AI you can put in front of your board, your auditor, and your regulator.
Every AI workflow we build comes with the paperwork to prove it's done properly. UK-hosted by default. DPIA-ready. Aligned to UK GDPR, the DSIT AI Cyber Security Code of Practice, NCSC Guidelines for Secure AI System Development, and the UK's cross-sector AI principles. We've written tender responses. We've answered DPO questions. We've passed procurement gates.
What every client gets
This isn't optional or premium. It's how we work.
- 01 UK GDPR by design. Every workflow starts with a data map: what personal data goes in, where it's processed, what's stored, what's retained, and who can see it. We design to minimise: only the data the worker actually needs to do the job.
- 02 A Data Protection Impact Assessment (DPIA). For any worker that touches personal data, we produce a DPIA before go-live. You get the document. Your DPO countersigns. Your auditor sees it.
- 03 Data residency in the UK by default. Workflows are hosted in UK data centres. Where a specific model or tool is only available with EU hosting, we name it and obtain your written approval before any processing. No data leaves the UK or EU without that approval.
- 04 A named accountable owner. SimpleAI assigns a named individual responsible for the integrity of your AI workflow. They're the person your DPO or board calls if there's a question. Same person every time.
- 05 Monthly governance summary. Every monthly report includes a governance section: data processed, exceptions flagged, any model behaviour changes, any incidents. If we change how the worker works, you'll see it before it goes live.
The frameworks we align to
We don't claim certification we don't hold. We do design and document against the frameworks the UK regulators expect SMEs and their suppliers to follow.
- UK GDPR (ICO). Article 5 principles, Article 35 DPIAs, Article 22 on automated decision-making. We use the ICO's AI and Data Protection Risk Toolkit on every build.
- DSIT AI Cyber Security Code of Practice. The UK government's voluntary baseline for AI system security, covering design, development, deployment, and operation.
- NCSC Guidelines for Secure AI System Development. Guidance led by the UK's NCSC and the US CISA, and co-sealed by agencies in other countries, on secure-by-design AI across four stages: secure design, secure development, secure deployment, and secure operation and maintenance.
- The UK's five cross-sector AI principles. Safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress.
- EU AI Act (extraterritorial scope). If your customers or operations touch the EU, the AI Act may apply. We assess this on every build for clients with EU exposure.
- G-Cloud and public sector procurement standards. For clients selling into government, we structure documentation to fit the questions buyers actually ask.
Public sector and tendering
We've supported clients through procurement processes that ask hard questions about AI. The questions are usually some version of:
- Where is the data processed?
- Who's accountable if the model behaves unexpectedly?
- What's the DPIA?
- What's the fallback if the AI is unavailable?
- How are bias and fairness tested?
- Can you produce an audit trail?
We have answers to each of these, ready to drop into a response document. If you're tendering and the AI questions are slowing you down, that's exactly the kind of work we do under a Fractional AI COO retainer or as a one-off support project.
Data residency and data sovereignty
Data residency is where your data physically sits. Data sovereignty is whose laws govern it once it's there.
For most UK SMEs, we recommend UK residency and UK sovereignty as the default. That means UK data centres, UK-incorporated processors where possible, and contracts governed by English law. Where a workflow needs a model or service that doesn't have a UK option (some specialist tools are still EU- or US-hosted), we name it, document it, and only use it with your consent.
For clients in regulated sectors (financial services, healthcare, legal, public sector) sovereignty matters more than residency. Extraterritorial laws such as the US CLOUD Act can require a US-controlled provider to produce data it holds regardless of which country the data centre is in, so a UK data centre run by a US company does not by itself keep the data under UK law. We design around that.
What we won't do
- We won't process special category data (e.g. health or biometric data) or criminal offence data through a third-party AI tool without an explicit DPIA, a named lawful basis (plus the Article 9 or Article 10 condition that data requires), and your DPO's sign-off.
- We won't build a workflow that makes solely automated decisions with legal or similarly significant effects on a person — Article 22 territory. We design these as human-in-the-loop by default.
- We won't tell you everything is fine if it isn't. If a workflow you want carries regulatory risk, we'll say so before we start.
Tendering, audited, or just board-nervous about AI?
We can take you through the documentation we'd produce for a workflow in your business, before you commit to anything.
Book a governance consultation