Security & Data Residency

Your programme data stays in the UK.
Full stop.

Government programme documents are sensitive. We built the platform so they never leave UK jurisdiction — from upload to output, every byte processed and stored on Azure UK South.

Request a Demo
Azure UK South
All storage, processing, and AI inference on UK-sovereign infrastructure
No model training
Your documents are never used to train or fine-tune AI models
Tenant isolation
Your data is logically separated from every other organisation on the platform
ICO registered
Registered data controller under UK GDPR. Cyber Essentials in progress.
How your data flows

UK in. UK out.
Nothing in between.

Every stage of the assessment pipeline — ingestion, storage, AI processing, output generation — runs within Azure UK South data centres. There is no step where your data crosses a border.

We use Azure OpenAI Service, the enterprise version of OpenAI hosted within Microsoft's UK infrastructure. This is the same service used by HMRC and NHS Digital. It is explicitly excluded from OpenAI's model training data.

  • Documents encrypted in transit via TLS 1.3
  • Stored at rest with AES-256 encryption
  • AI inference on Azure OpenAI UK South — no US routing
  • Outputs stored UK-only, deleted on your request
  • Access logs available on request
Data pipeline
You upload documents
SharePoint connection or direct upload — TLS 1.3 in transit
Stored in Azure UK South
AES-256 at rest · Tenant-isolated · UK jurisdiction
Processed by Azure OpenAI UK
UK-hosted model · Zero data egress · No training use
Results returned to you
Outputs stored UK-only · You control deletion
Common questions

What organisations typically ask us

Can we use this for OFFICIAL-SENSITIVE documents?
Azure UK South is accredited to handle OFFICIAL-SENSITIVE data. We're engaged in the governance process to formally confirm this for our specific use case. If you have specific data classification requirements, contact us and we'll work through it with you.
Who can see our programme documents?
Nobody outside your organisation. Documents are tenant-isolated — no Programme Insights staff have access to your content, and no other customer can see your data. Access logs are available on request.
Is this the same OpenAI that trains on user data?
No. We use Azure OpenAI Service — Microsoft's enterprise deployment of the same underlying models, hosted within UK infrastructure. Under Microsoft's enterprise terms, your data is explicitly excluded from model training. This is the same service used by NHS Digital and major UK government departments.
What happens to our documents when we stop using the platform?
You can request full deletion of all your data at any time. Documents, assessment results, chat history — everything. We confirm deletion in writing within 5 working days. We do not retain any copies.
Do you have a Data Processing Agreement?
Yes. A standard DPA is available and covers all commitments described on this page. We're ICO registered and operate under UK GDPR. If your procurement process requires specific DPA clauses, contact us.
What certifications do you hold?
ICO registration is complete. Cyber Essentials certification is in progress and expected to complete in Q2 2026. ISO 27001 is on the roadmap for 2027. If your procurement requires specific certifications, talk to us about timeline.

Security questions we haven't answered?

We're happy to discuss your specific requirements — data classification, DPA clauses, procurement questions. Talk to us before you decide.

Get in touch