A UK GDPR-compliant, ISO 27001-certified AI deployment for 8,000 staff and up to 46,000 students
A leading UK research university needed independently certified, auditable assurance across UK GDPR, KCSIE 2025 safeguarding, UK public sector accessibility regulations, and information security standards simultaneously - before its DPO, IT Security function, and senior leadership would approve an institution-wide AI rollout. As a public sector body processing personal data for up to 54,000 users including under-18 students, compliance was not a post-launch consideration - it was the deployment prerequisite.

The university required assurance that all institutional data - student interactions, uploaded documents, usage records - would be processed exclusively within the UK, would not train AI models, and would be isolated from other platform tenants at both data and network layer. Consumer AI services could not provide these guarantees.
Processing personal data through a generative AI platform required a Data Protection Impact Assessment under UK GDPR Article 35, a formally executed Article 28 DPA, and automated data subject rights workflows. The DPO required all of this before any student personal data was processed.
The student population includes under-18 learners and individuals in vulnerable circumstances. KCSIE 2025-aligned controls - content filtering, deepfake detection, and age-appropriate access restrictions - were required operational from the first day of student access, not as a subsequent configuration task.
UK public sector accessibility regulations were updated in October 2024 to reference WCAG 2.2, introducing new Level AA success criteria. The university required compliance with these updated requirements at launch - including Focus Not Obscured (2.4.11), Target Size Minimum (2.5.8), and Accessible Authentication (3.3.8).
With over half of UK universities experiencing data breaches in the past year and higher education (HE) facing the highest average ransomware costs of any UK sector (£2.73 million), the IT Security team required third-party certified evidence - not vendor self-attestation. Recognised certifications, independent penetration testing, and a demonstrated operational breach record were all required.
UK GDPR guidance, KCSIE requirements, and AI governance frameworks were all evolving at deployment. A one-off compliance exercise would become stale within months. The university needed a contractual commitment to track and respond to regulatory change throughout the contract term.
PromptX holds ISO 27001:2022 with UKAS-accredited annual surveillance audits. Cyber Essentials Plus was renewed January 2026, covering all five technical controls. Annual CREST-certified penetration testing - most recently December 2025 - covers OWASP Top 10, API security, and authentication bypass attempts, with all findings remediated within SLA (critical: 24 hours; high: 7 days). There have been zero reportable security breaches in two years of operational history.
VE3 acts as Data Processor; the university retains full Data Controller status. The DPA covers processing on documented instructions only, confidentiality obligations, sub-processor controls, data subject rights assistance, DPIA support, and data deletion at contract end. Automated workflows fulfil access requests within 2 hours, with an erasure audit trail and portability via JSON and CSV export.
All university data is processed exclusively within UK availability zones - London Primary, Manchester Secondary - with no international transfer. Dedicated tenancy implements PostgreSQL schema separation, tenant-specific AES-256-GCM encryption with 90-day key rotation, Kubernetes namespace isolation, and tenant-scoped IAM. Independent backups are retained for 7 years in geographically separate UK locations.
VE3 provides comprehensive DPIA support - data flow diagrams, Article 30 processing records, security control specifications, and risk assessment methodology - maintained by a qualified DPO and updated quarterly. This gave the university's DPO the evidence base to determine a lawful basis under Article 6(1)(e) public task and complete the required impact assessment.
Content filtering, deepfake detection, and under-18 protections are implemented below the user interface - not circumventable by user behaviour. Tamper-evident WORM audit logs of all interactions are retained for 7 years, providing the forensic record required for any safeguarding or misconduct investigation.
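The tamper-evident property described above is what lets an investigator trust a 7-year-old log entry. The following is an added illustration, not VE3's or PromptX's implementation: a per-tenant, append-only audit log in which every record commits to the previous record's HMAC, so an edit, a deletion, or a log presented under another tenant's key is detected at verification time. The tenant id, actors, events, record layout and the HMAC key held by the logging service are all constructed assumptions for this example.

```python
"""Tamper-evident, append-only audit log with a per-tenant hash chain.

Added illustration, not VE3's or PromptX's code. Record layout, tenant ids,
the HMAC key and the sample events are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first record of each tenant


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the digest does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log: each record commits to the previous record's hash, so a
    change or removal anywhere before the head breaks every later link."""

    def __init__(self, tenant_id: str, hmac_key: bytes):
        self.tenant_id = tenant_id
        self._key = hmac_key  # assumption: a tenant-scoped key held by the log service
        self.records: List[dict] = []

    def append(self, actor: str, action: str, detail: str) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "tenant": self.tenant_id,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        digest = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        record = dict(body, hash=digest)
        self.records.append(record)
        return record


def verify_chain(records: List[dict], tenant_id: str, hmac_key: bytes) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        # Sequence, tenant and back-link must all match before the MAC is checked.
        if body.get("seq") != i or body.get("tenant") != tenant_id or body.get("prev") != expected_prev:
            return i
        digest = hmac.new(hmac_key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(digest, rec.get("hash", "")):
            return i
        expected_prev = rec["hash"]
    return None


def demo() -> Dict[str, Optional[int]]:
    """Build a small constructed log and verify it under four scenarios."""
    key = b"constructed-tenant-key-for-demo"
    log = AuditLog("university-a", key)
    log.append("student:1001", "prompt", "asked about essay structure")
    log.append("filter", "block", "content policy match on prompt 2")
    log.append("staff:42", "export", "DSAR export for student:1001")

    # Scenario 1: a record is edited in place after the fact.
    edited = [dict(r) for r in log.records]
    edited[1]["detail"] = "no action taken"

    # Scenario 2: a record is silently removed from the middle of the log.
    deleted = [log.records[0], log.records[2]]

    return {
        "intact": verify_chain(log.records, "university-a", key),          # None
        "edited": verify_chain(edited, "university-a", key),               # 1
        "deleted": verify_chain(deleted, "university-a", key),             # 1
        "wrong_key": verify_chain(log.records, "university-a", b"other"),  # 0
    }


if __name__ == "__main__":
    print(demo())
```

The chain makes tampering detectable; it does not by itself prevent it. In a real deployment the head hash would be anchored somewhere the log writer cannot alter (WORM object storage, a periodic signed checkpoint, or a third-party timestamp) so that a rewrite of the entire chain from a chosen point is also caught.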
The platform is designed to support WCAG 2.2 Level AA including all new 2024 criteria. Screen reader compatibility was tested with JAWS 2024, NVDA 2024, and VoiceOver. Voice interaction supports users with dyslexia, visual impairments, or motor impairments. VPAT 2.5 Rev documentation is available on request.
By treating security certification, data protection, safeguarding, and accessibility as architecture rather than a post-launch checklist, VE3 gave every institutional stakeholder the assurance they needed to approve a novel technology category at scale. The DPO had the documentation to proceed. IT Security had the independent validation. Students were protected from day one.