The evidence behind CompliMind

Measured improvements in time, accuracy, and compliance assurance - validated in NHS settings.

Every claim on this page is traceable to its source. Where evidence comes from controlled experiments, we report sample sizes, effect sizes, and statistical significance. Where data is self-reported, we say so. We do not present pilot outcomes as production-scale results.

Precision Metric

150%

Increase in error detection in policy review

Randomised controlled trial with 33 NHS EFM professionals. Manual review vs. CompliMind-assisted review. Statistically significant (p=0.003).

Platform Accuracy

96%

Accuracy on NHS compliance questions

Independently scored against 250 verified NHS Estates & Facilities Management standards. 2x accuracy vs. generic AI tools.

Operational Impact

400+

Hours/month redirected to forward planning

Somerset NHS Foundation Trust. 60 users, 1,500 regulatory queries per month. Time freed from manual compliance work.

WHAT CHANGES

What changes in practice

Manual Workflow

Finding an HTM requirement

10-20 min

Keyword trawling through PDFs, double-checking citations

Reviewing a policy

10-20 hrs

Manual review, gap analysis, cross-referencing HTMs

Managing group meetings

4-6 hrs

Preparation, minute writing, action log updates

CompliMind AI Pipeline

Instant Search

30 seconds

Source-linked answers with line-level references

AI-Assisted Review

30-60 min

Targeted gap checking with AI-generated suggestions

Meeting Automation

<1 hour

Full meeting cycle: prep, minutes, and action log

The compliance challenge facing NHS estates

Teams are carrying a heavy documentation burden while still being held to exacting safety and governance standards.

THE COMPLIANCE BURDEN

24.5 hrs/week

spent on regulatory searches, policy writing, and reviews. That is 65% of contracted time.

10.9 hrs searching

8.1 hrs writing

5.5 hrs reviewing

CompliMind CRM survey, n=482

STAFF EXPERIENCE

72%

are neutral or dissatisfied with access to compliance information. 41% report stress or overload.

Ease of access to compliance information

36%

28%

Stress / feeling overwhelmed (past month)

41%

28%

31%

Negative

Neutral

Positive

CompliMind CRM survey, n=276

RISK EXPOSURE

£11.4M

HSE fines to NHS Trusts
2015-2024

5,348

Incidents linked to estates or
facilities failure in one year

£20M

Maximum penalty under the
Corporate Manslaughter Act

HSE prosecution database; NHS NRLS; Corporate Manslaughter Act 2007

REAL-WORLD EVIDENCE

What NHS teams are achieving with CompliMind

CompliMind is deployed in NHS Trusts across England and Wales. Here is what practitioners and their organisations report from live, sustained deployments.

University Hospital Southampton NHS FT

How CompliMind uncovered a long-standing contract inconsistency

£48k

Annual contract savings confirmed

8 years

Time the inconsistency had gone undetected

1 review

Required to identify cost recovery

Swansea Bay University Health Board

How CompliMind empowers PFI Handback Teams

6,000+

Asset survey images reviewed

35%

Time savings for the PFI team

£100k+

Potential cost recovery

University Hospital Southampton NHS FT

How CompliMind transformed risk assessment production

280

RAMS produced in under one month

5×

Faster than slow, manual processes

100%

Of required RAMS now up to date

IHEEM

How CompliMind streamlines meeting documentation across technical platforms

40+

Technical platform meetings per year

2 weeks

Time savings directed to other projects

Technical platform members supported

Somerset NHS Foundation Trust

400+ hours/month redirected to forward planning

Registered users

1,500

Regulatory queries per month

400+

Hours/month redirected

VALUE PROJECTION

Quantify Your Efficiency Gains

Use our ROI model based on findings from the Swansea Bay Trust audit to estimate your team's time savings.

💡 DID YOU KNOW?

Teams using CompliMind report an 80% reduction in document processing time within 3 months of implementation.

