Trust — Regulatory Compliance

Compliance as an input, not an afterthought.

We operate under UK law and build for clients across the UK and EU. Regulatory requirements — UK GDPR, EU GDPR and the EU AI Act — shape our architectures from day zero, because retrofitting compliance is the most expensive way to achieve it.

UK & EU GDPR

Data protection, engineered in.

01

Data sovereignty protocols

Personal data is processed in the region agreed with you — UK or EU data residency by default for UK/EU clients — using region-pinned cloud services inside isolated landing zones.

02

Cross-border safeguards

Where a transfer outside the UK/EEA is unavoidable, it is covered by recognised mechanisms — UK IDTA or Addendum, EU Standard Contractual Clauses — with transfer risk assessed and documented first.

03

Lawful basis & DPAs

We act as processor under a written data processing agreement, on your documented instructions, with purpose limitation and records of processing maintained for every engagement.

04

Data subject rights

Our architectures are built so access, rectification, erasure and portability requests can actually be fulfilled — data is locatable, attributable and deletable — and we support your DSAR responses within statutory timelines.

05

Privacy by design & DPIAs

High-risk processing triggers a data protection impact assessment before build. Minimisation, pseudonymisation and retention limits are design inputs, not review findings.

06

Breach notification

A documented process commits us to notifying affected clients without undue delay on becoming aware of a personal data breach, with the facts needed for your own regulatory obligations.

EU AI Act & AI governance

Governing the systems we build — and the ones you already run.

Every AI/ML workload we deliver is governed through a documented lifecycle aligned with the EU AI Act's risk-based approach. The same framework powers our Evaluation & Testing service for systems built elsewhere.

01

Risk classification first

Each use case is classified against the AI Act's categories before design. Prohibited practices are declined outright; high-risk contexts get proportionate controls and human oversight.

02

Transparency & documentation

Model choices, system prompts, data sources and known limitations are documented per system — so users know they are interacting with AI, and auditors can see how it behaves.

03

Data lineage tracking

We track what data trained, grounded or configured each system, version by version — provenance you can produce when a regulator, customer or court asks.

04

Human oversight by design

Consequential decisions route through approval gates. Autonomy is bounded, reversible and logged; a human can always intervene, override or switch off.

05

Continuous risk mitigation

Evaluation harnesses, drift detection and red-teaming run through the system's life — because AI risk changes with every model update, not just at launch.

06

Ethical usage boundaries

We decline work involving covert surveillance, social scoring, manipulation of vulnerable groups or discrimination — whatever the contract value.

Risk assessment before every build
Records of processing maintained
Model & data documentation per release
Audit-ready logs & lineage

This page describes the operating framework of Genius AI Solutions Ltd and is provided for information. It is not legal advice, and it does not amend any contract. Engagement-specific terms — including data processing agreements — are agreed in writing before work begins.

Show this page to your compliance team.

Then put them on the call with ours. We'd rather answer the hard questions before the contract than after an incident.