EU AI Act Article 50 — 20 days to seal |
Get passport
DEFONEOS Data Governance
GDPR · DPA 2018 · UK GDPR · Data Minimisation · Sovereign Storage · Subject Rights Automation
Version 1.0 · 5 Jul 2026 · Ed25519: b2e5f8a1c3d7e902 · ICO Registration: ZA##### (pending)
DEFONEOS operates under the principle of sovereign data sovereignty: all personal data stays within UK jurisdiction, processed on UK-based infrastructure, under UK law (DPA 2018 + UK GDPR). No data crosses to foreign infrastructure. No data trains foreign models. Every data action is SIGIL-recorded for audit.
7
GDPR Principles Enforced
8
Subject Rights Automated
90d
Forensic Data Retention Max
1. GDPR Principles → DEFONEOS Implementation
| GDPR Principle | Article | DEFONEOS Implementation | Status |
| Lawfulness, Fairness, Transparency | Art 5(1)(a) | Every data processing action logged to SIGIL chain with purpose. Data subjects can request full processing history. | ENFORCED |
| Purpose Limitation | Art 5(1)(b) | Data collected for defence/public safety purposes may NOT be repurposed. Purpose hash recorded at collection time. | ENFORCED |
| Data Minimisation | Art 5(1)(c) | PII redaction at source. Only operationally necessary data collected. Camera feeds auto-blur faces. Audio feeds anonymise voices. | ENFORCED |
| Accuracy | Art 5(1)(d) | Sensor data timestamped and source-attributed. Confidence scores attached. No data presented without provenance. | ENFORCED |
| Storage Limitation | Art 5(1)(e) | Operational data: 30-day rolling window. Forensic data: 90-day max. SIGIL chain: permanent (hash only, no PII). | ENFORCED |
| Integrity & Confidentiality | Art 5(1)(f) | Ed25519 signatures on all data. Quantum-safe key rotation (ML-DSA-65 by 2027). Air-gapped deployment option. | ENFORCED |
| Accountability | Art 5(2) | 3-layer audit chain (OrgKernel): L1 Identity → L2 Execution → L3 Compliance. Every action cryptographically attributed. | ENFORCED |
2. Data Categories & Handling
| Category | Examples | Legal Basis | Retention | Storage |
| Special Category (Art 9) | Biometrics (face blur only), health (medevac) | Art 9(2)(g) — substantial public interest | 30 days | On-device only, never persisted |
| Operational Sensor Data | Camera feeds, AIS, weather, air quality | Art 6(1)(e) — public task | 30 days rolling | UK sovereign VM |
| Agent Communications | SIGIL entries, BFT votes, council decisions | Art 6(1)(f) — legitimate interest | Permanent (hash only) | SIGIL chain (no PII) |
| System Logs | Access logs, error logs, performance metrics | Art 6(1)(f) — legitimate interest | 90 days | UK sovereign VM |
| User Account Data | Name, email, role, RBAC permissions | Art 6(1)(b) — contract | Account lifetime + 30d | UK sovereign VM (encrypted) |
| Forensic Evidence | Incident artifacts, chain of custody | Art 6(1)(c) — legal obligation | 90 days (unless legally required longer) | Air-gapped storage |
3. Data Subject Rights Automation
| Right | Article | How DEFONEOS Satisfies | Response Time |
| Right of Access | Art 15 | SIGIL explorer API: subject can query all processing actions involving their data (PII-redacted references) | ≤30 days |
| Right to Rectification | Art 16 | Self-service portal: user can correct account data. Operational sensor data is immutable (timestamped). | ≤30 days |
| Right to Erasure | Art 17 | Account data: immediate deletion. SIGIL references: pseudonymised (hash remains, PII removed). | ≤30 days |
| Right to Restrict Processing | Art 18 | User can flag their data as restricted. System marks all related SIGIL entries as restricted. | ≤30 days |
| Right to Data Portability | Art 20 | Export API: user data exported as JSON/CSV with full processing history. | ≤30 days |
| Right to Object | Art 21 | User can object to specific processing. BFT council reviews objection within 30 days. | ≤30 days |
| Right Not to Be Subject to Automated Decision-Making | Art 22 | 5-level human oversight framework. All SEV-1 decisions require human authority. No fully autonomous kinetic decisions. | Immediate |
| Right to Withdraw Consent | Art 7(3) | One-click withdrawal in user portal. Processing stops immediately, data queued for deletion. | Immediate |
4. Sovereign Storage Architecture
📡 Sensor Input
→
🔒 PII Redaction
→
🇬🇧 UK VM Storage
→
⛓️ SIGIL Hash
→
⏰ 30d Expiry
Storage Locations
| Layer | Location | Encryption | Backup |
| Primary VM | UK GCP (meok-backend) | AES-256 at rest | Daily snapshot, UK region |
| Edge Cache | On-device (M2/M3/M4 Mac) | FileVault + AES-256 | Local Time Machine |
| Air Gap | Physical USB (offline) | VeraCrypt container | Manual rotation |
| SIGIL Chain | Distributed (Mac + VM) | Ed25519 signed | Hash-chained (tamper-evident) |
No Foreign Transfer — Ever
DEFONEOS guarantees zero international data transfers. The system is architected so that:
- No data is sent to US cloud providers (AWS, GCP US regions, Azure US)
- No data trains foreign AI models (no data sent to OpenAI, Anthropic, Google AI, etc.)
