







No model training
Your data never trains or improves any AI model. Inference runs on Google Vertex AI in the EU; prompts and outputs are never stored or used for training. Contractually guaranteed under a processor agreement.
No patient data
CompliMind processes no patient-identifiable data at any stage. The platform is GDPR compliant and designed to process minimal information for access control and audit.
No selling or sharing
Trust and engagement data is never sold or shared. Subprocessors act only under data processing agreements, with no independent access.
Traceable
Every answer to a regulation question includes a traceable source, with the page number, exact cited paragraph, and a link back to the original document.
UK-based hosting on Microsoft Azure
All primary storage and processing takes place in the United Kingdom, using UK South and West for resilience. Limited transient processing for authentication and AI inference occurs in the EU or EEA.
Encrypted at rest
AES-256 encryption applied to all stored data.
Encryption in transit
All connections are secured via HTTPS / TLS 1.2+, for both public endpoints and inter-service communication.
Data segregation
Logical separation per Trust, so data stays private across every organisation and engagement.
Penetration testing
Regular independent penetration testing. The most recent assessment returned no critical and no high-severity findings.
Backups & recovery
Regular automated backups of the database and document storage, with tested restoration procedures and a 99.9% platform availability target.
Incident response
A documented and rehearsed incident response process: incidents are triaged, contained, investigated, and reported to the Trust without undue delay, followed by post-incident review.
Monitoring
Centralised logging and alerting, with regular review of privileged actions and high-risk events.
Data retention & deletion
Data is retained for the duration of the Trust’s contract. On instruction, accounts and personal data are securely deleted following NIST SP 800-88–aligned procedures, with export and written confirmation of deletion on contract end.
ISO certificates
ISO 27001 / ISO 42001 and ISO 9001 / ISO 14001 certificates: available on request.
Cyber Essentials Plus certificate
Available on request.
DSP Toolkit evidence
Standards Exceeded evidence available via the external DSP Toolkit reference.
External penetration test summary
Available on request.
DTAC, DPIA, subprocessor list, and DPAs
Available on request, including a full subprocessor list with DPAs and certifications.