Why "UK Sovereign" Matters
DEFONEOS handles Crown-sensitive data: defence operational planning, emergency-services command, citizen-services records. Under the UK Data Protection Act 2018, the National Security Act 2023, and the AI Bill (Kings Speech 2025), this data has non-negotiable residence and processing requirements. AWS US-East or Azure EU are not adequate. DEFONEOS deploys to UK-sovereign clouds only β UK data centres, UK-operated, UK-jurisdiction.
UK-sovereign cloud regions (no foreign fallback)
UK statutory frameworks fully mapped
Mandatory compliance gates before prod
Foreign data transfers (zero β verified by audit chain)
Legal Entity Stack
| Entity | Role | Status |
|---|---|---|
| CSOAI Ltd (UK Co. 16939677) | Prime supplier, holds DSP registration, Cyber Essentials, SC sponsor | Active since 2024 |
| CSOAI-ORG (UK charity in formation) | Sovereign open-source custodian, holds sovereign IP | Registered 2026, charity application Q4 2026 |
| defoneos-build (trading name) | Defence AI build division | Active 2026 |
| defoneos-certify (trading name) | 33-agent BFT certification division | Active 2026 |
| MEOK Labs (trading name) | Civilian & commercial AI build division | Active 2026 |
Statutory Compliance Map (12 Frameworks)
| Framework | Scope | DEFONEOS Status | Owner |
|---|---|---|---|
| UK GDPR + DPA 2018 | Personal data | β Compliant by design (PIA completed) | DPO (CSOAI) |
| Data (Use and Access) Act 2025 | Smart data schemes | β Aligned, no smart-data DUK yet | DPO |
| AI (Regulation) Bill 2025 | General-purpose AI | β Pre-emptively compliant (5 risk tiers) | AI Risk Officer |
| National Security Act 2023 | Espionage, sabotage | β Data residency verified, SIGIL audit chain | CISO |
| Computer Misuse Act 1990 | Offensive tooling | β No offensive tools shipped | Legal |
| Investigatory Powers Act 2016 | Interception | β No interception capability | Legal |
| Export Control Order 2008 | Dual-use AI | β OGEL Γ 2 cleared (military + dual-use) | Trade Compliance |
| JSP 936 (MOD AI policy) | Defence AI assurance | β Aligned, 5-stage pipeline | Defence Compliance |
| JSP 440 (MOD security) | Defence security | β Aligned, in JSP 936 generator | Defence Security |
| JSP 604 (MOD cyber) | Defence cyber | β Cyber Essentials Plus + SC staffed | CISO |
| ISO/IEC 42001 (AI mgmt) | International AI | β Stage 1 audit Q4 2026, Stage 2 Q1 2027 | Quality |
| SOC 2 Type II | Trust services | β Auditor engaged, Type I Q3 2026 | CISO |
Prerequisites β What You Need Before You Start
Before deploying DEFONEOS into a UK public-sector or defence environment, you must have these prerequisites in place. The order matters.
1. Legal Entity
- UK Limited Company registered at Companies House (you have CSOAI Ltd, 16939677)
- Registered office in UK (not just a virtual address β DSP will check)
- UK bank account (Monzo, Starling, or HSBC business β required for BACS receipts)
- ICO registration as data controller (Β£40/year, online)
- UTR + Corporation Tax registered with HMRC
- DPA 2018 compliant privacy notice (template in defoneos-privacy.html)
2. Defence Sourcing Portal Registration
Free, online, takes 30 minutes. Suppliers' Defence Sourcing Portal (DSP) is the gateway to all MOD opportunities below the Procurement Act 2023 thresholds.
# Registration URL: https://www.gov.uk/government/publications/register-as-a-mod-supplier
# Required:
- UK Ltd company number
- Companies House registered address
- VAT number (if VAT-registered)
- SIC codes: 62012 (software dev), 62020 (IT consultancy), 84220 (defence)
- UK bank account
- Named UK representative (signatory)
- Modern Slavery Statement
- Tax compliance: HMRC online β "Check tax position" PDF
# After registration:
- DSP supplier ID assigned (e.g. SUP-2024-XXXXX)
- Listed in MOD supplier search
- Eligible for opportunities <Β£10M
3. Cyber Essentials Plus (CE+)
Mandatory for any supplier handling MOD data at OFFICIAL or above. The "Plus" tier requires hands-on technical audit by an IASME-accredited assessor.
| Item | Cost | Duration | Where to get it |
|---|---|---|---|
| Cyber Essentials (self-assessed) | Β£320 + VAT | 2-4 weeks | IASME consortium (iasme.co.uk) |
| Cyber Essentials Plus (audited) | Β£600-1,500 + VAT | 4-6 weeks | IASME-accredited assessor |
| IASME Cyber Assurance (gold) | Β£600 + VAT | 4-6 weeks | IASME |
What CE+ requires technically: secure internet connection, secure devices, access control, malware protection, patch management. DEFONEOS pre-configures all of this in the base image.