SELECT TEAM SIZE 40 People

1 100+

ESTIMATED ANNUAL SAVING

£284,500

≈ 4,200 staff hours recovered per year

Get Custom ROI Report

How we handle evidence

All statistics are traceable to source documents. We report sample sizes, effect sizes, and statistical significance. Self-reported data is labelled as such. Pilot outcomes are not presented as production-scale results. Questions about any claim? evidence@complimind.co.uk

THE RISK OF GENERIC AI

Public AI tools are already creating legal and governance exposure

NHS teams are turning to consumer AI tools to cope with compliance workloads. The legal system is catching up faster than most organisations expect - and the consequences are real.

>50%

of employees admit to using AI tools without telling their managers.

Microsoft & LinkedIn, Work Trend Index 2024 →

77%

of employees have pasted sensitive company data directly into generative AI prompts.

LayerX, Enterprise AI Security Report 2025 →

70%

of employees have never received formal training on how to use AI safely or ethically.

Asana/KPMG, State of AI at Work 2024–2025 →

Legal & regulatory risk

Uploading sensitive data into public AI is now a legal liability

In Munir v Secretary of State [2026] UKUT 81 (IAC), the Upper Tribunal ruled that uploading confidential documents into an open-source AI tool such as ChatGPT places that information into the public domain - constituting a breach of client confidentiality and a waiver of legal professional privilege. Courts now distinguish between open-source and closed-source AI, and will hold organisations accountable for how staff use AI with sensitive data. NHS Trusts using uncontrolled public AI tools for compliance work face exposure to confidentiality breaches, privilege waiver, and regulatory sanction. Adopting a purpose-built, closed-source platform is a governance decision, not just a productivity one.

Government evaluation

M365 Copilot Evaluation - Dept for Business and Trade (Oct 2024 - Mar 2025)

A 1,000-licence pilot found no evidence that time savings led to improved productivity. Control group colleagues had not observed productivity improvements. The evaluation highlighted inconsistencies in quality-assuring AI outputs, hallucinations throughout the pilot, and a lack of knowledge regarding capabilities, limitations, and security concerns among non-pilot staff.

36%

Copilot

74%

ChatGPT

96%

CompliMind

Based on independent scoring against verified NHS Estates & Facilities Management standards (n=250).

CompliMind is built for infrastructure compliance.

Sector-specific knowledge base: Always up-to-date with national guidelines and seamlessly integrated with your local document database.
Built-in domain expertise: Built on a deep understanding of Capital, Estates and Facilities, with best-practice templates that align guidance with compliance and assurance workflows.
Built for auditability: Every answer is linked to its regulatory source, providing transparent, version-controlled, and fully auditable information.
Privacy and security: Designed to protect Trust data through enterprise-grade compliance.

RESEARCH

The research behind the platform

Controlled NHS studies and independent benchmarking - conducted with leading academic institutions.

Randomised Controlled Trial

AI-Assisted Policy Review

33 NHS EFM professionals. Manual review vs. CompliMind-assisted review of a policy derived from HTM 07-01. Statistically significant gains in error detection - no increase in false positives.

150% increase in error detection recall (p=0.003)
110% improvement in detection efficiency
2× overall detection quality (F1 score)
r > 0.60 very large effect sizes across all metrics

📄 Download summary (PDF)

Controlled Experiment

Information Retrieval (n=64)

64 NHS EFM staff tested on compliance tasks. Quality scored against verified standards. Triangulated by three independent researchers. Experienced staff benefit most.

35% faster task completion
53% improvement in answer quality
117% quality gain for 30+ years' experience
£3.3-11k annual saving per staff member

Stress / feeling overwhelmed (past month)

Without AI

72%

With CompliMind

31%

Self-reported, n=64. CompliMind cohort vs. control group.

📄 Download CIBSE paper

Independent Benchmark

Platform Accuracy (n=250)

250 verified NHS EFM standards (HTMs, HBNs, HSE). CompliMind vs. generic AI. Closed-source architecture avoids legal privilege risks confirmed by the Upper Tribunal (Munir, 2026).

