Data sovereignty protocols
Personal data is processed in the region agreed with you — UK or EU data residency by default for UK/EU clients — using region-pinned cloud services inside isolated landing zones.
We operate under UK law and build for clients across the UK and EU. Regulatory requirements — UK GDPR, EU GDPR and the EU AI Act — shape our architectures from day zero, because retrofitting compliance is the most expensive way to achieve it.
Personal data is processed in the region agreed with you — UK or EU data residency by default for UK/EU clients — using region-pinned cloud services inside isolated landing zones.
Where a transfer outside the UK/EEA is unavoidable, it is covered by recognised mechanisms — UK IDTA or Addendum, EU Standard Contractual Clauses — with transfer risk assessed and documented first.
We act as processor under a written data processing agreement, on your documented instructions, with purpose limitation and records of processing maintained for every engagement.
Our architectures are built so access, rectification, erasure and portability requests can actually be fulfilled — data is locatable, attributable and deletable — and we support your DSAR responses within statutory timelines.
High-risk processing triggers a data protection impact assessment before build. Minimisation, pseudonymisation and retention limits are design inputs, not review findings.
A documented process commits us to notifying affected clients without undue delay on becoming aware of a personal data breach, with the facts needed for your own regulatory obligations.
Every AI/ML workload we deliver is governed through a documented lifecycle aligned with the EU AI Act's risk-based approach. The same framework powers our Evaluation & Testing service for systems built elsewhere.
Each use case is classified against the AI Act's categories before design. Prohibited practices are declined outright; high-risk contexts get proportionate controls and human oversight.
Model choices, system prompts, data sources and known limitations are documented per system — so users know they are interacting with AI, and auditors can see how it behaves.
We track what data trained, grounded or configured each system, version by version — provenance you can produce when a regulator, customer or court asks.
Consequential decisions route through approval gates. Autonomy is bounded, reversible and logged; a human can always intervene, override or switch off.
Evaluation harnesses, drift detection and red-teaming run through the system's life — because AI risk changes with every model update, not just at launch.
We decline work involving covert surveillance, social scoring, manipulation of vulnerable groups or discrimination — whatever the contract value.
This page describes the operating framework of Genius AI Solutions Ltd and is provided for information. It is not legal advice, and it does not amend any contract. Engagement-specific terms — including data processing agreements — are agreed in writing before work begins.
Then put them on the call with ours. We'd rather answer the hard questions before the contract than after an incident.