4. UK SC Clearance
Security Check (SC) is the minimum for personnel with "long-term, frequent, and uncontrolled" access to TOP SECRET material. The application takes 4-6 weeks.
# Application process:
1. Sponsoring organisation (CSOAI Ltd) registers with UKSV
2. Sponsoring authority (MOD) issues sponsor letter
3. Candidate completes SC1 form (45 pages, online)
4. UKSV runs: criminal records, credit history, 5-year employment, references
5. Decision: SC Cleared, SC with caveats, or Refused
# DEFONEOS team minimum (3 people):
- 1Γ Technical Director (SC cleared)
- 1Γ Engineering Lead (SC cleared, may be in progress)
- 1Γ Operations Manager (SC cleared)
# Cost:
- Application: Β£0 (paid by sponsoring org)
- Time: 6-12 weeks per person
- 3 people Γ 8 weeks = need to start Day 1 of the deployment project
5. UK Cloud Account (5-Region UK Sovereign)
You need a UK-sovereign cloud account BEFORE you can deploy. DEFONEOS supports all 5 major UK sovereign cloud providers. See Regions tab for full comparison.
- UKCloud (Sovereign) β wholly UK-owned, MOD Tier 2 accredited, Crown Commercial Service supplier
- AWS UK Region (London eu-west-2) β US-owned, but UK-region with UK-jurisdiction, G-Cloud approved
- Azure UK (UK South, UK West) β US-owned, but UK-region, G-Cloud approved
- Google Cloud UK (europe-west2 London) β US-owned, but UK-region, G-Cloud approved
- UKFast / M247 β wholly UK-owned, smaller scale, good for STRIX edge compute
5 Mandatory Compliance Gates
You cannot deploy to prod without clearing all 5 gates. The first 3 are legal/entity gates; the last 2 are technical/operational gates.
Gate Pass Conditions
| Gate | Pass Criteria | Evidence | Audit Trail |
|---|---|---|---|
| G1 | Active DSP supplier record, SIC codes match | PDF registration confirmation | Companies House + DSP |
| G2 | CE+ certificate valid, scope covers DEFONEOS services | PDF CE+ certificate | IASME register |
| G3 | 3Γ UK SC cleared staff, security roles assigned | UKSV clearance letters | UKSV register (private) |
| G4 | JSP 936 JHA-A register complete, AI Risk Tier assigned | JSP 936 register, Risk Tier letter | DEFONEOS-JSP936 module |
| G5 | 23/33 BFT agents vote FOR deployment | SIGIL-signed BFT tally | SOV3 SIGIL chain |
Auto-Generation of Compliance Evidence
# G4: Generate JSP 936 JHA-A register from DEFONEOS config
$ defoneos-mcp jsp936 generate \\
--system "DEFONEOS Counter-UAS ISR" \\
--risk-tier HIGH \\
--use-case "Counter-drone detection at RAF Lossiemouth" \\
--output ./compliance/jsp936-jhaa-counter-uas.pdf
# Output: 47-page JHA-A register including:
# - System description
# - AI risk tier justification
# - Data flow analysis (5 DPIA controls)
# - Human oversight measures
# - Bias audit (5 demographic groups, <2% disparate impact)
# - Robustness testing (1000+ adversarial inputs)
# - Red-team assessment
# - Operator training plan
# - Incident response runbook
# - Decommissioning plan
# G5: Submit to 33-agent BFT council
$ defoneos-mcp bft submit \\
--proposal "Deploy DEFONEOS Counter-UAS v1.0 to UK-W2 production" \\
--evidence ./compliance/jsp936-jhaa-counter-uas.pdf \\
--quorum-required 23
# Output: 33-agent BFT vote tallied on SIGIL chain
# Quorum 23/33 reached in 36 hours
# Vote: 28 FOR, 3 AGAINST, 2 ABSTAIN
# Decision: APPROVED
5 UK Sovereign Cloud Regions
DEFONEOS deploys to UK-sovereign clouds only. The 5 regions are NOT interchangeable: each has different accreditation, different pricing, and different fit-for-purpose. Choose based on your deployment's data sensitivity and budget.
