Security and data handling.

How Decrey approaches data security and regulatory posture. Written for compliance partners and operations leads who need to understand what they'd be signing up for before a pilot conversation.

The product is in active build. Where decisions are committed, this page says so. Where reviews are still open, this page says so. Nothing here over-claims.

01 Regulatory posture

UK GDPR. Decrey operates as a data processor on behalf of customer firms (the data controller). The customer DPA is a separately drafted document covering the standard processor obligations: lawful basis, sub-processor approval, data subject rights, breach notification, audit rights, and end-of-contract data handling. Special category data (Article 9), which includes health data routinely present in insurance litigation case files, is addressed explicitly in the DPA rather than as a default add-on.

SRA Accounts Rules awareness. Decrey doesn't hold client money and isn't an SRA-authorised entity. The product is built with awareness of where SRA Rules 8 and 12 (client money) apply to the firm's workflows — particularly around disbursement handling, settlement processing, and the proposed 12-week return-of-funds rule currently under SRA consultation. The product is designed to support firm compliance rather than create new compliance risk.

Article 22 UK GDPR. Decrey does not make solely automated decisions about data subjects. Every output the product produces is reviewed by a fee earner before any external communication, filing, or action is taken. Fee earner review is a structural part of the product, not an optional setting.

02 Infrastructure

Encryption at rest. All customer data is encrypted at rest with AES-256 using the cloud provider's managed encryption keys. All connections, internal and external, use TLS 1.2 or later.

UK or EU data residency. The production architecture targets UK or EU data residency for customer data. Final cloud provider selection (AWS Bedrock Frankfurt or Google Vertex AI Frankfurt) is the subject of an ongoing sub-processor review and will be committed before any customer data flows.

Audit logging. Every action taken by the product, including agent runs, model calls, fee earner approvals, and sub-processor calls, writes an immutable, append-only audit log entry. Each entry captures actor identity, action, timestamp, and a structured record of inputs and outputs sufficient to reconstruct what happened and why. This is built into the product architecture, not bolted on. Because the entries record inputs and outputs, the log holds the same personal data as the case files it describes and falls under the same residency, retention, and access controls.

03 Sub-processors

The current candidate sub-processors are listed below. A complete sub-processor list will be published at decrey.com/subprocessors before the first pilot, with material additions notified to active customers under the DPA.

Sub-processor | Purpose | Certifications
Anthropic | LLM inference via api.eu.anthropic.com or AWS Bedrock Frankfurt | SOC 2 Type II · ISO 27001 · ISO 42001
AWS / Google Cloud (selection pending review) | Application hosting, UK/EU regions only | SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018
Zoho Corporation | Decrey's operational email (no customer data) | SOC 2 Type II · ISO 27001

For procurement and compliance partners doing deeper diligence, Decrey has prepared a Security & Compliance Pack covering CAIQ-Lite (73 questions), a UK supplement (NCSC supply chain alignment, ICO AI guidance, Cyber Essentials roadmap, ISO 27001 readiness), and a legal / SRA supplement.

Download the Decrey Security & Compliance Pack (PDF)

04 Pre-pilot posture

The product has not yet processed any real firm data. All current development and demonstration uses synthetic data. The synthetic-data-only discipline is being maintained until the customer DPA, sub-processor reviews, and pilot data scope are all in place — at which point pilot customers will be onboarded under a sanitised-data-first protocol before any production data flows.

If you're a compliance partner reading this ahead of a pilot conversation and want to discuss any of the above in more depth, please reach out.

nayan@decrey.com