Data Protection and Governance Statement

Our Commitment

At scotsphere AI, we believe that strong data governance is fundamental to building trust with our clients and users. As an AI company that handles information on behalf of small businesses, we are committed to maintaining the highest standards of confidentiality, integrity, and accountability in how we process and protect personal data.

This statement explains how we manage data protection and information security in practice. For details on what data we collect, how we use it, and your rights as an individual, please refer to our Privacy Policy.

Our Role Under GDPR

Depending on the nature of the service we provide, scotsphere AI may act as:

  • A Data Controller, when managing our own business operations (for example, our website and CRM systems).

  • A Data Processor, when handling personal data on behalf of our clients within AI agent interactions, integrations, or hosted services.

In all cases, data is processed lawfully, fairly, and transparently, and only under documented instruction or lawful basis as required by the UK GDPR and Data Protection Act 2018.

Accountability and Oversight

Data protection and security responsibilities are held by the Managing Director, who also acts as the Data Protection Lead.


This single point of accountability ensures direct oversight and rapid decision-making for compliance, incident response, and client communication.

Our governance approach is designed for clarity and proportionality: policies and procedures are maintained internally and reviewed annually or following any material change in legislation or operations.

Security and Technical Measures

We take a “cloud-first” and “security-by-design” approach to all systems and processes.


Key controls include:

  • Encryption of data at rest and in transit

  • Multi-factor authentication and role-based access

  • Continuous monitoring and anomaly detection through our cloud providers

  • Disaster recovery and resilience using multi-region hosting and automated backups

We also maintain an incident response procedure, ensuring that any data breach or security event is identified, contained, and reported within 24 hours to affected partners or authorities where required.

Our Partners and Sub-Processors

To deliver reliable, secure, and scalable services, we work with a small number of enterprise-grade cloud providers that meet international compliance standards such as ISO 27001, SOC 2, and GDPR.

These include:

  • Microsoft Azure / Render – application and database hosting (UK/EU regions)

  • Twilio – telephony infrastructure

  • Synthflow – conversational AI and voice services (EU/UK hosting)

  • Mailgun – transactional email delivery (EU regions)

Each provider is bound by a Data Processing Agreement (DPA) incorporating Article 28 UK GDPR clauses, and is regularly reviewed for compliance and data location assurance.

Data Lifecycle Management

Personal data is retained only for as long as necessary to deliver our services or meet legal and contractual obligations.


At the end of a client relationship or project, data is securely returned or deleted within one month, and written confirmation can be provided on request.

All data is stored within the UK or EEA by default. Any transfer outside these regions (for example, through Twilio’s global routing) is governed by Standard Contractual Clauses or an adequacy decision.

Training and Awareness

As a small, specialist company, all GDPR, cybersecurity, and data handling training is completed annually by the Managing Director. Ongoing awareness is maintained through ICO guidance and regular policy reviews.

Contact for Data Protection Matters

If you have questions about how we handle personal data, compliance, or information governance, please contact:

Data Protection Lead

Antony Slack, Managing Director
📧 [email protected]

Alignment with Our Privacy Policy

This statement complements our Privacy Policy by focusing on governance and accountability, rather than data categories or user rights. Together, they form the foundation of scotsphere AI’s commitment to responsible and transparent data management.

scotsphere.ai harnessing AI for small business

Registered with the Information Commissioner's Office: ZC021807

VAT Registration: 941342835

Company Registration: SC305350

Cyber Essentials Certified:

© 2025 scotsphere.ai All Rights Reserved