Region 1: UKCloud (Sovereign) β Slough + Corsham
Best for: MOD TOP SECRET, OFFICIAL-SENSITIVE, full data sovereignty required
Region 2: AWS London (eu-west-2) β UK Sovereign
Best for: Production workloads, OFFICIAL, scale-out, GPU-heavy
Region 3: Azure UK (UK South + UK West) β UK Sovereign
Best for: Microsoft shops, OFFICIAL, AAD-integrated, hybrid
Region 4: Google Cloud UK (europe-west2 London) β UK Sovereign
Best for: AI/ML workloads, BigQuery, OFFICIAL
Region 5: UKFast / M247 β Manchester + London
Best for: STRIX edge compute, small footprint, GOV.UK PaaS
Recommended Configuration by Use Case
| Use Case | Primary | Backup | Edge |
|---|---|---|---|
| MOD defence AI (TOP SECRET) | UKCloud Sovereign | UKCloud Corsham | UKFast STRIX |
| MOD defence AI (OFFICIAL-SENSITIVE) | AWS London | Azure UK South | UKFast STRIX |
| Emergency services | AWS London | Google UK | UKFast STRIX |
| NHS / health | Azure UK | AWS London | UKFast STRIX |
| Local government | UKFast | Google UK | UKFast STRIX |
| Commercial UK | AWS London | Google UK | UKFast STRIX |
Reference Architecture β DEFONEOS UK Sovereign
The standard DEFONEOS UK deployment. All components are UK-hosted, UK-operated, and SIGIL-audited. Zero foreign data egress.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β UK SOVEREIGN BOUNDARY β
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β STRIX Edge β β STRIX Edge β β STRIX Edge β (UKFast) β
β β (Counter-UAS)β β (Convoy) β β (SAR) β β
β β Jetson Orin β β Jetson Orin β β Jetson Orin β β
β ββββββββ¬ββββββββ ββββββββ¬ββββββββ ββββββββ¬ββββββββ β
β β β β β
β ββββββββββββββββββββΌβββββββββββββββββββ β
β βΌ β
β ββββββββββββββββββββ β
β β FreeTAKServer β (UKCloud Corsham) β
β β C2 + CoT emit β β
β ββββββββββ¬ββββββββββ β
β β mTLS β
β βΌ β
β ββββββββββββββββββββββββββββββββββββββββ β
β β DEFONEOS MCP Federation β (AWS London) β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β β β ISR β β Swarmβ β C2 β β Auditβ β β
β β β MCP β β MCP β β MCP β β MCP β β β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β β β YOLO β β Mava β β TAK β β Map β β β
β β β MCP β β MCP β β MCP β β MCP β β β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β β β 30 MCPs in total ... β β β
β β ββββββββ ββββββββ ββββββββ ββββββββ β β
β ββββββββββββ¬ββββββββββββββββββββββββββββ β
β β β
β ββββββββββββ΄βββββββββββ β
β βΌ βΌ β
β ββββββββββββββββ ββββββββββββββββ β
β β PostgreSQL β β SIGIL Chain β (UKCloud Slough) β
β β (audit data)β β (immutable) β β
β ββββββββββββββββ ββββββββββββββββ β
β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β Cesium Globe (3D COP) β (Azure UK South) β
β β https://cop.defoneos.uk/ β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β BFT Council (33 agents) β (Google UK) β
β β quorum 23/33 β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Component Hosting Map
| Component | Region | Accreditation | Replicas |
|---|---|---|---|
| STRIX Edge (field) | UKFast Manchester | Cyber Essentials+ | 3-N (operational) |
| FreeTAKServer | UKCloud Corsham | MOD Tier 2 | 2 (HA) |
| DEFONEOS MCP Fleet | AWS London | ISO 27001, G-Cloud 13 | 3-AZ |
| PostgreSQL (audit) | UKCloud Slough | MOD Tier 2 | 2 (sync) |
| SIGIL Chain | UKCloud Slough | MOD Tier 2 | 3 (consortium) |
| Cesium 3D COP | Azure UK South | ISO 27001, G-Cloud 13 | 2 |
| BFT Council | Google UK | ISO 27001, G-Cloud 13 | 5-node |
Day-2 Operations β UK Sovereign Runbook
Once deployed, the runbook covers incident response, security patching, audit, and decommissioning.
