UK GDPR AI development for British organisations that ship.

UK GDPR does not have a vendor certification scheme that most AI vendors hold — what UK GDPR requires is documented evidence that the controller and processor have implemented appropriate technical and organisational measures. Aiinfox provides that evidence: a UK GDPR-aligned Data Processing Agreement (Article 28) signed before any personal data is processed, a lawful basis identified per processing purpose, a DPIA where Article 35 triggers, audit logs on every model and tool call, inference pinned to a UK or EU region or self-hosted inside your VPC, and a documented breach-notification playbook. We will not market a UK GDPR certification we cannot hold. We will sign the DPA, document the controls, and stand behind them in writing.

The DPA covers the Article 28 obligations: processing only on documented instructions from the controller, confidentiality of personnel, security of processing, sub-processor management with controller approval, assistance with data subject rights requests (SARs, erasure, portability, objection), breach notification timing, deletion or return of personal data at the end of the engagement, and audit rights. International transfer is covered by the UK International Data Transfer Addendum or the EU Standard Contractual Clauses with the UK addendum, depending on the data flow. The DPA is signed before kickoff. We work from your template or provide ours. NHS data engagements layer the Data Security and Protection Toolkit principles on top.

Inside your AWS, Azure, or GCP account by default, in a UK or EU region you specify — AWS London (eu-west-2), Azure UK South, Azure UK West, GCP europe-west2 (London), or europe-west1 / europe-west3 (EU) when EU residency is acceptable. For inference, you have three options. One: managed LLMs pinned to UK or EU — Anthropic Claude via AWS Bedrock with EU-region availability, OpenAI via Azure OpenAI Service with UK South availability. Two: self-hosted Llama 3 / 3.1 on vLLM inside your VPC — zero third-party LLM processing, full control of logging and retention. Three: hybrid — non-personal-data prompts route to managed LLMs, personal-data-bearing prompts route to self-hosted Llama. We do not silently route UK personal data through US endpoints whilst the SCC is undocumented.

We run a Data Protection Impact Assessment whenever the Article 35 trigger applies — high-risk processing, systematic monitoring, large-scale special category data, automated decision-making with legal or similarly significant effect on individuals, or any processing on the ICO's published high-risk list. The DPIA covers the nature, scope, context and purposes of the processing, a necessity and proportionality assessment, the risks to data subjects, and the technical and organisational measures we have implemented to mitigate them. We document the DPIA before the build starts, update it when the architecture materially changes, and provide it as a deliverable to your DPO. Where the residual risk is high, we consult your DPO on whether prior consultation with the ICO is required.

For any deployment where the AI output materially affects an individual — credit, hiring, healthcare triage, benefit eligibility, fraud disposition — we design human-in-the-loop patterns into the system from week one. The model produces a recommendation, the human approves, the audit log records both. We provide 'meaningful information about the logic' as required under Article 22 by recording the prompt version, the retrieval sources, the model output, and the human decision — so when a data subject exercises their right to an explanation, you have one to give. For deployments that genuinely require solely automated decisions, we run the explicit DPIA, document the lawful basis under Article 22(2), and design the right-to-contest workflow before launch.

Strong. India Standard Time is GMT+5:30, which gives roughly four to five hours of native daily overlap with UK business hours — our 1:30pm IST is your 8am GMT, our 6:30pm IST is your 1pm GMT. Daily standups, twice-weekly demos, and ad-hoc problem-solving land inside that window without late-night calls on either side. For UK clients who prefer afternoon-onwards working, we can extend coverage to 8pm IST (2:30pm GMT) on a planned cadence. Written async updates land before your standup. The overlap is one of the reasons we work well with UK organisations — synchronous time genuinely exists every weekday.

Senior engineering rates at Aiinfox land roughly 30 to 50 percent below equivalent London AI consultancies — useful, but it is not the headline. The headline is the delivery model: senior engineers only, fixed-price six-week scope, overrun cost on us if we miss for reasons on our side, DPA in hand before kickoff. Most London AI consultancies bill timesheets, run multi-month discovery whilst onsite-rate cards eat the budget, and either churn senior staff onto bigger accounts mid-engagement or staff a junior pool behind a senior partner. We bill shipped systems; the engineer on your kickoff call writes your code through launch.

Yes — UK GDPR takeover audits are routine. Step one is a data-flow audit: where does personal data actually touch storage, inference, and logging, and which of those endpoints has a documented lawful basis and transfer mechanism? Step two is reading the code, evals, refusal layer, and audit-log schema, then shipping the smallest valuable change to prove the system is operable. Step three is the longer-term remediation plan — incremental fixes, a parallel rebuild, or shutting it down. Most takeovers we see did not need a full rewrite; they needed a documented lawful basis, a missing DPIA, inference pinned to a UK or EU region, and audit logs that could survive an ICO question.