Defence and public-service AI deployments process data that is subject to overlapping legal regimes: UK GDPR (personal data), the Official Secrets Act (classified information), the Data Protection Act 2018 (law-enforcement data), and — for MOD data — JSP 440 (MOD security policy) and JSP 936 (AI assurance). When this data is held by a third-party AI provider, the chain of custody becomes the single most important trust question the buyer asks.
The DEFONEOS Sovereign Data Escrow Protocol answers that question before it is asked. It defines, cryptographically, exactly: who can access the data, under what authority, for what purpose, with what audit trail, and with what destruction guarantee. The answer is always: UK jurisdiction only, Ed25519-signed, BFT-council-witnessed, and cryptographically destructible.
| Layer | Name | What it protects | Cryptographic mechanism |
|---|---|---|---|
| L0 | Physical Residency | Data never leaves UK soil. No US-headquartered provider in the chain. | Provider attestation + network ACLs enforcing eu-west-2 / on-prem only |
| L1 | Encryption at Rest | If physical media is seized, data is unreadable without the key. | AES-256-GCM with per-deposit data-encryption-keys (DEKs) wrapped by customer-managed keys (CMKs) in AWS KMS eu-west-2 or on-prem HSM |
| L2 | Encryption in Transit | Data cannot be intercepted between components. | TLS 1.3 with certificate pinning and forward secrecy (no RSA key exchange) |
| L3 | Identity & Access | Only named, cleared individuals can request data access. | Ed25519 key pairs per human + per service account. SC clearance verified before key issuance. Keys held in hardware (YubiKey / HSM). |
| L4 | Escrow Receipt | Every deposit, access, and release is cryptographically signed and timestamped. | Ed25519-signed receipt with RFC 3161 trusted timestamp. Receipts chain to form an append-only custody log. |
| L5 | Release Authorisation | No single person can release data. 4-eyes minimum. | Cryptographic challenge-response: Requestor signs a release challenge, Co-authorisor countersigns. Both signatures verified before data is unsealed. |
| L6 | BFT Council Witness | Emergency override / veto: the 33-agent council can block any release. | Release request broadcast to BFT council. If ≥17/33 reject within 4h, release is blocked and escalation triggered. |
Every custody event (deposit, access, release, destruction) generates an Ed25519-signed receipt. Receipts are RFC 3161 timestamped and chain to the previous receipt, forming an append-only custody log that is independently verifiable.
{
"receipt_id": "esc-2026-07-14-a3f7c2e9",
"event_type": "DEPOSIT",
"timestamp": "2026-07-14T17:30:00Z",
"timestamp_authority": "RFC3161://tsa.csoai.org",
"depositor": {
"name": "Lt Col [REDACTED]",
"clearance": "SC",
"ed25519_pubkey": "sha256:7a3f...c2e9"
},
"dataset": {
"classification": "OFFICIAL-SENSITIVE",
"record_count": 847291,
"data_hash": "blake3:9f2a8c...e7b3",
"encryption": "AES-256-GCM",
"key_id": "kms-uk-eu-west-2/cmk-defoneos-brigade-cop"
},
"residency": {
"region": "aws-eu-west-2",
"country": "GB",
"provider_jurisdiction": "UK-only",
"cloud_act_exposure": false
},
"purpose": "Sovereign COP — HQ Field Army pilot",
"retention": {
"policy": "Pilot: 18 months from deposit",
"auto_destruct_date": "2028-01-14T17:30:00Z"
},
"prev_receipt_hash": "sha256:3b8c1f...a9d2",
"signature": "ed25519:f3a7e2b9...c8d1"
}
Data can only be released from escrow under one of these 6 named conditions. Any release must pass 4-eyes authorisation + BFT council witness:
| # | Condition | Authorisation Required | BFT Council Role | Audit |
|---|---|---|---|---|
| 1 | Authorised Query — Named user queries the dataset for an approved purpose (e.g. COP refresh) | Requestor (4-eyes) + purpose-tag | Passive witness (logged, not blocking) | Ed25519-signed query log + data_hash of response set |
| 2 | Pilot Milestone — Data accessed as part of an approved pilot milestone review | Pilot PI + DEFONEOS PM (4-eyes) | 1 BFT General must witness + sign | Milestone report + receipt chain |
| 3 | Compliance Audit — Regulator or accredited auditor requests access (NCSC, ICO, UK AISI) | Auditor credential + DEFONEOS compliance lead (4-eyes) | 3 BFT Generals must approve | Audit scope + time-boxed access token (auto-expires 4h) |
| 4 | Court Order (UK) — UK court issues a lawful production order | Legal counsel + DEFONEOS CEO (4-eyes) + production order verified | BFT council informed; cannot block lawful UK court order but can require scope limitation | Production order reference + scope log + legal opinion |
| 5 | Retention Expiry — Auto-destruction at retention policy expiry | Automated (no human required) | BFT council witnesses the destruction proof | Cryptographic erasure log + Ed25519 destruction receipt |
| 6 | Emergency Override — BFT-council-directed release in response to a critical operational need (e.g. life-safety) | 23/33 BFT Generals must vote approve + DEFONEOS CEO countersign | Active: BFT council IS the authorisation | Full BFT vote record + 23 signatures + CEO countersignature |
The core sovereign guarantee: zero US CLOUD Act exposure.
