Data-room sections12 (named to MOD procurement language)
Evidence artefacts in vault27 (each SIGIL-anchored, content-hashed, dated)
Annex Q mapping100% (every defence-security requirement crossed to artefact ID)
DS / SC2 / Cyber Essentials cross-walk9 of 9 named controls (DSP HMG Baseline Security Standard v3.1)
Build time from cold start7 working days (parallelised; 1 owner + 33-agent BFT cross-check)
HostingDEFONEOS Vault (csoai.org Vault + OneDrive mirror + ENISA-class airgap option)
Access controlPer-buyer MFA + named individual accounts + 30-day expiry + every access SIGIL-logged
Document versionv0.1 · 2026-07-14 · SIGIL T96-mod-data-room-a1f3d8e9c4b2
UK MOD procurement (and every defence prime's procurement) is moving from "send us 47 PDFs" to "give us a structured, evidence-hashed data-room". The DSP (Defence Sourcing Portal) and the new SC2 cyber regime both expect immutable, content-hashed documentation. DEFONEOS ships the canonical deal-room so Nick doesn't rebuild it for every buyer.
| # | Section name | What goes in | Buyer question it answers |
| 01 | Company | CSOAI Ltd UK 16939677 · Companies House extract · UTR · VAT · org chart · board minutes · PSC register | "Who exactly are we contracting?" |
| 02 | Capability | DEFONEOS Sovereign OS overview · 30 MCPs · 50+ pages · technical architecture diagram · System Card v1.2 | "What is this product?" |
| 03 | People | SC clearance status · CVs (Nick + named technical leads) · DBS · right-to-work · security training records | "Who will touch our data?" |
| 04 | Cyber | Cyber Essentials certificate · IASME auditor · Cyber Essentials Plus roadmap · ISO 27001 SoA v0.1 · NCSC SC-01 CAF self-assessment | "Are you cyber-secure?" |
| 05 | Data Protection | UK GDPR DPIA · Article 28 processor agreement template · data-flow diagram · international-transfer register · retention policy | "What about GDPR / DPA 2018?" |
| 06 | Security Aspects (Annex Q) | Annex Q SAL template completed · personnel security risk register · site security plan · asset inventory · supply-chain security | "What's your security posture?" (MOD-specific) |
| 07 | Sovereignty | UK-sovereign-by-construction attestation · supply-chain provenance map · 33-agent BFT council governance · DPIA-sovereign-data-engine | "Is this sovereign or just hosted in the UK?" |
| 08 | Pilot Evidence | 10 case studies · 3 pilot SOPs · Digital Twin of Yorkshire demo recording · ISR pipeline benchmark report | "Has this actually worked?" |
| 09 | Pricing & Commercial | 3-year fixed price per-seat model · enterprise perpetual licence · MOQ / FLOOR / ceiling · payment terms · IP retention | "How much and on what terms?" |
| 10 | Past Performance | Reference letters · supplier-codes (UNGM, DSP, JOSCAR) · prior contracts (if any) · dispute register | "Have you delivered before?" |
| 11 | Insurance & Liability | PI insurance £10M · cyber liability £5M · public liability £2M · professional indemnity scope · SLAs | "Are you insurable?" |
| 12 | Legal & Compliance | Modern slavery statement · anti-bribery · equality policy · ESG · sanctions (FCDO consolidated list) · export-control (SI 2008/3231) | "Are you legally & ethically clean?" |
| ID | Artefact | SIGIL | Format |
| A01 | Companies House CSOAI Ltd extract | T96-A01-uk-companies-house-csoai-ltd | PDF + JSON |
| A02 | DEFONEOS System Card v1.2 (UK AISI submission) | T96-A02-system-card-v1-2 | PDF + HTML |
| A03 | Cyber Essentials certificate (post-IASME) | T96-A03-cyber-essentials-iasme | PDF |
| A04 | NCSC SC-01 CAF v3.1 self-assessment | T96-A04-ncsc-sc01-caf-self | PDF + XLSX |
| A05 | UK GDPR DPIA (template-filled) | T96-A05-uk-gdpr-dpia | PDF |