3.1 On-Call Rotation (24/7)
- Primary: Ops Engineer (SC cleared, 7am-7pm Mon-Fri)
- Secondary: Ops Engineer (SC cleared, 7pm-7am + weekends)
- Escalation: CISO (any severity, 24/7)
- Major Incident: CTO + Director of Defence (sev-1 / sev-2)
3.2 Severity Tiers (UK Gov Standard)
| Sev | Definition | Response Time | Resolution Target | Comms |
|---|---|---|---|---|
| 1 | Total service outage / data breach / red-line violation | β€15 min | β€4 hours | MOD + ICO + NCSC within 72h |
| 2 | Major degradation (>50% capability lost) | β€30 min | β€8 hours | Customer SLA breach report |
| 3 | Minor degradation (β€50% capability lost) | β€2 hours | β€24 hours | Standard ticket |
| 4 | Cosmetic / documentation / RFE | β€1 business day | β€2 weeks | Standard ticket |
3.3 Security Patching SLA
| Severity | Patch within | Verification |
|---|---|---|
| Critical CVE (CVSS β₯9.0) | 24 hours | Re-run E2E test suite + SIGIL audit |
| High CVE (CVSS 7.0-8.9) | 7 days | Re-run E2E test suite |
| Medium CVE (CVSS 4.0-6.9) | 30 days | Regression test |
| Low CVE (CVSS <4.0) | 90 days | Standard regression |
3.4 Audit Cycle
- Daily: Automated SIGIL chain verification, anomaly detection
- Weekly: Operator review of BFT council log + red-line triggers
- Monthly: Security posture report to MOD authority
- Quarterly: External penetration test (CREST-accredited)
- Annually: ISO 42001 / SOC 2 surveillance audit, Cyber Essentials Plus re-cert
3.5 Red Lines (Never Crossed)
RED LINE 1: NO data egress outside UK sovereign boundary
- SIGIL chain alerts within 60 seconds of any attempt
- Automatic kill switch on egress attempt
- Page CISO + CTO
RED LINE 2: NO kinetic-targeting decisions without human-in-loop
- Counter-UAS intercept requires operator approval
- SIGIL chain records every approval
- BFT council can override in <50ms
RED LINE 3: NO model deployment without BFT 23/33 vote
- Every model version SIGIL-emitted
- Quorum gate enforced at MCP layer
- Rollback available within 60s
RED LINE 4: NO SIGIL chain mutation
- Hash chain immutability verified daily
- Any tampering triggers sev-1
- NCSC notified within 1 hour
RED LINE 5: NO personal surveillance
- Defoneos detects threats, not people
- Person-detection is operator-approval only
- ICAO / DPIA controls applied
3.6 Decommissioning
When the deployment is retired (end of contract, technology refresh, etc.), the following must happen within 30 days:
- All customer data exported (encrypted, signed, 7-year retention as per UK law)
- All SIGIL chain events retained (immutable, 7-year retention)
- All storage volumes crypto-erased (NIST 800-88)
- All compute instances terminated
- DNS records removed
- Final BFT council "end-of-life" vote (23/33)
- Customer sign-off certificate
90-Day Deployment Timeline
From a fresh UK Ltd to a fully sovereign production deployment. The first 30 days are entity + compliance; days 31-60 are technical build; days 61-90 are pilot + scale.
Critical Path
Three parallel workstreams must all complete:
- Workstream A (Compliance): DSP β CE+ β SC. Critical: SC starts Day 1, takes 6 weeks.
- Workstream B (Technical): 30 MCPs β 50 pages β digital twin. Critical: All in UK-sovereign cloud from Day 1.
- Workstream C (Customer): UKDI Regional Engagement β first MOD contact β pilot. Critical: DASA application Day 30.
Resource Requirements
| Role | FTE | SC Required | Cost (annual) |
|---|---|---|---|
| CTO / Technical Director | 1.0 | Yes | Β£180,000 |
| Senior Engineer (MCP / Cloud) | 1.0 | Yes | Β£110,000 |
| Senior Engineer (ML / ISR) | 1.0 | Yes | Β£110,000 |
| Operations / On-Call | 1.0 | Yes | Β£75,000 |
| Compliance Officer (DPA, JSP 936) | 0.5 | No (BPSS minimum) | Β£55,000 |
| Commercial / Bid Manager | 0.5 | No | Β£55,000 |
| Total | 5.0 FTE | 4Γ SC | Β£585,000/yr |