Modules For Consultancies For Programme Directors For PMO Teams Platform Security Resources Blog Request a Demo
Security & Data Residency

Your programme data stays in the UK.
Full stop.

Government programme documents are sensitive. We built the platform so they never leave UK jurisdiction — from upload to output, every byte processed and stored on Azure UK South.

Request a Demo
Data Processing Flow
Documents uploaded
TLS 1.3 encrypted in transit
UK endpoint
Processed on Azure UK South
AI inference runs within UK data centres
UK only
Results stored encrypted at rest
AES-256 · Isolated per customer
UK only
Your documents are never used to train AI models
Azure UK South
All storage, processing, and AI inference on UK-sovereign infrastructure
No model training
Your documents are never used to train or fine-tune AI models
Tenant isolation
Your data is logically separated from every other organisation on the platform
ICO registered
Registered data controller under UK GDPR. Cyber Essentials in progress.
How your data flows

UK in. UK out.
Nothing in between.

Every stage of the assessment pipeline — ingestion, storage, AI processing, output generation — runs within Azure UK South data centres. There is no step where your data crosses a border.

We use Azure OpenAI Service, the enterprise version of OpenAI hosted within Microsoft's UK infrastructure. This is the same service used by HMRC and NHS Digital. It is explicitly excluded from OpenAI's model training data.

  • Documents encrypted in transit via TLS 1.3
  • Stored at rest with AES-256 encryption
  • AI inference on Azure OpenAI UK South — no US routing
  • Outputs stored UK-only, deleted on your request
  • Access logs available on request
Data pipeline
You upload documents
SharePoint connection or direct upload — TLS 1.3 in transit
Stored in Azure UK South
AES-256 at rest · Tenant-isolated · UK jurisdiction
Processed by Azure OpenAI UK
UK-hosted model · Zero data egress · No training use
Results returned to you
Outputs stored UK-only · You control deletion
Common questions

What organisations typically ask us

Can we use this for OFFICIAL-SENSITIVE documents?
Azure UK South is accredited to handle OFFICIAL-SENSITIVE data. We're engaged in the governance process to formally confirm this for our specific use case. If you have specific data classification requirements, contact us and we'll work through it with you.
Who can see our programme documents?
Nobody outside your organisation. Documents are tenant-isolated — no Programme Insights staff have access to your content, and no other customer can see your data. Access logs are available on request.
Is this the same OpenAI that trains on user data?
No. We use Azure OpenAI Service — Microsoft's enterprise deployment of the same underlying models, hosted within UK infrastructure. Under Microsoft's enterprise terms, your data is explicitly excluded from model training. This is the same service used by NHS Digital and major UK government departments.
What happens to our documents when we stop using the platform?
You can request full deletion of all your data at any time. Documents, assessment results, chat history — everything. We confirm deletion in writing within 5 working days. We do not retain any copies.
Do you have a Data Processing Agreement?
Yes. A standard DPA is available and covers all commitments described on this page. We're ICO registered and operate under UK GDPR. If your procurement process requires specific DPA clauses, contact us.
What certifications do you hold?
ICO registration is complete. Cyber Essentials certification is in progress and expected to complete in Q2 2026. ISO 27001 is on the roadmap for 2027. If your procurement requires specific certifications, talk to us about timeline.

For Procurement Teams

Working with us before full certification

Cyber Essentials is in progress and ISO 27001 is on the roadmap. We understand that procurement timelines don't always wait for certification milestones. Here's how we support buyers who want to proceed now.

Data Processing Agreement

Full DPA available covering UK GDPR obligations, data retention, sub-processor disclosure, and incident response. Ready to sign.

OFFICIAL-SENSITIVE Handling

Azure UK South infrastructure supports OFFICIAL and OFFICIAL-SENSITIVE classifications. Documents never leave UK jurisdiction. No US data routing.

Security Questionnaire

Happy to complete your organisation's security questionnaire or DPIA. We've documented our architecture, data flows, and access controls for exactly this purpose.

Pilot Under Controlled Scope

Start with a time-limited pilot using non-sensitive documentation to validate the platform's value before committing to a full procurement process.

If your procurement team has specific requirements — classification levels, data handling standards, contractual clauses — talk to us. We'd rather address your questions directly than lose you to a checkbox.

Zero process change required.
95% of enterprise AI pilots fail due to organisational change requirements (Stanford Enterprise AI Playbook, 2026). Programme Insights requires no training programme, no workflow redesign, and no change management budget. Connect your documents, select a framework, run the assessment.

Security questions we haven't answered?

We're happy to discuss your specific requirements — data classification, DPA clauses, procurement questions. Talk to us before you decide.

Get in touch