§ DOCS · DSPT v8 · DRAFT
DSPT v8 self-assessment. Draft.
Public self-assessment against the Data Security and Protection Toolkit v8 standards in force on 30 June 2026. We score ourselves conservatively — anything not yet fully operationalised is marked in-flight, not met. The draft updates each cycle as the evidence vault fills in.
Last refreshed 2026-06-15. Next refresh scheduled at the close of the Q2 review. This is the page the customer's auditor sees first.
- Met: 10
- Partial: 1
- In flight: 5
- N/A: 1
- Total standards: 17
§ 01 · PERSONAL CONFIDENTIAL DATA
- 1.1.1 · MET
  Requirement: Personal confidential data is managed against a defined retention schedule with documented justification per data class.
  Our control: Five-class retention schedule published on /sovereignty#retention. Raw frames 30s; embeddings 14d; events 30d; audit logs 12mo; backups 7d.
  Evidence: /sovereignty#retention
- 1.2.1 · MET
  Requirement: Lawful basis for processing is documented and a balancing test held on file where Art 6(1)(f) is relied on.
  Our control: UK GDPR Art 6(1)(f) legitimate interests. Balancing test on file, shared with customer DPO under NDA before order signature.
  Evidence: /sovereignty#lawful-basis
- 1.3.1 · IN FLIGHT
  Requirement: Subject rights — access, rectification, erasure — can be exercised within statutory timeframes.
  Our control: DSAR process documented; customer routes the request to us within 7 days; we resolve against embedding store + event log within 14 days, leaving a 9-day customer buffer for the full 30-day window.
  Evidence: (placeholder — DSAR runbook in evidence vault)
  Gap: DSAR runbook needs to be moved from the founder's notes into a versioned doc in the evidence vault before the first paid pilot.
- 1.4.1 · MET
  Requirement: Sub-processors are documented, named and bound by a DPA that flows through customer obligations.
  Our control: Four named sub-processors on /sovereignty#sub-processors. DPAs in place with each. UK or EU jurisdictions only.
  Evidence: /sovereignty#sub-processors
§ 02 · STAFF RESPONSIBILITIES
- 2.1.1 · IN FLIGHT
  Requirement: All staff with access to personal confidential data complete annual data-security training and sign an attestation.
  Our control: Quarterly DSPT v8 awareness module plus annual attestation. Records held in the customer's audit pack.
  Evidence: (placeholder — training-records repo in evidence vault)
  Gap: Headcount is one. Training and attestation will be operationalised when headcount is greater than one; until then the single-founder attestation is on file.
- 2.2.1 · PARTIAL
  Requirement: Senior responsibility — a named officer is accountable for data security.
  Our control: Single-founder operation today; the founder is the named officer. On second hire the role transfers to a named SIRO with the founder as fallback.
  Evidence: (placeholder — SIRO record in evidence vault)
  Gap: Bus-factor of one is a real residual risk; the customer's auditor should expect this on a sub-£1M ARR vendor and weigh it.
§ 03 · TRAINING
- 3.1.1 · IN FLIGHT
  Requirement: Staff receive role-specific training in handling personal confidential data, with refresher cadence at least annual.
  Our control: Founder attestation today; quarterly module + annual refresher when headcount is greater than one.
  Evidence: (placeholder — training-records repo)
  Gap: Same as 2.1.1 — the training infrastructure exists; the headcount it applies to is one.
§ 04 · MANAGING DATA ACCESS
- 4.1.1 · MET
  Requirement: Access to personal confidential data is restricted to the minimum staff required; access is logged and reviewed.
  Our control: Role-scoped access: operators see only their assigned cameras; reviewers see only flagged events in their window; admins see audit logs. Nobody sees raw embeddings. All access logged.
  Evidence: /security#dspt
- 4.2.1 · MET
  Requirement: Authentication is at least multi-factor for any account with access to personal confidential data.
  Our control: MFA enforced site-wide via the auth layer (TOTP plus WebAuthn). No password-only access path exists.
  Evidence: (placeholder — auth-config doc in evidence vault)
§ 05 · PROCESS REVIEWS
- 5.1.1 · IN FLIGHT
  Requirement: Annual review of all data-processing activities with documented findings and remediation.
  Our control: First annual review completes at the end of the first paid pilot. Until then, every pilot order is reviewed end-to-end against this self-assessment.
  Evidence: (placeholder — review-log in evidence vault)
  Gap: No paid pilots yet; the first annual review is therefore scheduled after the first pilot completes.
§ 06 · RESPONDING TO INCIDENTS
- 6.1.1 · MET
  Requirement: Incident response procedure that meets the ICO 72-hour breach window with documented escalation.
  Our control: Customer notified within 24 hours; ICO notification drafted by us, filed by the customer; 72-hour window met by default.
  Evidence: /security#dspt
- 6.2.1 · N/A
  Requirement: Lessons learned are captured after every reportable incident and feed back into controls.
  Our control: Post-incident review template ready; no incidents to date so the review log is empty by design.
  Evidence: (placeholder — incident-review repo)
  Gap: Not applicable until first incident. Template is ready.
§ 07 · CONTINUITY PLANNING
- 7.1.1 · IN FLIGHT
  Requirement: Business continuity plan tested annually for the loss of key services.
  Our control: Edge node failure → camera continues local recording per the customer's own NVR. Embedding store failure → 7-day backup in same UK region; restore tested quarterly. UK region failure → documented degraded-mode (no ReID, but no data loss).
  Evidence: (placeholder — BCP test log)
  Gap: Restore drill is documented; first live drill will run before the first paid pilot.
§ 08 · UNSUPPORTED SYSTEMS
- 8.1.1 · MET
  Requirement: All systems holding personal confidential data are within the vendor's support lifecycle.
  Our control: Vercel, Neon, Cloudflare, Sentry — all currently supported. Astro and Node 22 LTS for the marketing surface. No vendored legacy components in the data path.
  Evidence: package.json and dependency manifest
§ 09 · IT PROTECTION
- 9.1.1 · MET
  Requirement: Anti-malware, patching and vulnerability management are continuous and documented.
  Our control: Hosted on managed PaaS; OS-layer patching is the responsibility of each sub-processor and contractually bound. Application dependencies tracked via Dependabot and Renovate; CVE severity above 6 patched within 7 days.
  Evidence: (placeholder — vulnerability-management log)
- 9.2.1 · MET
  Requirement: Encryption at rest and in transit for all personal confidential data.
  Our control: AES-256-GCM at rest in Neon; TLS 1.3 in transit; no plaintext anywhere in the data path. Embedding-store backup snapshots also encrypted at rest.
  Evidence: /sovereignty#topology
§ 10 · ACCOUNTABLE SUPPLIERS
- 10.1.1 · MET
  Requirement: Supplier (sub-processor) compliance is reviewed at contract and at renewal.
  Our control: Sub-processor list at /sovereignty#sub-processors. Each has a DPA in place with us. Annual review at contract anniversary; renewals are not auto-pushed without review.
  Evidence: /sovereignty#sub-processors
Read the residency story alongside.
The control mappings above are pinned to named edges, named retention windows and a documented lawful basis. The full residency proof is on /sovereignty; the one-screen summary is on /security.