Electric Azimuth

Compliance & security

Compliance by design, not by patchwork.

Because your AI runs on your infrastructure, Electric Azimuth is not a Data Processor under UK-GDPR. That fundamentally simplifies your compliance obligations — and it is the difference between bolting controls on afterwards and having them built into the architecture.

Structural advantage

The AI runs on your infrastructure, so we are not a Data Processor under UK-GDPR. That single fact removes an entire class of compliance work — no processor agreements, no cross-border transfer risk, no third-party sub-processors to audit.

Certification status

CYBER ESSENTIALS · IN PROGRESS
CYBER ESSENTIALS PLUS · PLANNED
ISO 27001 · PLANNED
ISO 42001 · PLANNED

We only show a certification once it is achieved. Until then it is marked in progress or planned — procurement teams check, and we would rather you trust the label.

Frameworks

How we map to the regimes you answer to.

No third-party data transfers. Your data stays in your jurisdiction and under your control.

Because processing runs on your own infrastructure, Electric Azimuth never receives your data as a third party. For the AI layer that removes the need for processor agreements and international transfer safeguards, and keeps you as the sole controller of the data.

Process patient data on your own servers, with no external API calls and a full audit trail under your governance.

The NHS Data Security and Protection Toolkit (DSPT) is an annual online self-assessment that organisations complete to evidence they meet the National Data Guardian's ten data security standards. Running clinical data on-premise supports that submission and aligns with the Caldicott Principles, which govern the lawful, appropriate handling of confidential patient information under a named Caldicott Guardian.

Operate within classified networks. Transcription and document analysis run fully offline.

Deployments can sit entirely inside accredited, air-gapped networks with no outbound connectivity, supporting the handling rules that apply to material at the relevant security classifications. Specific classification handling is scoped per engagement.

UK government-backed certification. Mandatory for most public sector and government contracts.

Cyber Essentials covers five core technical controls; Cyber Essentials Plus adds an independent, hands-on technical audit that carries more weight with MoD and NHS procurement. Current status is listed in the certification summary above.

The information security management standard for the organisation building your software.

ISO 27001 demonstrates rigorous internal security controls at Electric Azimuth itself — evidence that the supplier is as secure as the deployment. Preferred over SOC 2 across UK and European procurement.

The world's first AI management system standard, published December 2023.

ISO 42001 governs responsible, secure AI development and operation. Pursuing it early signals maturity ahead of most of the UK market.

Secure development lifecycle assurance, used mainly for US-headquartered clients.

US-origin and less critical in the UK once ISO 27001 is in place. We pursue it where a client's own framework requires it.

Need the detail for your procurement team?

We will send a one-page security briefing that maps Electric Azimuth to your specific regulatory obligations.