- No data crosses UK borders (all processing on UK sovereign infrastructure)
- If international transfer is operationally required (e.g., AUKUS data sharing): explicit BFT 23/33 vote + human authority + data minimisation + transfer impact assessment
5. Data Protection Impact Assessment (DPIA) — Summary
| DPIA Element | DEFONEOS Response |
| System Description | Sovereign AI OS for defence/public safety. 30 MCP servers, 33-agent BFT council, SIGIL audit chain. |
| Necessity & Proportionality | Data minimisation at source. PII redaction before storage. Only operationally necessary data collected. 30-day retention. |
| Risks to Rights & Freedoms | Mass surveillance risk → mitigated by 7 red lines. Discrimination risk → mitigated by BFT council diversity. Data breach risk → mitigated by Ed25519 + quantum-safe rotation. |
| Risk Mitigation Measures | PII redaction, SIGIL audit chain, BFT governance, red-line enforcement, human oversight, sovereign storage, 90-day forensic cap. |
| DPO Sign-off | PENDING — DPIA drafted, requires DPO review before live deployment. |
6. UK GDPR + DPA 2018 Specifics
| DPA 2018 Provision | DEFONEOS Implementation |
| Part 2, Ch 2 — General Processing | All standard GDPR principles applied as above. |
| Part 2, Ch 3 — Law Enforcement Processing | If used for law enforcement: separate controller agreement, additional safeguards, crime-specific retention schedule. |
| Schedule 1 — Substantial Public Interest Conditions | Defence and national security fall under Schedule 1(2). Appropriate policy document required — DEFONEOS Charter serves this role. |
| s170 — Unlawful Obtaining of Personal Data | SIGIL chain + DORADO foreign access detector prevent and log all unauthorised data access attempts. |
| National Security Exemption (s26) | DEFONEOS documents which exemptions are claimed and why — never blanket-applied. SIGIL chain records the claim. |
7. Automated Compliance Pipeline
┌──────────────────────────────────────────────────────────┐
│ DATA GOVERNANCE PIPELINE │
├──────────────────────────────────────────────────────────┤
│ │
│ INPUT REDACT STORE AUDIT │
│ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ │
│ │Data │──────▶│PII │───────▶│UK VM│──────▶│SIGIL│ │
│ │In │ │Blur │ │Encr │ │Chain│ │
│ └─────┘ └─────┘ └─────┘ └─────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ No faces AES-256 Ed25519 │
│ No voices FileVault Hash-chain │
│ No plates Air-gap opt BTC anchor │
│ │
│ EXPIRE: 30 days operational | 90 days forensic │
│ EXPORT: Art 20 JSON/CSV | Art 15 SIGIL query │
│ DELETE: Art 17 immediate | Art 17(3) hash remains │
│ │
└──────────────────────────────────────────────────────────┘
8. Breach Notification Protocol
| Step | Action | Timeline | Responsible |
| 1 | Breach detected by Gods-Eye scanner or DORADO | T+0 | Autonomous |
| 2 | SEV-1 classification, BFT council emergency session | T+30s | BFT 23/33 |
| 3 | Containment (see Incident Response Playbook) | T+2min | BFT + System |
| 4 | Breach assessment: scope, data types, affected subjects | T+1h | DPO (human) |
| 5 | If risk to rights & freedoms: notify ICO | ≤72h | DPO + Nick |
| 6 | If high risk: notify affected data subjects | ≤72h | DPO + Nick |
| 7 | Breach record created on SIGIL chain | ≤72h | Autonomous |
| 8 | Post-breach review and hardening | ≤7 days | BFT + DPO |
9. Controller / Processor Roles
| Entity | Role | Responsibilities |
| CSOAI Ltd (UK 16939677) | Data Controller | Determines purposes and means of processing. Maintains DPIA. ICO point of contact. |
| MEOK AI Labs | Processor (internal) | Builds and maintains DEFONEOS infrastructure. Acts on controller instructions. |
| End User Organisation (e.g., MOD) | Joint Controller | Determines operational use. Subject to their own DPIA. |
| UK GCP Infrastructure | Sub-processor | Provides compute. Data Processing Agreement (DPA) in place. UK region only. |
📋 Honesty Register
- ICO Registration: CSOAI Ltd registration as data controller pending Nick's completion. Framework is designed; legal registration is a human gate.
- DPO appointment: CSOAI Ltd has not formally appointed a DPO. Under UK GDPR, a DPO is required for large-scale special category processing. This is a human gate.
- "No foreign transfer": This is a design principle enforced architecturally. If deployed in an AUKUS context with allied data sharing, an explicit Article 49 transfer mechanism would be required.
- PII redaction: Camera face-blur and voice anonymisation are implemented as MCP tools. Effectiveness depends on correct deployment configuration.
- BTC anchoring: Planned for SIGIL chain. Currently internally verified only. The design accommodates BTC OP_RETURN anchoring when integrated.
- Subject rights automation: The API endpoints are designed. Full self-service portal UI is planned but not yet built.
10. Compliance Crosswalk
| Framework | Article/Control | DEFONEOS Coverage |
| UK GDPR | Arts 5-22 | Full — all 7 principles + 8 rights implemented |
| DPA 2018 | Parts 2-4 + Schedule 1 | Framework documented. Schedule 1 policy = DEFONEOS Charter |
| EU AI Act | Art 10 — Data Governance | Training data governance, bias mitigation, provenance tracking |
| EU AI Act | Art 14 — Human Oversight | 5-level oversight framework, Art 22 automated decision rights |
| JSP 440 | Defence InfoSec | UK MOD data handling compatible. SIGIL chain provides audit trail. |
| NIS Regulations 2018 | Security of Network & Info Systems | Incident notification pipeline. Operators of Essential Services compatible. |
| Cyber Essentials | 5 Technical Controls | Firewall, secure config, access control, malware protection, patch management |
| ISO 27001 | Annex A.8 — Asset Management | Data classification, handling, retention schedule |