96% accuracy on compliance questions
2× accuracy vs manual reviews
Closed source - no public domain data risk

📄 View methodology

Publications

Health Estate Journal

AI platform to streamline access to guidance

Read article →

CIBSE Technical Symposium

The rise of the machines: 2025 CIBSE Technical Symposium

Read article →

CIBSE Journal

Making compliance work smarter: AI tools for building regulations

Read article →

Health Estate Journal

AI impact on NHS estates policy and workforce

Read article →

HEFMA Pulse
March 2026

HEFMA Pulse

Mission impossible

Read article →

IFHE Digest
2025

IFHE / DRLC Digest

AI to manage compliant engineering systems

Read article →

ISO
27001

Information Security

ISO
42001

AI Management

ISO
9001

Quality

ISO
14001

Environmental

DTAC

NHS Digital Tech

GDPR

Data Protection

CE+

Conformity

Security & compliance
you can trust

CompliMind is built to meet the most rigorous NHS information governance standards. Everything you need to assess our security posture is here.

All systems operational ISO 27001 & 42001 ISO 9001 & 14001 Cyber Essentials Plus DSP Toolkit ICO Registered

Certifications

Certifications & assurance

Independent certification from accredited bodies covering information security, AI management, and NHS data governance.

🔐

ISO 27001:2022

Information Security Management System - IMS Certified

Active

🤖

ISO 42001:2023

AI Management System - IMS Certified (joint with ISO 27001)

Active

✅

ISO 9001:2015

Quality Management System - IMS Certified

Active

🌿

ISO 14001:2015

Environmental Management System - IMS Certified

Active

🛡️

Cyber Essentials Plus

NCSC-backed - independently tested and certified

Certified

🏥

DSP Toolkit

NHS Data Security & Protection Toolkit - Org: O1K2Q

✓ Compliant

📋

ICO Registration

Registered as a data controller with the ICO

Registered

🔍

Penetration Testing

Web App & AI Security Assessment - Citation Cyber, Nov 2025

✓ Completed

Security

Technical security

Hosted on Microsoft Azure UK, following NHS cloud security standards throughout.

Hosting & Infrastructure

Microsoft Azure UK South and UK West (dual-region resilience)
Web portal and API on Azure App Service - HTTPS only (TLS 1.2+)
Azure Blob Storage for documents - encrypted at rest
PostgreSQL database for user profiles, audit logs, session data
Azure Document Intelligence for content processing
Azure Cognitive Search for indexing and retrieval
99.9% platform availability target - Azure infrastructure SLA

Encryption & Key Management

All data in transit: TLS 1.2+ across all public and inter-service endpoints
All data at rest: AES-256 encryption (Azure-managed keys)
Application secrets in secure config stores with rotation procedures
HTTPS-only session cookies - short-lived, no role information embedded
Backend role enforcement on every request; token revocation on role change

Authentication

Firebase Authentication (EU region) for login and session tokens
Minimum 15-character password policy enforced platform-wide
MFA mandatory for all internal CompliMind staff accounts
Tokens carry no role information - all checks server-side
Immediate token revocation on account suspension or deletion
Accounts provisioned only on Trust instruction

Logging & Monitoring

Centralised logging via Azure Monitor and Log Analytics
Auth events, authorisation decisions, admin actions, data access all logged
Timestamp, actor, and outcome captured for every audit event
High-risk and privileged events reviewed regularly; anomalies investigated
Documented incident response with Trust notification without undue delay
Post-incident review after every significant event

Penetration Test - Citation Cyber, November 2025

Web Application & AI Security Assessment. Ref: COM281025ST. No critical or high severity findings.

Critical

High

Medium

Low

Informational

Categories: Information Disclosure, Authentication, Secure Configuration, Access Control, Cryptographic Issues. AI Assessment: 0 medium, 0 high, 0 critical.

