Question 1

Does the AI train on our client data?

Accepted Answer

No. Client data is never used to train any AI model. Inference runs via AWS Bedrock (eu-west-2, London) with zero data retention (ZDR): Bedrock does not retain prompts or outputs after the API call completes. Files are processed in memory and discarded. A data processing agreement (DPA) is provided before any client data is processed.

Question 2

Is this SRA compliant?

Accepted Answer

The product is designed to be consistent with the SRA's AI Risk Outlook guidance. Every AI output is a clearly-labelled draft requiring review and explicit sign-off by a named MLRO or COLP (with their SRA reference logged); no AI output is auto-filed; the firm remains the regulated entity and responsible party; and an append-only audit log of all AI outputs and human decisions is maintained. This does not constitute legal advice about a specific firm's obligations.

Question 3

What happens when AML supervision transfers from the SRA to the FCA?

Accepted Answer

The FCA will inherit the files and procedures firms create today. The underlying MLR 2017 obligations remain unchanged — only who supervises changes. The FCA is expected to adopt a more data-driven, forensic inspection approach. Evidence packs are designed to be legible to both the current SRA inspection format and the FCA's anticipated forensic style.

Question 4

Where is client data stored, and can it leave the UK?

Accepted Answer

All data is stored in AWS eu-west-2 (London). No data transits to US or non-UK/EU infrastructure. AI inference runs via Bedrock EU endpoints. ISO 27001 certification is planned before general availability (currently in design phase). Cyber Essentials Plus is being applied for in parallel. The certification timeline is published transparently — no certifications are claimed that are not yet held.

Question 5

Which practice management systems do you integrate with?

Accepted Answer

The product is PMS-agnostic and designed to sit above the existing stack, not replace it. Integration roadmap: Clio, LEAP, Actionstep, and Osprey. Reads from Thirdfort, Amiqus, and ComplyAdvantage for ID verification and sanctions data. Integration does not require replacing the existing PMS.

Question 6

Does the AI file SARs (Suspicious Activity Reports) automatically?

Accepted Answer

No. Filing a SAR is a legal act with serious consequences. The AI can identify indicators that a matter may warrant SAR consideration and draft supporting analysis, but the MLRO must review the analysis, make the decision independently, and file via the NCA's SARS Online portal. The system logs that the consideration occurred and who made the decision — it never acts on it.

Question 7

How do you handle the tipping off prohibition?

Accepted Answer

SAR-consideration workflows are partitioned from fee-earner views. Once a SAR consideration is open, the matter is flagged internally to the MLRO only — fee earners see a general hold instruction without the reason. This is enforced at the access-control layer, not just the UI layer.

Question 8

What is the cost of the service?

Accepted Answer

Currently in pre-launch, conducting paid-intent discovery calls. Intended model: free 30-minute compliance health-check with no commitment, then a one-month free pilot with written success criteria and an end date, then a minimum 6-month subscription. Pricing is per fee-earner per month, calibrated to be a fraction of the cost of a single avoided AML fine. Accessible to firms of any size — not enterprise-gated.

Question 9

Will you sign a data processing agreement (DPA)?

Accepted Answer

Yes. A DPA is required before any client data is processed. The DPA covers: lawful basis for processing, sub-processor chain (AWS, Bedrock), data residency guarantees, retention and deletion schedule, and breach notification obligations. Client data will not be processed without a signed DPA.

Question 10

Is the AI output protected by legal professional privilege?

Accepted Answer

This is a live area of law. AI-assisted outputs directed by a qualified lawyer, used in preparation for legal proceedings, and subject to MLRO review and adoption, may be capable of attracting privilege — but this has not been authoritatively decided. Firms should treat AI compliance outputs as records that assist the fee earner's own work product, not as privileged communications in their own right. This is not legal advice.

Built for firms where client confidentiality is non-negotiable.

Six design decisions that protect client data.

Built for firms where client confidentiality @property --shine-ang { syntax: "<angle>"; inherits: false; initial-value: 0deg; } @keyframes shine-spin { to { --shine-ang: 360deg; } } @media (prefers-reduced-motion: reduce) { [data-shine] { animation: none !important; } } is non-negotiable.

Six design decisions that protect client data.

Built for firms where client confidentiality is non-negotiable.