UK Data Residency & Compliance
UK Sovereign Cloud

Your Data Stays in the UK

GDPR, UK DPA 2018, FCA, SRA, ICO. Data residency guaranteed. No exceptions.

ISO 27001, SOC 2 Type II Certifications

Our Commitment

Data protection and regulatory compliance are foundational to FI Digital, not afterthoughts. Our commitment is unambiguous: your data remains in UK sovereign cloud infrastructure (AWS eu-west-2 or Azure UK South) under your complete control and subject to UK law only. No exceptions.

No data is processed, stored, or transferred outside the UK without explicit written approval. This commitment applies regardless of whether you're a financial services firm (regulated by the FCA), a law firm (regulated by the SRA), or a manufacturer (regulated by the Health and Safety Executive). Data protection and privacy compliance are core to our operations, not negotiable terms of engagement.

We understand that data protection is not merely a compliance checkbox; it's fundamental to client trust and regulatory accountability. When a UK financial services firm deploys an AI system, the FCA expects the firm to maintain control of where data is processed, how it's encrypted, who can access it, and what happens to it. We enable that control through our architecture: your data stays in UK cloud infrastructure, access is logged and auditable, encryption is customer-controlled, and deletion is permanent.

We're ISO 27001 certified (Information Security Management Systems), which requires formal processes around information security governance, risk management, access control, encryption, incident response, and supplier management. Our certification is valid (annually audited by external auditors); it's not self-awarded. We also maintain SOC 2 Type II certification (System and Organization Controls) covering security, availability, processing integrity, confidentiality, and privacy.

These certifications demonstrate that we maintain rigorous security practices and that those practices are independently verified. Compliance isn't just our responsibility; it's your responsibility, and we support you by ensuring we don't become your compliance liability. You can point to our architecture, certifications, and documentation when explaining your AI deployment to regulators.

UK GDPR & Data Protection Act 2018

UK GDPR and the Data Protection Act 2018 (DPA 2018) form the legal foundation for data protection in the UK. Both apply to any organisation processing personal data of UK residents, regardless of where that organisation is located. As an AI services provider processing data on your behalf, we are your data processor; you remain the data controller.

This distinction is crucial for regulatory accountability: you decide what data is processed, for what purpose, and how long it's retained. We process data according to your instructions. This controller-processor relationship must be formalised in a Data Processing Agreement (DPA). Our standard DPA meets ICO guidance and covers: scope of processing, data categories, processing purposes, security measures, sub-processors, international transfers (we commit to UK-only processing), data subject rights, and incident response.

UK GDPR's core principles require that personal data is processed lawfully, fairly and transparently; for specified, explicit purposes only; minimally; kept accurate; retained only as long as necessary; and protected with appropriate security. Our system architecture embeds these principles.

Data minimisation: we process only the data necessary for your purposes. If you're running KYC automation, we don't ingest your entire customer database; we ingest only application records requiring verification. Accuracy: data we process is validated against source systems. Retention: data is deleted according to your retention policy automatically. Security: encryption, access controls, and monitoring protect data throughout its lifecycle.

DPA 2018 adds UK-specific requirements beyond GDPR. Organisations must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. We support your DPIA by providing documentation of our security controls, data flows, and risk management approaches. We maintain detailed records of processing activities as required by DPA 2018; you have access to these records for your statutory record-keeping.


Data Residency: AWS eu-west-2 & Azure UK South

Data residency is where your data physically exists and where it's processed. UK law requires that certain types of data (particularly personal data of UK residents and financial data of UK firms) remain in UK jurisdiction. We offer two deployment options, both of which guarantee UK data residency.

AWS eu-west-2 (London) is our primary deployment platform. AWS's London region is a full AWS region with multiple availability zones, meaning your data is redundantly stored across geographically separated data centres within the London region. If one data centre experiences failure, your data is automatically available from another centre. AWS eu-west-2 is physically located in the UK; data never leaves UK jurisdiction.

We use AWS encryption to ensure data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are customer-managed (you control the keys, not AWS). This arrangement ensures that even AWS staff cannot decrypt your data without your key.

Azure UK South (London) is Microsoft's equivalent. Azure maintains full isolation between regions; data stored in UK South never replicates to other regions without explicit permission. Azure offers encryption at rest and in transit; key management options include customer-controlled keys. Integration with Azure services keeps workloads in UK South if you choose.

We can also integrate with your cloud account: rather than hosting infrastructure on your behalf, we provision it within your own AWS or Azure account. This approach gives you maximum control and visibility: you can audit the infrastructure configuration directly. For firms with stringent requirements, we support customer-managed encryption: you generate the encryption keys and provide them only when processing is required.
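The residency and key-control commitments above (UK region only, customer-managed keys, TLS in transit) are the kind of thing a client's own audit should verify rather than take on trust. The following is an added example, not FI Digital's code: an offline check over constructed S3-style bucket records that flags any bucket outside eu-west-2, any bucket whose at-rest encryption is not under a KMS key in the customer's own account, and any bucket policy that does not deny plaintext access. The record shape, the account id and the bucket names are assumptions made for the example.

```python
"""Offline residency and key-control check over constructed S3-style bucket records
(simplified shape assumed for this example, not a documented AWS schema)."""

UK_REGIONS = {"eu-west-2"}          # AWS London; the page's Azure option is UK South
CUSTOMER_ACCOUNT = "111111111111"   # placeholder for the client's own AWS account id

def is_customer_managed_key(key_arn: str) -> bool:
    """KMS key ARN in the customer's account and a UK region, not an AWS-managed alias.
    Caveat: an AWS-managed key given as a bare key ARN needs DescribeKey (KeyManager) to tell apart."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms" or parts[3] not in UK_REGIONS:
        return False
    return parts[4] == CUSTOMER_ACCOUNT and not parts[5].startswith("alias/aws/")

def policy_enforces_tls(policy: dict) -> bool:
    """True if a Deny statement refuses requests made without TLS (aws:SecureTransport false)."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

def residency_findings(bucket: dict) -> list:
    """One finding per violated control; an empty list means the bucket passes."""
    findings = []
    if bucket["region"] not in UK_REGIONS:
        findings.append(f"{bucket['name']}: region {bucket['region']} is outside the UK")
    sse = bucket.get("sse", {})
    if sse.get("algorithm") != "aws:kms" or not is_customer_managed_key(sse.get("key_arn", "")):
        findings.append(f"{bucket['name']}: data at rest is not under a customer-managed KMS key")
    if not policy_enforces_tls(bucket.get("policy", {})):
        findings.append(f"{bucket['name']}: bucket policy does not deny plaintext (non-TLS) access")
    return findings

SAMPLE_BUCKETS = [  # constructed sample records, not from any real account
    {"name": "kyc-records-london", "region": "eu-west-2",
     "sse": {"algorithm": "aws:kms",
             "key_arn": f"arn:aws:kms:eu-west-2:{CUSTOMER_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"},
     "policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                               "Resource": "arn:aws:s3:::kyc-records-london/*",
                               "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
    {"name": "kyc-backup", "region": "us-east-1",   # wrong region
     "sse": {"algorithm": "AES256"},                 # SSE-S3: AWS-owned key, not customer-controlled
     "policy": {"Statement": []}},                   # no TLS-only statement
]

def run_check(buckets=SAMPLE_BUCKETS) -> dict:
    return {b["name"]: residency_findings(b) for b in buckets}
```

On real infrastructure the same three functions would be fed from GetBucketLocation, GetBucketEncryption and GetBucketPolicy; the compliant sample passes with no findings and the backup bucket produces three.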

FCA Awareness

The Financial Conduct Authority (FCA) is the primary regulator of UK financial services. The FCA doesn't prohibit AI use, but it requires firms deploying AI to maintain appropriate governance, manage risks, and maintain human accountability.

We design systems with FCA expectations in mind. Algorithmic accountability: The FCA expects firms to understand what AI systems do, to trace decision-making, and to maintain human oversight. Our systems are architected for traceability—every decision is logged with reasoning, confidence, and human approver identity. When the FCA examines a firm's AI systems, you can produce comprehensive documentation.

Data governance: The FCA expects firms to know where data comes from, how it's transformed, and where it goes. Our integration design is explicit—we document data flows, validate data quality, and flag anomalies.

Consumer protection: The FCA expects AI to protect consumers, not exploit them. Our systems are designed to flag edge cases and conflicts of interest for human review; they don't autonomously make decisions that could harm consumers.

Model risk management: We implement model monitoring, testing, and governance that aligns with FCA expectations. We don't claim to be "FCA-approved"—the FCA doesn't pre-approve specific AI systems—but we claim to be "FCA-aware," meaning we design systems and governance approaches that satisfy known FCA expectations. We can support conversations with the FCA by providing documentation and testing results.


SRA Awareness

The Solicitors Regulation Authority (SRA) regulates UK solicitors and law firms. The SRA's approach to AI is similarly expectation-based: the SRA doesn't prohibit AI, but it requires solicitors to maintain professional conduct, client confidentiality, and professional judgment. SRA Principle 4 (rule of law) and Principle 6 (ethical conduct) create expectations around AI governance.

The SRA expects law firms using AI to: maintain client confidentiality (information must be appropriately safeguarded), understand AI limitations (solicitors must not rely blindly on AI), maintain professional judgment (solicitors remain responsible for their work), and ensure appropriate oversight. Our legal AI systems are architected with SRA expectations in mind. Confidentiality: client data is processed in confidential matter workflows; data is encrypted; access is restricted. You maintain attorney-client privilege.

Professional judgment: the AI is an analytical tool; lawyers review and approve all output. The lawyer remains accountable for legal advice, not the AI. Transparency: the AI explains its reasoning; lawyers understand what the AI is doing and why.

Professional responsibility: if the AI errs, the firm knows immediately because the human lawyer reviews the output. The error is caught before it affects client service. Training and oversight: We provide training materials; you maintain oversight. We're available to explain AI capabilities and limitations to your firm's management and the SRA.

ICO & AI Ethics

The Information Commissioner's Office (ICO) is the UK's independent data protection authority. The ICO is increasingly focused on AI ethics, particularly as AI systems make decisions that affect individuals. We design AI systems with ICO's ethical expectations in mind.

Fairness and bias: AI systems can perpetuate or amplify existing biases. We actively test for bias, monitor for fairness across demographic groups, and adjust systems if unfair patterns emerge. Transparency and explainability: Our systems produce explanations that individuals can understand. If your firm uses AI to make a credit decision, the system explains which factors influenced the decision.

Individual rights: Our systems support data subject rights (access, correction, deletion, objection). Accountability: We maintain detailed records of system development and conduct Data Protection Impact Assessments for high-risk processing.

AI ethics extends beyond regulatory compliance. Algorithms that appear technically correct can produce outcomes that feel unfair. We test for subtle biases and adjust systems to be fair to all groups. This is particularly important in financial services and legal services. Ethically trained AI systems are better-performing systems: more robust, less vulnerable to regulatory challenge, and trusted by users.


Secure Your Sovereign AI

Ensure your enterprise AI deployment is fully compliant with UK data residency laws. Schedule a technical deep dive with our architecture team.