Company & registrations
| Item | Status | Reference |
|---|---|---|
| Companies House | Registered, England & Wales | 16800372 |
| Registered office | Live | 4 Enriqueta Rylands Close, Stretford, Manchester, M32 0NW |
| ICO controller registration | Live | Registered 14 May 2026 (reference ZC147676) — expires 13 May 2027, listed on the ICO public register |
| VAT registration | In progress (HMRC) | Number added on receipt |
| Director ID verification (ECCTA 2023) | In progress | Awaiting Companies House WebFiling auth code |
ICO registration number: ZC147676— registered 14 May 2026, expires 13 May 2027. Data Protection Officer: dpo@lawfuze.com.
Data residency & hosting
- Primary cloud: Microsoft Azure UK South (London). AWS is not used.
- Secrets management: Azure Key Vault, environment-scoped service principals.
- Backups: daily encrypted Postgres backups to Azure Blob with 30-day retention; quarterly restore tests.
- AI inference: Anthropic EU (Frankfurt) endpoint requested; Azure OpenAI UK South. No US sub-processors for judgment content or personal data once both endpoints are confirmed.
Certifications & controls
| Control | Status | Evidence |
|---|---|---|
| UK GDPR alignment | Live | Published Privacy Policy, ROPA, LIAs |
| DPIA (Art 35 UK GDPR) | Live | Risk matrix + mitigations, signed by DPO |
| ROPA (Art 30 UK GDPR) | Live | One row per processing activity, lawful basis recorded |
| Append-only audit log | Live | DB-level triggers block UPDATE/DELETE; 6-year retention |
| Cyber Essentials Plus | In progress | IASME assessor booking by Phase 2 |
| Computational Analysis Licence (case law) | In progress | Submitted to The National Archives; ~2–12 weeks |
| PII / Cyber / D&O insurance | In progress | Broker enquiry with Hiscox / Markel / Beazley |
| CREST pen test | Planned (Phase 2) | Booked for July 2026 |
| WCAG 2.2 AA conformance | Planned (Phase 2) | Audit + remediation before public launch |
| ISO 27001 | On roadmap | Targeted post-launch |
| SOC 2 Type II | On roadmap | Targeted post-launch |
Security contacts
- Data Protection Officer: dpo@lawfuze.com
- Security disclosures: security@lawfuze.com
- UK GDPR data subject requests: legal@lawfuze.com
- Breach reporting (24/7): security@lawfuze.com — we acknowledge within 4 hours, ICO notification within 72 hours where required.
Honest disclaimers
Certifications listed as in progress or on roadmap are not current attestations. We publish certificate references only once an accredited body has issued them. Beta tier customers should treat the platform as an active test environment until 1 September 2026.
UK regulatory and case-law context
LawFuze's posture is shaped by three live UK regulatory signals that every solicitor evaluating an AI tool should be aware of:
- Data (Use and Access) Act 2025, Section 80— replaced the previous UK GDPR Article 22 framework on 1 January 2026, inserting Articles 22A–D. The live statutory phrase is "meaningful human involvement in significant decisions". LawFuze's supervisor-review queue is the implementation pathway for solicitors relying on AI outputs in client work. (legislation.gov.uk)
- Garfield AI — SRA authorisation, May 2025 — the SRA authorised the first wholly-AI legal services firm after an eight-month review focused on hallucination mitigation and human oversight. LawFuze tracks the same standards (refusal-first prompts, audit-logged supervisor sign-off, no unsupervised client communication). (sra.org.uk)
- Ayinde v Haringey London Borough Council [2025] EWHC 1383 (Admin) — the High Court made a wasted-costs order against legal representatives who relied on fabricated AI-generated case citations, with referrals to the SRA and the BSB. Cited here so firms understand the disciplinary reality of unverified AI output. LawFuze's citation-verification + refusal architecture is designed precisely so a supervising solicitor never finds themselves on the wrong side of an Ayinde-style order.
Bar Council guidance on generative AI for the bar was updated in November 2025 and is consistent with the SRA position.