| Vector | Standard cloud (US provider) | DEFONEOS Sovereign Escrow |
|---|---|---|
| US CLOUD Act (2018) | US government can compel US-headquartered providers (AWS, Azure, GCP) to produce data held in any jurisdiction, including UK, regardless of UK law. | Not applicable. No US-headquartered provider in the custody chain. Data is on AWS eu-west-2 BUT the CMK is held in a UK HSM, meaning even a CLOUD Act order to AWS cannot produce the plaintext. |
| US FISA / Section 702 | US intelligence can access data from US providers without a court order. | Not applicable. Same reason — no US provider holds the decryption key. |
| UK IPA 2016 (Investigatory Powers Act) | UK government can issue bulk interception and equipment interference warrants. | Compliant. DEFONEOS operates under UK law. UK government access follows UK legal process (court order, IPA warrant). This is the correct jurisdiction for UK sovereign data. |
| US-UK Data Access Agreement (2022) | Allows cross-border data requests between US and UK for serious crime. | Not applicable to escrow custody. The DAA covers communications providers (CSPs), not data-at-rest escrow. DEFONEOS is not a CSP. If a DAA request were made, it would follow condition #4 (Court Order). |
| Fifth-Eye data sharing | If data touches Five Eyes infrastructure, it may be shared under Five Eyes intelligence-sharing agreements. | Zero exposure. No Five Eyes infrastructure in the custody chain. The BFT council veto (L6) specifically guards against informal intelligence-sharing requests that bypass formal legal process. |
When data reaches retention expiry or is deliberately destroyed, the protocol produces a cryptographic destruction proof that is independently verifiable:
{
"destruction_receipt_id": "dest-2026-07-14-b7e3f1a8",
"dataset_hash_destroyed": "blake3:9f2a8c...e7b3",
"method": "CRYPTOGRAPHIC_ERASURE",
"description": "AES-256-GCM DEK securely destroyed in AWS KMS eu-west-2. Ciphertext remains but is permanently unreadable.",
"destruction_timestamp": "2026-07-14T17:30:00Z",
"destruction_authorised_by": {
"human_1": "ed25519:7a3f...c2e9",
"human_2": "ed25519:b2e9...f3a7"
},
"bft_witness_quorum": {
"generals_witnessing": 28,
"generals_required": 23,
"witness_signatures": ["ed25519:gen1...sig", "ed25519:gen2...sig", "..."]
},
"verification": "Any party can verify: (1) the dataset_hash matches a previously deposited receipt, (2) the DEK no longer exists in KMS, (3) the BFT witness quorum is met. The destruction is then provably irreversible."
}
The BFT council provides an independent safety mechanism: any release of escrowed data is broadcast to all 33 General agents. If ≥17 Generals (a simple majority of quorum) vote to veto within 4 hours, the release is blocked and an escalation is triggered to the DEFONEOS CEO and the buyer's data protection officer.
The veto is designed for edge cases where the 4-eyes authorisation is technically correct but operationally unwise — for example, a request that appears authorised but is anomalous in pattern (unusual time, unusual scope, unusual requestor combination). The BFT council acts as a cryptographic tripwire that cannot be bypassed, because the escrow system requires the council's passive non-objection (no veto within 4h) before unsealing data.
| Regime | Clause | How DEFONEOS Escrow Complies |
|---|---|---|
| UK GDPR | Art 28 (Data Processing Agreement) | 7/7 DPA terms met: defined purpose, confidentiality, security measures, sub-processor restrictions (none without controller consent), data return/deletion at end, audit rights, written record |
| UK GDPR | Art 32 (Security of Processing) | AES-256-GCM at rest, TLS 1.3 in transit, Ed25519 access control, regular testing via adversarial red-team framework |
| UK GDPR | Art 5(1)(f) (Integrity & Confidentiality) | 4-eyes release + BFT council veto + append-only custody log |
| DPA 2018 | Schedule 1 (Law enforcement processing) | Condition #4 (Court Order) + Condition #6 (Emergency Override) provide the lawful basis chain |
| Official Secrets Act 1989 | Section 7 (Disclosure of protected information) | Only UK-cleared individuals (SC minimum) can hold escrow keys. No disclosure outside UK jurisdiction without lawful authority. |
| JSP 440 | Security policy for MOD information | L0 physical residency (UK-only) + L3 identity (SC-cleared key holders) + L4 escrow receipts satisfy JSP 440 marking, handling, and transmission requirements |
| JSP 936 | AI assurance for defence | BFT council governance (L6) provides the independent assurance mechanism JSP 936 requires for high-risk AI deployments |
| EU AI Act | Art 15 (Accuracy, robustness, cybersecurity) | Escrow protocol protects training data integrity, preventing poisoning attacks that degrade model robustness |
| NCSC CAF | C4 (Protecting against cyber attack) | Encryption + access control + monitoring align with CAF Objective C4 |
| ISO 27001 | Annex A.8 (Asset management) + A.10 (Cryptography) | Asset inventory via custody log + cryptographic key management via HSM/KMS |