Compliance Documentation

Data Protection Impact Assessment

Article 35 UK GDPR  |  Version 1.0  |  Last updated: 29 May 2026

ICO Registered Data Controller

CourtCraft Advocate Ltd — ICO Registration No. ZB812547

Verify on ICO Register → | ICO Sandbox →

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a process required under Article 35 of the UK GDPR when processing is likely to result in a high risk to individuals' rights and freedoms. It helps organisations identify and minimise data protection risks before processing begins. The ICO requires a DPIA for processing that involves systematic processing of special category data, use of new technologies, or large-scale processing of sensitive personal data.

1

Overview and Purpose of This DPIA

This Data Protection Impact Assessment (DPIA) has been prepared by CourtCraft Advocate Ltd in accordance with Article 35 of the UK General Data Protection Regulation (UK GDPR) and the guidance issued by the Information Commissioner's Office (ICO).

A DPIA is required where processing is likely to result in a high risk to the rights and freedoms of individuals. CourtCraft Advocate processes special category personal data (Article 9 UK GDPR) — including information about family law proceedings, domestic abuse, health, and financial vulnerability — using AI-assisted tools. This combination of special category data and AI processing triggers the DPIA requirement.

ICO Registration

CourtCraft Advocate Ltd — ICO Registration No. ZB812547

Verify on ICO Register →

⚠️ DPIA Status

This DPIA is a living document. It was first prepared in May 2026 and will be reviewed annually or whenever a significant change to processing activities occurs. It must be reviewed and signed off by a qualified Data Protection Officer (DPO) before full commercial launch.

2

Description of Processing Activities

CourtCraft Advocate processes personal data through the following activities:

AI-Assisted Legal Guidance

High Risk

Users submit queries about their family law proceedings. These queries are processed by AI language models (Anthropic Claude, OpenAI GPT) to generate legal guidance. Queries may contain special category data including domestic abuse disclosures, health information, and financial vulnerability.

Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(f) legal claims

DASH Domestic Abuse Risk Gate

Medium Risk

A deterministic (non-AI) decision tree screens all user inputs for domestic abuse indicators before any AI processing occurs. This gate operates on pattern matching only — no AI inference is applied to domestic abuse disclosures.

Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(g) substantial public interest

Case Data Storage

High Risk

Users store case details, court dates, timeline events, documents, and communications in their secure vault. This data is stored in Supabase (EU data centres) with row-level security.

Legal basis: Article 6(1)(b) contract performance; Article 9(2)(a) explicit consent

Document Generation

High Risk

AI tools generate court documents (position statements, witness statements, chronologies) based on user-provided case data. Generated documents may contain special category data.

Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(f) legal claims

McKenzie Friend Session Booking

Low Risk

Users book paid McKenzie Friend support sessions. Booking data (name, contact details, session type) is processed via Calendly and Stripe.

Legal basis: Article 6(1)(b) contract performance

Analytics and Platform Improvement

Low Risk

Anonymised usage data is collected via Google Analytics (where consent is given) to improve platform features.

Legal basis: Article 6(1)(a) consent; Article 6(1)(f) legitimate interests

3

Necessity and Proportionality

CourtCraft Advocate has assessed the necessity and proportionality of each processing activity against the purposes pursued:

Data Minimisation

Users are advised not to enter third-party personal data beyond what is strictly necessary for their own case preparation. The platform does not require users to enter health data, sexual orientation, or other sensitive data unless directly relevant to their proceedings.

Purpose Limitation

Data entered into the platform is used solely to provide the CourtCraft service. It is not used for AI model training, marketing profiling, or any secondary purpose without explicit consent.

Storage Limitation

Case and document data is retained for the duration of the subscription plus 12 months. Payment records are retained for 7 years (HMRC requirement). Security logs are retained for 12 months.

Accuracy

Users have the right to rectify inaccurate data via the GDPR Compliance Centre in their dashboard. AI-generated content is clearly labelled as AI-generated and must be reviewed by the user before use.

Security

All data is encrypted at rest and in transit (TLS 1.3). Row-level security is applied at the database level. Access controls restrict data access to the authenticated user only.

4

Risk Identification and Assessment

The following risks have been identified and assessed:

RiskLikelihoodSeverityResidual RiskMitigation
Unauthorised access to special category dataLowHighLowRow-level security, encryption at rest/transit, MFA available, session fingerprinting
AI model generating harmful or inaccurate legal guidanceMediumHighMediumClear AI disclaimers, mandatory human review before court submission, DASH gate for domestic abuse
Domestic abuse disclosure reaching third partiesLowCriticalLowDASH gate is deterministic (non-AI), no third-party transmission of abuse disclosures, audit log
Data transfer to non-UK processors without adequate safeguardsMediumHighHIGH — UNMITIGATEDSCCs in place for most processors. IDTA with Anthropic and Voyage AI NOT YET EXECUTED — Article 46 violation active.
User enters third-party data without lawful basisMediumMediumMediumPrivacy policy warns users; platform advises minimising third-party data entry
Data breach exposing case dataLowHighLowEncryption, access controls, incident response plan, ICO breach notification within 72 hours
AI processing creating automated decisions with legal effectLowHighLowAI provides guidance only; no automated decisions are made; human review required for all outputs
Supabase data stored outside UK/EU without confirmationMediumHighHIGH — UNMITIGATEDSupabase region must be confirmed as eu-west-2 before first production data. No confirmation on record.

⚠️ Article 36 Prior Consultation Required — Unmitigated High Residual Risks Identified

This DPIA has identified 2 risks with HIGH unmitigated residual risk that cannot be reduced to an acceptable level without external action. Under Article 36 of the UK GDPR, where a DPIA indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult the ICO prior to processing.

Unmitigated Risk: Data transfer to Anthropic / Voyage AI without IDTA

Required action: Execute IDTA with Anthropic PBC and Voyage AI, or migrate to AWS Bedrock eu-west-2 / Azure UK South

Unmitigated Risk: Supabase region unconfirmed — data may be stored outside UK/EU

Required action: Confirm eu-west-2 region in Supabase dashboard before first production data

ICO Prior Consultation — Action Required

Until these risks are mitigated, CourtCraft Advocate Ltd must either: (a) consult the ICO under Article 36 before processing live user data, or (b) resolve the unmitigated risks before launch. ICO prior consultation requests are submitted via: ico.org.uk/dpia-consultation →

5

Third-Party Processors and Article 28 Compliance

Under Article 28 UK GDPR, CourtCraft Advocate must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. The following processors are engaged:

Supabase Inc.

Art. 28

Role: Database, authentication, storage

Location: EU (eu-west-1)

Transfer mechanism: SCCs + UK Addendum

DPA: supabase.com/dpa

⚠️ DPA required before launch

Anthropic PBC

Art. 28

Role: AI language model (Claude)

Location: USA

Transfer mechanism: SCCs + UK Addendum

DPA: anthropic.com/legal/data-processing-addendum

⚠️ DPA required before launch

OpenAI LLC

Art. 28

Role: AI language model, image generation

Location: USA

Transfer mechanism: SCCs + UK Addendum

DPA: openai.com/policies/data-processing-addendum

⚠️ DPA required before launch

Stripe Inc.

Art. 28

Role: Payment processing

Location: USA / EU

Transfer mechanism: SCCs (covered by Stripe Services Agreement)

DPA: stripe.com/legal/dpa

⚠️ Covered by Stripe Services Agreement

Perplexity AI Inc.

Art. 28

Role: AI-assisted legal research

Location: USA

Transfer mechanism: SCCs + UK Addendum

DPA: perplexity.ai/privacy

⚠️ DPA required before launch

Calendly LLC

Art. 28

Role: McKenzie Friend session scheduling

Location: USA

Transfer mechanism: SCCs + UK Addendum

DPA: calendly.com/dpa

⚠️ DPA required before launch

Resend Inc.

Art. 28

Role: Transactional email delivery

Location: USA

Transfer mechanism: SCCs

DPA: resend.com/legal/dpa

⚠️ DPA required before launch

Vercel Inc.

Art. 28

Role: Platform hosting and deployment

Location: USA / EU

Transfer mechanism: SCCs

DPA: vercel.com/legal/dpa

⚠️ Covered by Vercel DPA

Action Required Before Full Commercial Launch

Data Processing Agreements must be formally executed with Supabase, Anthropic, OpenAI, Perplexity, and Calendly before processing live user data at commercial scale. Standard Contractual Clauses (SCCs) with the UK Addendum must be in place for all US-based processors. Contact privacy@courtcraftadvocate.com to initiate DPA execution.

6

Consultation and Sign-Off

Under Article 35(2) UK GDPR, the data controller must seek the advice of the Data Protection Officer (DPO) when carrying out a DPIA. Under Article 36, if the DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk, the controller must consult the ICO prior to processing.

DPO Review

Pending

This DPIA must be reviewed and signed off by a qualified Data Protection Officer before full commercial launch. A DPO appointment or external DPO service engagement is required.

ICO Sandbox Application

Pending

CourtCraft Advocate should apply to the ICO Regulatory Sandbox (ico.org.uk/for-organisations/advice-for-small-organisations/ico-sandbox) to obtain regulatory guidance on the AI-assisted legal guidance use case.

ICO Prior Consultation (Article 36)

Under Assessment

Given the high-risk nature of processing special category data with AI, prior consultation with the ICO under Article 36 may be required. This will be determined following DPO review.

Annual DPIA Review

Scheduled

This DPIA will be reviewed annually (next review: May 2027) and whenever a significant change to processing activities occurs (e.g., new AI model, new data category, new processor).

DPIA Document Control

Version: 1.0 | Prepared: May 2026 | Next Review: May 2027

Prepared by: CourtCraft Advocate Ltd

Contact: privacy@courtcraftadvocate.com

7

Data Protection Officer — Appointment & Exemption Assessment

Under Article 37 of the UK GDPR, a Data Protection Officer (DPO) must be appointed where the controller carries out large-scale processing of special category data. This section documents CourtCraft Advocate Ltd's assessment of the DPO obligation.

Article 37 Trigger Assessment

N/A

Article 37(1)(a) — Public authority or body

CourtCraft Advocate Ltd is a private limited company. It is not a public authority or body. This trigger does not apply.

N/A

Article 37(1)(b) — Large-scale systematic monitoring of individuals

CourtCraft does not carry out systematic monitoring of individuals as a core activity. Analytics are limited and consent-based. This trigger does not apply.

APPLIES

Article 37(1)(c) — Large-scale processing of special category data (Article 9)

CourtCraft processes special category data (family law proceedings, domestic abuse disclosures, health information, financial vulnerability) as a core activity. The ICO guidance states that "large-scale" includes processing that covers a significant proportion of the population in a region. As a national platform, this trigger is likely to apply at commercial scale.

Conclusion: DPO Appointment Required

Based on the above assessment, CourtCraft Advocate Ltd is likely required to appoint a DPO under Article 37(1)(c) UK GDPR. The processing of special category data (domestic abuse disclosures, family law proceedings, health information) as a core platform activity at national scale triggers this obligation. Even if the "large-scale" threshold is not yet met at current user numbers, the ICO recommends appointing a DPO as best practice for any organisation processing Article 9 data.

DPO Appointment Options:

Internal DPO: Appoint a qualified employee with data protection expertise. Must have no conflict of interest with their other duties. Requires CIPP/E or equivalent qualification.
External DPO Service: Engage a specialist DPO-as-a-service provider (e.g., DPO Centre, Evalian, Protecture). Typical cost: £3,000–£8,000/year. Recommended for early-stage companies.
Voluntary DPO (if not legally required): If the legal threshold is not yet met, appoint a voluntary DPO as best practice. ICO recommends this for all Article 9 processors.

DPO Responsibilities (Article 39)

Inform and advise: Inform and advise the controller and employees of their obligations under UK GDPR
Monitor compliance: Monitor compliance with UK GDPR, DPA 2018, and other data protection provisions
DPIA advice: Provide advice on DPIAs and monitor their performance (Article 35)
ICO cooperation: Cooperate with and act as contact point for the ICO
Data subject contact: Act as contact point for data subjects exercising their rights

Current Status — May 2026

No DPO has been appointed as of May 2026. This DPIA cannot be formally signed off until a DPO has reviewed and approved it. DPO appointment is a pre-launch requirement. Recommended action: engage an external DPO service (e.g., DPO Centre at dpocentre.com or Evalian at evalian.co.uk) before first production user data is processed.

8

DUAA 2025 — Article 22B Automated Processing Documentation

Under Article 22B of the Digital Information and Smart Data Act 2025 (DUAA 2025), automated processing of Article 9 special category data — including domestic abuse case data — must be documented with technical and organisational safeguards. CourtCraft Advocate must maintain this documentation as a living document, updated on any change to automated processing activities.

⚠️ DUAA 2025 Article 22B — Living Document Obligation

This section constitutes CourtCraft Advocate's Article 22B documentation. It must be reviewed and updated whenever any automated processing activity involving Article 9 data changes — including changes to AI models, processing logic, data flows, or technical safeguards.

DASH Domestic Abuse Risk Gate

Article 9 Special Category Data

Deterministic pattern matching screen applied to all user inputs before any AI processing. Routes high-risk disclosures to crisis resources. Maintains anonymised audit log.

Lawful Basis (Article 9)

Article 9(2)(g) — substantial public interest (Domestic Abuse Act 2021, Schedule 1, para 18)

Technical Safeguards

  • Deterministic pattern matching only — no AI inference applied to domestic abuse disclosures
  • No personal identifiers stored in DASH audit log — anonymised events only
  • Non-dismissible crisis modal for CRITICAL tier
  • NSPCC (0808 800 5000) and Samaritans (116 123) displayed immediately

Organisational Safeguards

  • DASH gate operates before any AI processing — cannot be bypassed
  • Crisis resources reviewed quarterly for accuracy
  • DASH audit log reviewed by DPO on appointment

AI-Assisted Legal Guidance (Live Chat)

Article 9 Special Category Data

AI language model (Anthropic Claude) processes user queries to generate UK family law procedural guidance. May process special category data disclosed in chat including domestic abuse details, health information, and financial vulnerability.

Lawful Basis (Article 9)

Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims

Technical Safeguards

  • DASH gate pre-screening before every AI call
  • Article 9 special category data detection with automatic enhanced audit logging
  • No AI model training on user data (zero data retention API tier)
  • Session-scoped processing only — no cross-session data aggregation
  • special_category=TRUE flag on all stored session records containing Article 9 data

Organisational Safeguards

  • Mandatory session opening disclaimer on every chat session
  • Legal advice boundary enforcement — no outcome prediction or strategy advice
  • Safety escalation protocol with emergency contact display
  • Purpose limitation: Article 9 data used only for active case guidance

AI Document Generation (Document Builder)

Article 9 Special Category Data

AI language model generates court documents based on user-provided case data. Documents may contain special category data including domestic abuse allegations, health information, and financial vulnerability.

Lawful Basis (Article 9)

Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims

Technical Safeguards

  • special_category=TRUE flag automatically set on vault records when Article 9 data detected
  • Enhanced audit logging with special_category_flag=true and lawful_basis recorded
  • Data minimisation: AI instructed not to include special category data beyond what is strictly necessary
  • No cross-case data aggregation in document generation

Organisational Safeguards

  • Mandatory AI disclaimer on all generated documents
  • Human review required before court submission
  • Document version control — all versions retained
  • Article 9(2)(f) basis documented in every audit log entry

pgvector Semantic Search on Case Data

Article 9 Special Category Data

Vector embedding search across user case data for AI-assisted retrieval. Embeddings may encode special category data from case files.

Lawful Basis (Article 9)

Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims

Technical Safeguards

  • SECURITY INVOKER RLS enforcement on all pgvector tables — user-scoped search only
  • No cross-user embedding retrieval possible
  • Embeddings encrypted at rest (AES-256)
  • Embedding model (voyage-3.5) documented — no special category data used for model training

Organisational Safeguards

  • Embeddings scoped to authenticated user only — no cross-case aggregation
  • Embedding model change requires DPIA update under DUAA 2025 Article 22B
  • pgvector tables subject to same RLS policies as source data tables

DUAA 2025 Article 22B — Document Control

Version: 1.0 | Prepared: June 2026 | Status: Living Document

This section must be updated whenever: (a) a new AI model is deployed, (b) a new automated processing activity involving Article 9 data is introduced, (c) technical or organisational safeguards change, or (d) a new sub-processor processes Article 9 data.

9

Regulatory Precedents — Snap My AI and DPP Law

The following ICO enforcement decisions are directly relevant to CourtCraft Advocate's processing activities and must be referenced in any ICO Sandbox application or regulatory engagement. They demonstrate the ICO's enforcement posture on AI systems processing personal data without adequate transparency and lawful basis.

Snap My AI — ICO Enforcement (2023)

AI chatbot deployed without adequate DPIA for children

ICO Precedent

Matter

Snap Inc. deployed an AI chatbot ("My AI") to Snapchat users, including children, without conducting an adequate DPIA. The ICO issued a preliminary enforcement notice finding that Snap had failed to properly assess the risks to children posed by the AI feature before launch.

Relevance to CourtCraft

CourtCraft Advocate processes special category data (domestic abuse disclosures, family law proceedings) using AI. This precedent confirms the ICO will enforce Article 35 DPIA requirements against AI platforms processing sensitive personal data. This DPIA was prepared in direct response to this enforcement posture.

ICO Finding

Failure to identify and mitigate risks before deployment constitutes a breach of the UK GDPR accountability principle (Article 5(2)) and the DPIA obligation (Article 35). The ICO expects DPIAs to be completed before processing begins.

CourtCraft Mitigation

This DPIA was prepared prior to full commercial launch. DPO review is required before live user data is processed at commercial scale. DASH gate operates deterministically before any AI processing of domestic abuse disclosures.

DPP Law — ICO Fine (2024)

£60,000 fine for inadequate security of sensitive legal files

ICO Precedent

Matter

DPP Law Ltd, a UK law firm, was fined £60,000 by the ICO following a data breach in which client files — including highly sensitive personal injury and criminal matter files — were exposed due to inadequate security measures. The ICO found that DPP Law had failed to implement appropriate technical and organisational measures under Article 32 UK GDPR.

Relevance to CourtCraft

CourtCraft processes highly sensitive legal matter data (domestic abuse disclosures, child arrangements proceedings, financial remedy details) that is equivalent in sensitivity to the client files at issue in DPP Law. This precedent confirms the ICO will impose significant fines on legal sector organisations that fail to secure sensitive personal data.

ICO Finding

Legal sector organisations processing sensitive client data must implement security measures commensurate with the risk. The ICO specifically noted that legal matter data attracts the highest level of protection obligation under Article 32.

CourtCraft Mitigation

Row-level security (RLS) enforced via Supabase on all user data tables; pgvector embeddings protected by SECURITY INVOKER RLS enforcement (not SECURITY DEFINER); all data stored in EU data centres; Article 32 security measures documented in Section 4 of this DPIA.

📋 ICO Sandbox Application — Cite Both Precedents

Both precedents should be cited in CourtCraft Advocate's ICO Sandbox application to demonstrate regulatory awareness and to distinguish CourtCraft's compliance posture from the deficiencies identified in these enforcement actions. Citing these cases demonstrates that CourtCraft has conducted a thorough regulatory landscape review and has implemented specific mitigations in response to ICO enforcement priorities.

Reference: ICO Regulatory Sandbox →

© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.
Owner: CourtCraftAdvocate Ltd. Proprietary and confidential.