Role-Based Access Control (RBAC)

Every action is authorised at the API layer and logged. The NHS Trust is the data controller and directs all user provisioning and removal.

Role

Intended Holder

Core Capabilities

Manage Users?

User

NHS EFM staff

View/search; create documents; upload permitted files; invite/deactivate guests

Champion

Trust-appointed

All User rights; invite/deactivate Users and Guests within the Trust tenant

Limited

Guest

Invited external / temporary

View-only of explicitly shared items; cannot browse wider tenant data

DB Manager

Trust-appointed

All User rights; manage Trust documents (add, modify, delete)

Backup & Disaster Recovery

Regular automated backups of PostgreSQL and Blob Storage snapshots
Tested restoration procedures in place
Low-hour RPO; same business day RTO for critical data
Resilient dual-region design (UK South + UK West)
Non-clinical - Trusts maintain primary records independently

AI Controls (Vertex AI)

RAG-powered - AI responses always cite source documents
Zero data retention: inference-only, no prompts stored or used for training
Data minimisation: only minimum context included in each AI payload
Processing in EU data centres only (Sweden) - no persistent storage outside UK
AI outputs are advisory only; human verification required

Data Protection

Data protection

CompliMind does not process patient data. Only minimal staff identifiers are handled, in accordance with UK GDPR.

Data Collected

Personal data (staff only): name, email, job title, activity logs
Content: estates policies, regulatory guidance, local procedures
Queries: user search questions and compliance queries
Operational metadata: search indexes, logs, telemetry
No patient data is processed - the platform is non-clinical

Data Residency

Primary storage and processing: Azure UK South / UK West
Authentication (Firebase): EU region - transient only
AI inference (Vertex AI): EU/EEA (Sweden) - zero persistent storage
Analytics (PostHog): EU/EEA - product improvement only
LLM traceability (Langfuse): EU/EEA - continuous improvement
No data permanently stored outside the United Kingdom

Controller / Processor

NHS Trust acts as Data Controller
CompliMind acts as Data Processor
Accounts created, modified, deleted only on Trust instruction
Strict logical tenant isolation - cross-tenant access not possible
Object-level access control enforced at the backend on every request
DPIA completed with multiple NHS organisations; available on request

Retention & Deletion

Data retained for duration of Trust contract or operational need
Secure deletion on Trust instruction - accounts and personal data removed
Erasure following NIST SP 800-88 procedures
Pointers, indexes, and storage securely overwritten by provider lifecycle
On contract end: export available on request + written deletion confirmation

Subprocessors

Microsoft Azure

Hosting, blob storage, cognitive search, PostgreSQL, monitoring

📍 UK (primary)

Google Cloud

Firebase Authentication (session management); Vertex AI - zero data retention

📍 EU/EEA

PostHog

Platform analytics for product development and improvement

📍 EU/EEA

Langfuse

LLM traceability and continuous AI improvement monitoring

📍 EU/EEA

Risk Management

Risk register

Key risks assessed for the CompliMind platform and the controls in place to address them.

Risk	Likelihood	Severity	Mitigation	Owner
Unauthorised access (stolen credentials)	Unlikely	Moderate	Strong password policy, HTTPS-only tokens, backend role enforcement, audit logging	CompliMind
Data leakage / tenant boundary breach	Unlikely	Major	Logical tenant isolation, object-level access control, backend validation, no cross-tenant queries	CompliMind
Misuse of AI outputs (inaccurate summaries)	Possible	Moderate	Advisory-only outputs, zero data retention, traceable citations, user verification required	Trust E&F
Service downtime	Unlikely	Minor	Azure 99.9% SLA, high-availability design, disaster recovery testing	CompliMind
Function creep / unintended data exposure	Unlikely	Moderate	AI does not override user permissions; RBAC enforced on all surfaced data; IG training for staff	Trust IG Lead
Inadequate user deprovisioning	Unlikely	Minor	Champion dashboards for access revocation; backend token invalidation on disablement	Trust Champions
Subprocessor risk (Azure, Google)	Unlikely	Major	ICO registration, DSPT compliance, contractual IG clauses, UK/EU hosting, adequacy safeguards	CompliMind
Insufficient staff awareness	Possible	Minor	IG and acceptable use training at onboarding, tutorial page, escalation pathways	Trust IG / CM
Data transfer outside UK (Sweden, EU)	Unlikely	Moderate	EEA adequacy applies; TLS encryption; no permanent storage; adequacy decisions monitored	CompliMind
Contract termination / decommissioning	Unlikely	Major	Secure deletion per NIST SP 800-88, Azure wipe protocols, written confirmation to Trust	CompliMind

