Privacy Policy
- Who we are and how to contact us
- What data we collect and why
- Legal bases for processing
- How we use your data
- Data sharing and third parties
- International transfers
- Data retention
- Your rights
- Cookies and similar technologies
- Security
- Changes to this policy
1. Who we are and how to contact us
Standard Intelligence Ltd is a company registered in England and Wales. We operate the Standard Intelligence platform (the "Platform"), a multi-tenant SaaS application for EU AI Act compliance documentation. For the purposes of UK GDPR and EU GDPR (where applicable), Standard Intelligence Ltd is the data controller for personal data collected through the Platform and this website.
Our Data Protection Officer can be contacted at [email protected]. For general data protection enquiries, please use the same address before escalating to a supervisory authority.
2. What data we collect and why
We collect personal data in the following contexts:
- Account and identity data. When you create a tenant account or are invited by a tenant administrator, we collect your name, work email address, and (optionally) your job title and phone number. This is required to provide the Platform.
- Authentication data. We store hashed passwords, MFA credentials, and session tokens. Where SSO is configured, we receive identity assertions from your identity provider — we do not store your IdP password.
- Platform usage data. We log all actions taken within the Platform for audit purposes (see Section 10). This includes the nature and timestamp of each action, the user and role responsible, and the resource affected.
- AI system documentation content. The primary content you create on the Platform — AISDP questionnaire responses, evidence attachments, risk registers, monitoring data, and approved documents — is stored on your behalf. This content may contain personal data about individuals related to your AI system's development, deployment, or affected populations. You are the data controller for that content; we are the data processor.
- AI Regulatory Navigator conversations. Queries submitted to the Navigator and the platform's responses are stored per tenant for the duration of the session and retained for 90 days for service improvement and accuracy tracking. User input is submitted to the Anthropic EU inference endpoint under a GDPR Article 28 DPA.
- Communications. If you contact us by email or through the contact form, we retain that correspondence.
- Marketing and research. If you subscribe to the Research Library newsletter, we retain your email address for the purpose of newsletter delivery. We do not combine this with your Platform account data without your consent.
3. Legal bases for processing
We process personal data on the following legal bases under UK GDPR Article 6:
- Contract (Article 6(1)(b)). Processing necessary to provide the Platform under your subscription agreement — account management, authentication, usage logging, content storage.
- Legal obligation (Article 6(1)(c)). Processing required to comply with applicable law, including audit log retention aligned to EU AI Act Article 18 requirements.
- Legitimate interests (Article 6(1)(f)). Security monitoring, fraud prevention, platform analytics used to improve the service, and maintaining Navigator accuracy metrics. We balance these interests against your rights in each case.
- Consent (Article 6(1)(a)). Marketing communications and the Research Library newsletter. You may withdraw consent at any time by unsubscribing or contacting our DPO.
4. How we use your data
We use the personal data we collect to: provide, maintain, and improve the Platform; authenticate users and enforce access control; generate audit logs required by the Platform's security architecture and applicable regulation; send service notifications, including approval alerts, deadline reminders, and threshold breaches; respond to support enquiries; and fulfil our legal obligations.
We do not use your data to train AI models. We do not sell your data. We do not use your Platform content for any purpose other than providing the service to your tenant.
5. Data sharing and third parties
We share personal data with the following categories of third parties, all of whom act as data processors under written agreements that include GDPR Article 28 clauses:
- Amazon Web Services (AWS), eu-central-1, Frankfurt. Infrastructure hosting for all Platform services and data storage.
- Anthropic. LLM inference for the AI Regulatory Navigator and Dataset Schema Analysis. Data is submitted exclusively to the Anthropic EU endpoint (api.eu.anthropic.com) under a GDPR Article 28 DPA. No user data is used for model training.
- Transactional email provider. Email delivery for platform notifications and communications. EU-hosted.
- Canvas LMS (open source). Where tenant administrators configure Canvas LMS integration, user enrolment and Gradebook data is exchanged with the Canvas instance. The data controller for that Canvas instance is the tenant.
We may disclose personal data to competent authorities where required by law. We will notify you of such requests where legally permitted to do so.
6. International transfers
All Platform infrastructure runs in AWS eu-central-1 (Frankfurt, Germany). Standard Intelligence Ltd is incorporated in England and Wales; following the UK's adequacy decision for the EEA, personal data flows between the UK and EU member states are treated as adequacy-covered transfers. We do not transfer personal data to third countries outside the UK/EEA except as described above, and only under appropriate safeguards.
7. Data retention
Platform audit logs are retained for 10 years, aligned to EU AI Act Article 18 obligations for high-risk AI system documentation records. AISDP content is retained for the duration of your subscription and for 30 days after contract termination, during which you may export your data. Navigator conversation data is retained for 90 days. Account data is deleted within 30 days of account closure, subject to legal hold requirements. Research Library subscriber data is retained until unsubscribe.
8. Your rights
Under UK GDPR, you have the right to: access the personal data we hold about you; correct inaccurate data; request erasure of your data, subject to legal retention obligations; object to or restrict certain processing; and exercise data portability. Tenant administrators may exercise these rights on behalf of their users through the platform's built-in DSAR and erasure workflow. Individual users may contact [email protected] directly. We respond to rights requests within 30 days.
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority if you are based in an EU member state.
9. Cookies and similar technologies
The Platform uses strictly necessary cookies for authentication session management and CSRF protection. No third-party tracking or advertising cookies are placed. This website (the marketing site) uses a first-party analytics cookie to measure aggregate traffic; no data is shared with advertising networks. You may opt out of analytics cookies via the cookie preference centre.
10. Security
All data is encrypted at rest using AES-256 and in transit using TLS 1.3 or higher. The Platform is built in accordance with NCSC Secure by Design principles. Multi-factor authentication is enforced by default. We conduct regular security testing and maintain a public vulnerability disclosure policy. For security reports, contact [email protected].
11. Changes to this policy
We will notify tenant administrators of material changes to this policy by email at least 30 days before they take effect. The current version is always available at this URL. The version date and number at the top of this page reflect the most recent update.