Evidentful

Security & compliance

Security is the foundation, not a feature.

Evidentful is built for UK policing from the infrastructure up: UK-hosted deployment, force-specific access controls, audit logging, encryption, and AI governance designed to support DPO, IT security, and procurement review. We welcome scrutiny.

UK-only

Data residency

Witness data stored in UK data centres (Azure UK South / UK West).

Certified

ISO 27001

Independently audited information security management.

Encrypted

Encryption

All data encrypted in transit and at rest.

Zero

No AI training

Witness data is not used to train, fine-tune, or evaluate AI models.

Core security architecture

How witness data is protected end to end.

Every architectural decision assumes witness evidence is sensitive, legally significant, and subject to scrutiny. These are design constraints from day one — not policies bolted on after launch.

UK data residency

Witness data, statements, recordings, and audit logs are stored in UK data centres (Azure UK South / UK West).

Witness statements, interview recordings, transcripts, and application records are held exclusively in Azure UK South and UK West. No data is processed or stored outside UK jurisdiction in normal operation.

Per-force isolation

Tenant isolation

Each police force is a fully isolated tenant. Cross-force access is prevented by design.

Every force operates as a separate tenant on the platform. Incidents, witnesses, and statements are scoped to that force only — no officer can access another force’s data. Isolation is enforced at the identity and application layer.

Encrypted end to end

Encryption

All data encrypted in transit and at rest. Interview audio accessed via secure, short-lived links. Credentials held server-side only.

Witness data is encrypted in transit and at rest across the platform. Interview recordings are accessed through secure, time-limited links generated on the server. Storage credentials and API keys never leave the server — they are not exposed to browsers or client applications.

StatementStream

Immutable audit trail

Every invite, interview, edit, signature, and download is attributed and timestamped via StatementStream.

Every action taken on every statement — creation, view, edit, sign, download — is written to StatementStream, a tamper-evident, append-only log. Nothing can be deleted or altered after the fact. The chain of custody is preserved throughout, giving forces and courts a complete, attributable record.

RBAC · 4 roles

Role-based access control

Officer, Supervisor, Administrator, and Witness — each role sees only what it needs. No self-escalation.

Access is granted by role across the officer workspace and witness portal. Officers work their own caseload. Supervisors manage incidents and witnesses across the force. Administrators configure offences, templates, and user access. Witnesses see only their own interview session. Sensitive operations require an authenticated session with the appropriate role.

Zero AI training

Zero AI training on witness data

Witness data is not used to train, fine-tune, or evaluate AI models. Enterprise provider agreements prohibit it.

Evi conducts voice interviews and generates draft statements using Microsoft Azure AI services under enterprise terms that prohibit training on customer data. Short-lived session tokens are issued server-side for voice interviews — long-lived keys are never distributed to witness browsers. Witness consent is recorded before any interview proceeds.

Technical implementation

The stack, for those who need to know.

For force IT security teams and DPOs who want implementation detail.

1. Identity & access management

  • Authentication: industry-standard authentication and session management.
  • Role-based access control: four roles enforced across the officer workspace and witness portal.
  • Session inactivity controls: officer and administrator accounts prompt re-authentication after inactivity.
  • Per-force organisation scoping: each force’s data is isolated at the identity layer.

2. Infrastructure & deployment

  • Microsoft Azure: containerised hosting with development, staging, and production environments separated.
  • Managed database and storage: dedicated storage for application data and interview audio.
  • Automated CI/CD: controlled releases through automated deployment pipelines.
  • Production hardening: non-root production runtime and continuous application monitoring.

3. AI security & data isolation

  • Azure OpenAI: voice interviews and statement generation.
  • Azure Speech: server-side transcription after recording commit.
  • No training on customer data: Microsoft enterprise service terms.
  • Neutrality guardrails: aligned to College of Policing guidance.
  • PEACE methodology and MG11 validation: structured interview phases and recognised UK police statement standards.
  • NCSP AI/LLM Cyber Standard v1.1: design alignment.

Role-based access control

Four roles. Scoped visibility. No self-escalation.

Access is granted by role, not by individual permission grants. Each role sees exactly what it needs — and nothing it doesn't.

Officer

Own caseload only. Invite witnesses, review statements, and download evidence. Cannot access other officers’ cases.

Supervisor

Organisation-wide incident and witness management across the force.

Administrator

Force configuration, offence setup, user provisioning, and interview templates.

Witness

Self-service portal only. Own session, interview, statement review, consent, and signature. No access to case management or other witnesses’ data.

Alignment with national standards

Built to meet the standards that govern UK policing and AI.

Evidentful is designed with reference to the national frameworks that UK police forces and their procurement teams are required to consider when evaluating AI-enabled tools.

NCSP AI/LLM Cyber Standard v1.1

Evidentful's use of large language models is designed for a narrow policing function: structured witness account capture and draft statement preparation. The system is designed with reference to the Responsible AI Checklist for Policing and the Police Digital Service NCSP Artificial Intelligence Large Language Models Standard, with controls covering information assurance, human review, auditability, data protection, evidential continuity and disclosure readiness.

NCSP aligned

NCSP Cyber Security Architectural Principles

Infrastructure design follows the NCSP Cyber Security Architectural Principles, including tenant isolation, role-based access control, and immutable audit logging via StatementStream.

NCSP aligned

College of Policing — PEACE interview model

Evi's interview structure follows the PEACE framework (Preparation, Engage and explain, Account, Closure, Evaluate) as set out in College of Policing guidance for witness interview practice.

PEACE methodology

MG11 — Witness Statement Form

Evidentful is designed to produce MG11-format witness statements, including the statutory declaration and required fields. Admissibility and evidential use remain subject to case circumstances, force procedure, and legal review.

MG11 compliant

UK GDPR & Data Protection Act 2018

All personal data is processed in accordance with UK GDPR and the DPA 2018. Witness data is held exclusively in UK data centres (Azure UK South / UK West) and is not shared with third parties for any purpose other than providing the service.

GDPR / UK DPA 2018

PACE 1984 — Police and Criminal Evidence Act

The evidence collection workflow is designed with PACE compliance in mind, including voluntary participation, witness rights, and the integrity of the signed statement as a legal document.

PACE compliant

ISO 27001 & compliance

Independently certified information security.

Evidentful is ISO 27001 certified. Our information security management system is independently audited, with controls monitored on an ongoing basis. Force IT teams, DPOs, and procurement stakeholders can review our compliance posture, policies, and control evidence in our Trust Centre.

Infrastructure security

Encryption, network protection, hosting controls, and key and secrets management.

Organisational security

Asset ownership, access provisioning, user lifecycle, and role management.

Product security

Secure development, environment separation, change management, and monitoring.

Internal security procedures

Backup, change control, audit processes, corrective action, and legislative compliance.

Data and privacy

Data transfer policies, record protection, privacy obligations, and UK GDPR alignment.

We welcome scrutiny.

Book a demo and ask us the hard questions about architecture, data flows, AI governance, and how Evidentful fits within your force’s security framework. Security contact: [email protected]