About

About CompliMind

Company structure, NHS deployments, and governance framework.

NHS Deployments & Validation

Piloted at NHS Trusts in Cambridge, Birmingham, Newcastle, Somerset, Southampton, and Liverpool
User feedback confirmed time savings and improved compliance confidence
DPIA completed with multiple NHS organisations - available on request
DTAC assessment submitted with supporting user research documentation
Non-clinical platform - no clinical trials required

Governance Policies

Information security policy - documented and maintained
Privacy and data protection policy - aligned to UK GDPR
Incident response policy - with Trust notification obligations
Acceptable use policy - provided at user onboarding
Staff IG and security awareness training programme
Dual approval required for elevated internal access privileges

User Lifecycle Management

Joiners: Trust submits authorised details; account created; guidance provided
Movers: Role change on Trust request; permissions updated; previous tokens revoked immediately
Leavers: Trust notifies CompliMind or Champion disables; access blocked immediately; deletion scheduled

Have questions about our security posture?

Our team is happy to answer IG and IT security queries, provide additional documentation, or complete a Trust-specific DPIA.

CTO - Technical & IG

Dr. Jan Blümel

jan@complimind.co.uk

+44 1223 756581

CEO - General & Procurement

Carl-Magnus von Behr

carl@complimind.co.uk

+44 7552 877625

Registered Address

Canterbury House

1 Royal Street, London SE1 7LL

Company No. 15467857

The evidence behind CompliMind

What changes in practice

Manual Workflow

CompliMind AI Pipeline

The compliance challenge facing NHS estates

THE COMPLIANCE BURDEN

STAFF EXPERIENCE

RISK EXPOSURE

What NHS teams are achieving with CompliMind

How CompliMind uncovered a long-standing contract inconsistency

How CompliMind empowers PFI Handback Teams

How CompliMind transformed risk assessment production

How CompliMind streamlines meeting documentation across technical platforms

400+ hours/month redirected to forward planning

Quantify Your Efficiency Gains

How we handle evidence

Public AI tools are already creating legal and governance exposure

Uploading sensitive data into public AI is now a legal liability

M365 Copilot Evaluation - Dept for Business and Trade (Oct 2024 - Mar 2025)

CompliMind is built for infrastructure compliance.

The research behind the platform

AI-Assisted Policy Review

Information Retrieval (n=64)

Platform Accuracy (n=250)

Publications

AI platform to streamline access to guidance

The rise of the machines: 2025 CIBSE Technical Symposium

Making compliance work smarter: AI tools for building regulations

AI impact on NHS estates policy and workforce

Mission impossible

AI to manage compliant engineering systems

CompliMind is a secure, certified AI platform

See the evidence in your context

Security & complianceyou can trust

Certifications & assurance

Technical security

Hosting & Infrastructure

Encryption & Key Management

Authentication

Logging & Monitoring

Penetration Test - Citation Cyber, November 2025

Role-Based Access Control (RBAC)

Backup & Disaster Recovery

AI Controls (Vertex AI)

Data protection

Data Collected

Data Residency

Controller / Processor

Retention & Deletion

Subprocessors

Risk register

About CompliMind

Company Information

NHS Deployments & Validation

Governance Policies

User Lifecycle Management

Have questions about our security posture?

Security & compliance
you can trust