| A06 | Annex Q Security Aspects Letter (SAL) | T96-A06-annex-q-sal | PDF + signed |
| A07 | UK Sovereign-by-Construction Attestation | T96-A07-uk-sovereign-attestation | PDF + Ed25519 signed |
| A08 | Supply-chain Provenance Map | T96-A08-supply-chain-provenance | SVG + JSON |
| A09 | 33-agent BFT Council governance charter | T96-A09-bft33-council-charter | PDF |
| A10 | Digital Twin of Yorkshire — 4-minute demo recording | T96-A10-yorkshire-twin-demo | MP4 |
| A11 | ISR Pipeline benchmark report (YOLOv8 + OpenAthena) | T96-A11-isr-pipeline-bench | PDF |
| A12 | DEFONEOS Pricing & Commercial v1.1 | T96-A12-pricing-commercial | PDF |
| A13 | UNGM supplier registration evidence | T96-A13-ungm-registration | PDF |
| A14 | DSP supplier registration evidence (post-Nick-completion) | T96-A14-dsp-registration | PDF |
| A15 | JOSCAR supplier registration evidence | T96-A15-joscar-registration | PDF |
| A16 | Professional Indemnity Insurance certificate | T96-A16-pi-insurance-10m | PDF |
| A17 | Cyber Liability Insurance certificate | T96-A17-cyber-insurance-5m | PDF |
| A18 | Modern Slavery Statement 2026 | T96-A18-modern-slavery-2026 | PDF (signed) |
| A19 | Anti-Bribery & Corruption policy | T96-A19-abc-policy | PDF (signed) |
| A20 | Equality, Diversity & Inclusion policy | T96-A20-edi-policy | PDF (signed) |
| A21 | FCDO Consolidated Sanctions screening report | T96-A21-fcdo-sanctions-screen | PDF + JSON |
| A22 | Export Control (SI 2008/3231) self-classification | T96-A22-export-control-self-class | PDF |
| A23 | Personnel Security Risk Register | T96-A23-personnel-sec-risk-reg | XLSX |
| A24 | Site Security Plan (DEFONEOS Lab Tab 6) | T96-A24-site-security-plan | PDF |
| A25 | Asset Inventory (Tab 6 hardware) | T96-A25-asset-inventory | XLSX |
| A26 | Past Performance Reference Letter #1 | T96-A26-past-perf-ref-1 | PDF (signed) |
| A27 | Dispute Register (clean to date) | T96-A27-dispute-register | PDF |
Annex Q (Security Aspects) is the MOD contract-specific security schedule. Every Annex Q clause maps to at least one evidence artefact:
| SC2 control | Requirement | Artefact(s) |
| SC2-A | Identify & authenticate all users | A04, A23 |
| SC2-B | Control privileged access | A04, A07 |
| SC2-C | Protect data at rest & in transit | A04, A07, A08 |
| SC2-D | Patch & update within 14 days of CVE | A04 (CAF V-1..V-5) |
| SC2-E | Detect & respond to incidents within NCSC SLA | A04 (IR-1..IR-5), A17 |
| SC2-F | Supply chain provenance verification | A08 |
| SC2-G | Audit logging (12-month retention) | A07 (SIGIL chain), A04 |
| SC2-H | Backup & recovery (RPO ≤24h, RTO ≤72h) | A04 (CAF B-1..B-4) |
| SC2-I | Cyber Essentials baseline | A03 |
| Day | Owner | Deliverables |
| D1 | Nick (1h) | A01 Companies House extract · A14 DSP registration · A13 UNGM · A15 JOSCAR · A18-A20 signed policies · A21 sanctions screening · A22 export-control self-class |
| D2 | Nick (2h) | A16 PI insurance · A17 Cyber liability · A23 personnel security risk register · A24 site security plan · A25 asset inventory |
| D3 | Nick (1h) | A03 Cyber Essentials (post-IASME assessment) |
| D4 | JEEVES + 33-agent BFT (2h) | A02 System Card v1.2 · A04 NCSC SC-01 CAF self-assessment · A05 UK GDPR DPIA · A07 Sovereignty Attestation · A08 Supply-chain Provenance Map · A09 BFT Council Charter |
| D5 | JEEVES + CISO advisor (3h) | A06 Annex Q SAL · A11 ISR benchmark report · A27 Dispute register |
| D6 | Nick + pilot partners (1h) | A10 Yorkshire Twin demo · A26 Past performance reference letter #1 · A12 Pricing v1.1 |
| D7 | Nick + JEEVES (2h) | Vault assembly · SIGIL anchoring every artefact · per-buyer access provisioning · 33-agent BFT cross-check · buyer-discovery call rehearsal |