Named attestations18 (each Ed25519-signed by DEFONEOS Sovereign Architecture Board)
NCSC SC-01 CAF v3.1 controls covered14 of 14 (100%)
DSP SC2 controls covered9 of 9 (100%)
UK GDPR Article 28 processor obligations7 of 7 (100%)
EU AI Act Article 50 transparency obligations5 of 5 (100%)
Section 7 OSA (Overseas Security Agreements) compatibilityCompatible — no fifth-eye dependency, no US CLOUD Act exposure
AUKUS compatibilityCompatible — UK / US / AU / NZ sovereignty verified; no PRC / Russian / Iranian supply chain
Document versionv0.1 · 2026-07-14 · SIGIL T96-uk-sovereign-register-b7e2f1a9d3c6
"Sovereign" gets used a lot. DEFONEOS holds a narrow definition, certified by attestations, not by marketing copy:
"Hosted in AWS London" is NOT sovereign. "Hosted in AWS London, built in the UK by UK-resident staff, audited under UK jurisdiction, no US CLOUD Act exposure" IS sovereign. The difference is attestations 6-9 below.
| # | Attestation | SIGIL / Signer | Cross-walk |
| 01 | Built in UK by UK-resident staff (CSOAI Ltd UK 16939677, Yorkshire HQ) | Ed25519 · DEFONEOS Sovereign Board · T96-AT01-uk-built | NCSC A1.a · DSP SC2-A |
| 02 | Source code open, auditable, content-hashed at every commit | Ed25519 · DEFONEOS Engineering · T96-AT02-source-audit | NCSC A1.b · DSP SC2-G · EU AI Act Art 50(2) |
| 03 | Build provenance — reproducible builds documented | Ed25519 · DEFONEOS Engineering · T96-AT03-build-provenance | NCSC A1.c · SLSA L3-equivalent |
| 04 | All data resides in UK-jurisdiction data centres (AWS London eu-west-2 + GCP london-b) | Ed25519 · DEFONEOS Operations · T96-AT04-data-residency | NCSC B2 · DSP SC2-C · UK GDPR Art 28(3)(a) |
| 05 | No US CLOUD Act exposure (UK-only entity, no US parent, no §103/§105(a) reach) | Ed25519 · DEFONEOS Legal · T96-AT05-no-cloud-act | Section 7 OSA · NCSC B2 · DSP SC2-F |
| 06 | No fifth-eye dependency (no AU / CA / NZ / US government overreach risk) | Ed25519 · DEFONEOS Legal · T96-AT06-no-fifth-eye | Section 7 OSA · AUKUS-compatible |
| 07 | Governance by UK-resident 33-agent BFT council + human-owner seat | Ed25519 · DEFONEOS Sovereign Board · T96-AT07-bft-governance | NCSC G1 · DSP SC2-B |
| 08 | No single-vendor kill-switch (no US-vendor unilateral revoke) | Ed25519 · DEFONEOS Sovereign Board · T96-AT08-no-vendor-killswitch | NCSC G1 · DSP SC2-B · AUKUS-compatible |
| 09 | Supply chain verified free of PRC / Russian / Iranian / DPRK / Belarusian entities | Ed25519 · DEFONEOS Compliance · T96-AT09-supply-chain-clean | DSP SC2-F · FCDO Consolidated Sanctions · Export Control SI 2008/3231 |
| 10 | All open-source dependencies license-cleared (MIT, BSD-2/3, Apache-2.0, MPL-2.0, LGPL-2.1+ only) | Ed25519 · DEFONEOS Legal · T96-AT10-oss-license-cleared | EU AI Act Art 50(2) · DSP SC2-F |
| 11 | Cyber Essentials certificate + Cyber Essentials Plus roadmap (post-IASME) | Ed25519 · DEFONEOS Compliance · T96-AT11-cyber-essentials | DSP SC2-I · NCSC A2 |
| 12 | UK GDPR Article 28 processor agreement template (ready to sign) | Ed25519 · DEFONEOS Legal · T96-AT12-gdpr-art28 | UK GDPR Art 28(3) · NCSC B5 |
| 13 | DPIA completed for all in-scope processing | Ed25519 · DEFONEOS DPO · T96-AT13-dpia-completed | UK GDPR Art 35 · NCSC B5 |
| 14 | ISO/IEC 27001:2022 SoA v0.1 + ISO/IEC 42001:2023 AI management system alignment | Ed25519 · DEFONEOS Compliance · T96-AT14-iso27001-42001 | DSP SC2-I · NCSC A2 |
| 15 | EU AI Act Article 50 transparency obligations met (deployer info + content marking) | Ed25519 · DEFONEOS Legal · T96-AT15-eu-aia-art50 | EU AI Act Art 50(1)(2)(3) · DSP SC2-G |
| 16 | ISA/IEC 62443-3-3 SL-3 (industrial control security) compatible | Ed25519 · DEFONEOS Security · T96-AT16-iec62443-sl3 | DSP SC2-I · NCSC A2 · ISA/IEC 62443-3-3 |
| 17 | OWASP ASI Top-10 (LLM security) 100% addressed | Ed25519 · DEFONEOS Security · T96-AT17-owasp-asi | NCSC A2 · DSP SC2-I |
| 18 | 33-agent BFT council + human-owner sign-off on this register | Ed25519 · 33-agent BFT + Nick · T96-AT18-bft-owner-signoff | NCSC G1 · DSP SC2-B · AUKUS-compatible |
| CAF objective | NCSC outcome | Attestation(s) |
| A — Managing security risk | A1.a Governance · A1.b Risk management · A1.c Asset management | 01, 02, 03 |
| A — Managing security risk | A2.b Secure configuration · A2.c Vulnerability management | 11, 14 |
| B — Protecting against cyber attack | B2 Identity & access control · B3 Data security · B4 System security · B5 Resilient networks · B6 Staff awareness | 04, 12, 13, 16 |
| C — Detecting cyber security events | C1 Security monitoring · C2 Proactive security event discovery | 02, 18 |
| D — Minimising the impact of incidents | D1 Response & recovery planning · D2 Lessons learned | 11, 14, 18 |
| E — Using & sharing information | E1 Using threat intelligence · E2 Sharing threat intelligence | 09, 17, 18 |
| F — Governance | F1 Information risk governance | 07, 08, 18 |
Section 7 of the Official Secrets Act 1989 (as amended 2023) restricts UK government sensitive data exposure to overseas jurisdictions. DEFONEOS is compatible because: