Compliance Documentation
Data Protection Impact Assessment
Article 35 UK GDPR | Version 1.0 | Last updated: 29 May 2026
ICO Registered Data Controller
CourtCraft Advocate Ltd — ICO Registration No. ZB812547
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a process required under Article 35 of the UK GDPR when processing is likely to result in a high risk to individuals' rights and freedoms. It helps organisations identify and minimise data protection risks before processing begins. The ICO requires a DPIA for processing that involves systematic processing of special category data, use of new technologies, or large-scale processing of sensitive personal data.
Overview and Purpose of This DPIA
This Data Protection Impact Assessment (DPIA) has been prepared by CourtCraft Advocate Ltd in accordance with Article 35 of the UK General Data Protection Regulation (UK GDPR) and the guidance issued by the Information Commissioner's Office (ICO).
A DPIA is required where processing is likely to result in a high risk to the rights and freedoms of individuals. CourtCraft Advocate processes special category personal data (Article 9 UK GDPR) — including information about family law proceedings, domestic abuse, health, and financial vulnerability — using AI-assisted tools. This combination of special category data and AI processing triggers the DPIA requirement.
⚠️ DPIA Status
This DPIA is a living document. It was first prepared in May 2026 and will be reviewed annually or whenever a significant change to processing activities occurs. It must be reviewed and signed off by a qualified Data Protection Officer (DPO) before full commercial launch.
Description of Processing Activities
CourtCraft Advocate processes personal data through the following activities:
AI-Assisted Legal Guidance
High RiskUsers submit queries about their family law proceedings. These queries are processed by AI language models (Anthropic Claude, OpenAI GPT) to generate legal guidance. Queries may contain special category data including domestic abuse disclosures, health information, and financial vulnerability.
Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(f) legal claims
DASH Domestic Abuse Risk Gate
Medium RiskA deterministic (non-AI) decision tree screens all user inputs for domestic abuse indicators before any AI processing occurs. This gate operates on pattern matching only — no AI inference is applied to domestic abuse disclosures.
Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(g) substantial public interest
Case Data Storage
High RiskUsers store case details, court dates, timeline events, documents, and communications in their secure vault. This data is stored in Supabase (EU data centres) with row-level security.
Legal basis: Article 6(1)(b) contract performance; Article 9(2)(a) explicit consent
Document Generation
High RiskAI tools generate court documents (position statements, witness statements, chronologies) based on user-provided case data. Generated documents may contain special category data.
Legal basis: Article 9(2)(a) explicit consent; Article 9(2)(f) legal claims
McKenzie Friend Session Booking
Low RiskUsers book paid McKenzie Friend support sessions. Booking data (name, contact details, session type) is processed via Calendly and Stripe.
Legal basis: Article 6(1)(b) contract performance
Analytics and Platform Improvement
Low RiskAnonymised usage data is collected via Google Analytics (where consent is given) to improve platform features.
Legal basis: Article 6(1)(a) consent; Article 6(1)(f) legitimate interests
Necessity and Proportionality
CourtCraft Advocate has assessed the necessity and proportionality of each processing activity against the purposes pursued:
Data Minimisation
Users are advised not to enter third-party personal data beyond what is strictly necessary for their own case preparation. The platform does not require users to enter health data, sexual orientation, or other sensitive data unless directly relevant to their proceedings.
Purpose Limitation
Data entered into the platform is used solely to provide the CourtCraft service. It is not used for AI model training, marketing profiling, or any secondary purpose without explicit consent.
Storage Limitation
Case and document data is retained for the duration of the subscription plus 12 months. Payment records are retained for 7 years (HMRC requirement). Security logs are retained for 12 months.
Accuracy
Users have the right to rectify inaccurate data via the GDPR Compliance Centre in their dashboard. AI-generated content is clearly labelled as AI-generated and must be reviewed by the user before use.
Security
All data is encrypted at rest and in transit (TLS 1.3). Row-level security is applied at the database level. Access controls restrict data access to the authenticated user only.
Risk Identification and Assessment
The following risks have been identified and assessed:
| Risk | Likelihood | Severity | Residual Risk | Mitigation |
|---|---|---|---|---|
| Unauthorised access to special category data | Low | High | Low | Row-level security, encryption at rest/transit, MFA available, session fingerprinting |
| AI model generating harmful or inaccurate legal guidance | Medium | High | Medium | Clear AI disclaimers, mandatory human review before court submission, DASH gate for domestic abuse |
| Domestic abuse disclosure reaching third parties | Low | Critical | Low | DASH gate is deterministic (non-AI), no third-party transmission of abuse disclosures, audit log |
| Data transfer to non-UK processors without adequate safeguards | Medium | High | HIGH — UNMITIGATED | SCCs in place for most processors. IDTA with Anthropic and Voyage AI NOT YET EXECUTED — Article 46 violation active. |
| User enters third-party data without lawful basis | Medium | Medium | Medium | Privacy policy warns users; platform advises minimising third-party data entry |
| Data breach exposing case data | Low | High | Low | Encryption, access controls, incident response plan, ICO breach notification within 72 hours |
| AI processing creating automated decisions with legal effect | Low | High | Low | AI provides guidance only; no automated decisions are made; human review required for all outputs |
| Supabase data stored outside UK/EU without confirmation | Medium | High | HIGH — UNMITIGATED | Supabase region must be confirmed as eu-west-2 before first production data. No confirmation on record. |
⚠️ Article 36 Prior Consultation Required — Unmitigated High Residual Risks Identified
This DPIA has identified 2 risks with HIGH unmitigated residual risk that cannot be reduced to an acceptable level without external action. Under Article 36 of the UK GDPR, where a DPIA indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult the ICO prior to processing.
Unmitigated Risk: Data transfer to Anthropic / Voyage AI without IDTA
Required action: Execute IDTA with Anthropic PBC and Voyage AI, or migrate to AWS Bedrock eu-west-2 / Azure UK South
Unmitigated Risk: Supabase region unconfirmed — data may be stored outside UK/EU
Required action: Confirm eu-west-2 region in Supabase dashboard before first production data
ICO Prior Consultation — Action Required
Until these risks are mitigated, CourtCraft Advocate Ltd must either: (a) consult the ICO under Article 36 before processing live user data, or (b) resolve the unmitigated risks before launch. ICO prior consultation requests are submitted via: ico.org.uk/dpia-consultation →
Third-Party Processors and Article 28 Compliance
Under Article 28 UK GDPR, CourtCraft Advocate must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. The following processors are engaged:
Supabase Inc.
Art. 28Role: Database, authentication, storage
Location: EU (eu-west-1)
Transfer mechanism: SCCs + UK Addendum
DPA: supabase.com/dpa
⚠️ DPA required before launch
Anthropic PBC
Art. 28Role: AI language model (Claude)
Location: USA
Transfer mechanism: SCCs + UK Addendum
⚠️ DPA required before launch
OpenAI LLC
Art. 28Role: AI language model, image generation
Location: USA
Transfer mechanism: SCCs + UK Addendum
⚠️ DPA required before launch
Stripe Inc.
Art. 28Role: Payment processing
Location: USA / EU
Transfer mechanism: SCCs (covered by Stripe Services Agreement)
DPA: stripe.com/legal/dpa
⚠️ Covered by Stripe Services Agreement
Perplexity AI Inc.
Art. 28Role: AI-assisted legal research
Location: USA
Transfer mechanism: SCCs + UK Addendum
⚠️ DPA required before launch
Calendly LLC
Art. 28Role: McKenzie Friend session scheduling
Location: USA
Transfer mechanism: SCCs + UK Addendum
DPA: calendly.com/dpa
⚠️ DPA required before launch
Resend Inc.
Art. 28⚠️ DPA required before launch
Vercel Inc.
Art. 28Role: Platform hosting and deployment
Location: USA / EU
Transfer mechanism: SCCs
DPA: vercel.com/legal/dpa
⚠️ Covered by Vercel DPA
Action Required Before Full Commercial Launch
Data Processing Agreements must be formally executed with Supabase, Anthropic, OpenAI, Perplexity, and Calendly before processing live user data at commercial scale. Standard Contractual Clauses (SCCs) with the UK Addendum must be in place for all US-based processors. Contact privacy@courtcraftadvocate.com to initiate DPA execution.
Consultation and Sign-Off
Under Article 35(2) UK GDPR, the data controller must seek the advice of the Data Protection Officer (DPO) when carrying out a DPIA. Under Article 36, if the DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk, the controller must consult the ICO prior to processing.
DPO Review
PendingThis DPIA must be reviewed and signed off by a qualified Data Protection Officer before full commercial launch. A DPO appointment or external DPO service engagement is required.
ICO Sandbox Application
PendingCourtCraft Advocate should apply to the ICO Regulatory Sandbox (ico.org.uk/for-organisations/advice-for-small-organisations/ico-sandbox) to obtain regulatory guidance on the AI-assisted legal guidance use case.
ICO Prior Consultation (Article 36)
Under AssessmentGiven the high-risk nature of processing special category data with AI, prior consultation with the ICO under Article 36 may be required. This will be determined following DPO review.
Annual DPIA Review
ScheduledThis DPIA will be reviewed annually (next review: May 2027) and whenever a significant change to processing activities occurs (e.g., new AI model, new data category, new processor).
DPIA Document Control
Version: 1.0 | Prepared: May 2026 | Next Review: May 2027
Prepared by: CourtCraft Advocate Ltd
Contact: privacy@courtcraftadvocate.com
Data Protection Officer — Appointment & Exemption Assessment
Under Article 37 of the UK GDPR, a Data Protection Officer (DPO) must be appointed where the controller carries out large-scale processing of special category data. This section documents CourtCraft Advocate Ltd's assessment of the DPO obligation.
Article 37 Trigger Assessment
Article 37(1)(a) — Public authority or body
CourtCraft Advocate Ltd is a private limited company. It is not a public authority or body. This trigger does not apply.
Article 37(1)(b) — Large-scale systematic monitoring of individuals
CourtCraft does not carry out systematic monitoring of individuals as a core activity. Analytics are limited and consent-based. This trigger does not apply.
Article 37(1)(c) — Large-scale processing of special category data (Article 9)
CourtCraft processes special category data (family law proceedings, domestic abuse disclosures, health information, financial vulnerability) as a core activity. The ICO guidance states that "large-scale" includes processing that covers a significant proportion of the population in a region. As a national platform, this trigger is likely to apply at commercial scale.
Conclusion: DPO Appointment Required
Based on the above assessment, CourtCraft Advocate Ltd is likely required to appoint a DPO under Article 37(1)(c) UK GDPR. The processing of special category data (domestic abuse disclosures, family law proceedings, health information) as a core platform activity at national scale triggers this obligation. Even if the "large-scale" threshold is not yet met at current user numbers, the ICO recommends appointing a DPO as best practice for any organisation processing Article 9 data.
DPO Appointment Options:
DPO Responsibilities (Article 39)
Current Status — May 2026
No DPO has been appointed as of May 2026. This DPIA cannot be formally signed off until a DPO has reviewed and approved it. DPO appointment is a pre-launch requirement. Recommended action: engage an external DPO service (e.g., DPO Centre at dpocentre.com or Evalian at evalian.co.uk) before first production user data is processed.
DUAA 2025 — Article 22B Automated Processing Documentation
Under Article 22B of the Digital Information and Smart Data Act 2025 (DUAA 2025), automated processing of Article 9 special category data — including domestic abuse case data — must be documented with technical and organisational safeguards. CourtCraft Advocate must maintain this documentation as a living document, updated on any change to automated processing activities.
⚠️ DUAA 2025 Article 22B — Living Document Obligation
This section constitutes CourtCraft Advocate's Article 22B documentation. It must be reviewed and updated whenever any automated processing activity involving Article 9 data changes — including changes to AI models, processing logic, data flows, or technical safeguards.
DASH Domestic Abuse Risk Gate
Article 9 Special Category DataDeterministic pattern matching screen applied to all user inputs before any AI processing. Routes high-risk disclosures to crisis resources. Maintains anonymised audit log.
Lawful Basis (Article 9)
Article 9(2)(g) — substantial public interest (Domestic Abuse Act 2021, Schedule 1, para 18)
Technical Safeguards
- Deterministic pattern matching only — no AI inference applied to domestic abuse disclosures
- No personal identifiers stored in DASH audit log — anonymised events only
- Non-dismissible crisis modal for CRITICAL tier
- NSPCC (0808 800 5000) and Samaritans (116 123) displayed immediately
Organisational Safeguards
- DASH gate operates before any AI processing — cannot be bypassed
- Crisis resources reviewed quarterly for accuracy
- DASH audit log reviewed by DPO on appointment
AI-Assisted Legal Guidance (Live Chat)
Article 9 Special Category DataAI language model (Anthropic Claude) processes user queries to generate UK family law procedural guidance. May process special category data disclosed in chat including domestic abuse details, health information, and financial vulnerability.
Lawful Basis (Article 9)
Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims
Technical Safeguards
- DASH gate pre-screening before every AI call
- Article 9 special category data detection with automatic enhanced audit logging
- No AI model training on user data (zero data retention API tier)
- Session-scoped processing only — no cross-session data aggregation
- special_category=TRUE flag on all stored session records containing Article 9 data
Organisational Safeguards
- Mandatory session opening disclaimer on every chat session
- Legal advice boundary enforcement — no outcome prediction or strategy advice
- Safety escalation protocol with emergency contact display
- Purpose limitation: Article 9 data used only for active case guidance
AI Document Generation (Document Builder)
Article 9 Special Category DataAI language model generates court documents based on user-provided case data. Documents may contain special category data including domestic abuse allegations, health information, and financial vulnerability.
Lawful Basis (Article 9)
Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims
Technical Safeguards
- special_category=TRUE flag automatically set on vault records when Article 9 data detected
- Enhanced audit logging with special_category_flag=true and lawful_basis recorded
- Data minimisation: AI instructed not to include special category data beyond what is strictly necessary
- No cross-case data aggregation in document generation
Organisational Safeguards
- Mandatory AI disclaimer on all generated documents
- Human review required before court submission
- Document version control — all versions retained
- Article 9(2)(f) basis documented in every audit log entry
pgvector Semantic Search on Case Data
Article 9 Special Category DataVector embedding search across user case data for AI-assisted retrieval. Embeddings may encode special category data from case files.
Lawful Basis (Article 9)
Article 9(2)(f) — processing necessary for establishment, exercise, or defence of legal claims
Technical Safeguards
- SECURITY INVOKER RLS enforcement on all pgvector tables — user-scoped search only
- No cross-user embedding retrieval possible
- Embeddings encrypted at rest (AES-256)
- Embedding model (voyage-3.5) documented — no special category data used for model training
Organisational Safeguards
- Embeddings scoped to authenticated user only — no cross-case aggregation
- Embedding model change requires DPIA update under DUAA 2025 Article 22B
- pgvector tables subject to same RLS policies as source data tables
DUAA 2025 Article 22B — Document Control
Version: 1.0 | Prepared: June 2026 | Status: Living Document
This section must be updated whenever: (a) a new AI model is deployed, (b) a new automated processing activity involving Article 9 data is introduced, (c) technical or organisational safeguards change, or (d) a new sub-processor processes Article 9 data.
Regulatory Precedents — Snap My AI and DPP Law
The following ICO enforcement decisions are directly relevant to CourtCraft Advocate's processing activities and must be referenced in any ICO Sandbox application or regulatory engagement. They demonstrate the ICO's enforcement posture on AI systems processing personal data without adequate transparency and lawful basis.
Snap My AI — ICO Enforcement (2023)
AI chatbot deployed without adequate DPIA for children
Matter
Snap Inc. deployed an AI chatbot ("My AI") to Snapchat users, including children, without conducting an adequate DPIA. The ICO issued a preliminary enforcement notice finding that Snap had failed to properly assess the risks to children posed by the AI feature before launch.
Relevance to CourtCraft
CourtCraft Advocate processes special category data (domestic abuse disclosures, family law proceedings) using AI. This precedent confirms the ICO will enforce Article 35 DPIA requirements against AI platforms processing sensitive personal data. This DPIA was prepared in direct response to this enforcement posture.
ICO Finding
Failure to identify and mitigate risks before deployment constitutes a breach of the UK GDPR accountability principle (Article 5(2)) and the DPIA obligation (Article 35). The ICO expects DPIAs to be completed before processing begins.
CourtCraft Mitigation
This DPIA was prepared prior to full commercial launch. DPO review is required before live user data is processed at commercial scale. DASH gate operates deterministically before any AI processing of domestic abuse disclosures.
DPP Law — ICO Fine (2024)
£60,000 fine for inadequate security of sensitive legal files
Matter
DPP Law Ltd, a UK law firm, was fined £60,000 by the ICO following a data breach in which client files — including highly sensitive personal injury and criminal matter files — were exposed due to inadequate security measures. The ICO found that DPP Law had failed to implement appropriate technical and organisational measures under Article 32 UK GDPR.
Relevance to CourtCraft
CourtCraft processes highly sensitive legal matter data (domestic abuse disclosures, child arrangements proceedings, financial remedy details) that is equivalent in sensitivity to the client files at issue in DPP Law. This precedent confirms the ICO will impose significant fines on legal sector organisations that fail to secure sensitive personal data.
ICO Finding
Legal sector organisations processing sensitive client data must implement security measures commensurate with the risk. The ICO specifically noted that legal matter data attracts the highest level of protection obligation under Article 32.
CourtCraft Mitigation
Row-level security (RLS) enforced via Supabase on all user data tables; pgvector embeddings protected by SECURITY INVOKER RLS enforcement (not SECURITY DEFINER); all data stored in EU data centres; Article 32 security measures documented in Section 4 of this DPIA.
📋 ICO Sandbox Application — Cite Both Precedents
Both precedents should be cited in CourtCraft Advocate's ICO Sandbox application to demonstrate regulatory awareness and to distinguish CourtCraft's compliance posture from the deficiencies identified in these enforcement actions. Citing these cases demonstrates that CourtCraft has conducted a thorough regulatory landscape review and has implemented specific mitigations in response to ICO enforcement priorities.
Reference: ICO Regulatory Sandbox →
© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.
Owner: CourtCraftAdvocate Ltd. Proprietary and confidential.