentiality breach that cannot be restored by any subsequent DPA

External Legal Actions Required

0/8 complete

Voyage AI — IDTA / Article 46 Transfer Mechanism

Pending

REQUIRED BEFORE LAUNCH: Voyage AI has no EU/UK region. An International Data Transfer Agreement (IDTA) is required under Article 46 UK GDPR for special category data. Resolution options: (1) Execute IDTA with Voyage AI; (2) Route via Azure UK South deployment; (3) Self-host on AWS eu-west-2. Current direct API call to api.voyageai.com is an Article 46 violation for special category data.

Anthropic PBC — IDTA + UK-US Data Bridge Trigger Clause

Pending

REQUIRED BEFORE LAUNCH: Anthropic API is used directly (not via AWS Bedrock). An IDTA is required with 4 non-standard terms including an automatic trigger clause for UK-US Data Bridge suspension. Anthropic Schedule B.3 special category amendment required. Estimated cost: £2,000–£4,000 legal fees. Alternative: migrate to AWS Bedrock eu-west-2.

Tiered Data Architecture Enforcement

Pending

ARCHITECTURAL REQUIREMENT: Report mandates Tier 1 (divorce/financial remedy) via AWS Bedrock eu-west-2 only; Tier 2 (child arrangements) with human review gate; Tier 3 (domestic abuse/PD12J/CAFCASS) via Mac Studio M4 Max local processing ONLY — never cloud API. Currently all AI requests route through the same API regardless of data sensitivity. Tier 3 prohibition is architecturally violated for DASH-flagged cases.

Supabase Region Confirmation (eu-west-2)

Pending

IRREVERSIBLE DECISION: Supabase region must be confirmed as eu-west-2 (London) before first production client data. This decision cannot be changed after data is stored. Confirm region in Supabase dashboard and document as Gate Evidence G1. No confirmation on record.

Professional Indemnity & Cyber Insurance

Pending

REQUIRED BEFORE PHASE 2 (first production client data): E&O (Errors & Omissions) and Cyber Liability insurance must be bound. Recommended brokers: Insure24, Lockton. This is a hard gate before accepting paying clients with live case data.

LSA 2007 Written Legal Opinion

Pending

REQUIRED BEFORE LAUNCH: A written legal opinion from a qualified solicitor confirming CourtCraft's activities are non-reserved under the Legal Services Act 2007. Estimated cost: £3,500. This opinion is required for investor due diligence and regulatory credibility. Not yet commissioned.

TNA Computational Analysis Licence

Pending

REQUIRED BEFORE RAG CORPUS CONSTRUCTION: A licence from The National Archives (TNA) is required before using the TNA Find Case Law API for RAG corpus construction. BAILII Terms of Service prohibit bulk downloading. No TNA licence has been applied for.

Phase 0 Kill-Switch Test (Gate Evidence G11)

Pending

REQUIRED BEFORE LAUNCH: Documented Phase 0 kill-switch test comparing voyage-3.5 vs voyage-law-2 vs Qwen3 8B on 3 UK family court documents with 30 queries. Results must be logged as Gate Evidence G11. No test has been conducted or documented.

Regulatory Contacts

Data Controller

CourtCraft Advocate Ltd

ICO Reg. ZB812547

Privacy Contact

privacy@courtcraftadvocate.com

Data subject rights requests

ICO Supervisory Authority

Information Commissioner's Office

ico.org.uk | 0303 123 1113

ICO Breach Portal

ico.org.uk/for-organisations/report-a-breach/

72-hour notification window