EU AI Act Article 50 — 20 days to seal | Get passport

Privacy Policy

Last updated: 5 July 2026 · CSOAI Ltd (Companies House 16939677) · GDPR COMPLIANT UK GDPR COMPLIANT DEFENCE-GRADE

DEFONEOS is a sovereign-first platform. All data processing occurs on infrastructure you control. DEFONEOS can operate fully air-gapped with zero external data transmission. This policy covers the open-source software, the hosted enterprise tier, and government deployments.

📋 Contents

  1. Data Controller
  2. Data We Process
  3. Lawful Basis
  4. Data Sovereignty Guarantees
  5. Retention & Deletion
  6. Data Sharing & Third Parties
  7. Your Rights (GDPR)
  8. SIGIL Audit Chain
  9. AI Processing & Article 22
  10. Security Measures
  11. International Transfers
  12. Children's Data
  13. Changes to This Policy
  14. Contact & Complaints

1. Data Controller

CSOAI Ltd is the data controller for the DEFONEOS platform (open source, hosted enterprise, and government tiers).

2. Data We Process

2.1 Open Source Tier (Free)

The open-source DEFONEOS software processes data entirely on your infrastructure. CSOAI Ltd does not receive any data from open-source deployments. The software itself may process:

2.2 Enterprise/Hosted Tier

For customers using CSOAI-hosted DEFONEOS infrastructure, we process:

Data CategoryPurposeExamples
Account dataProvisioning & billingName, email, role, org
AuthenticationAccess controlUsername, hashed password, MFA token
Usage telemetryService improvementMCP call counts, latency metrics, error rates
SIGIL audit logsCompliance proofEd25519-signed action records
Deployment configService operationMCP server configs, BFT council settings

2.3 Government/MOD Tier

Government deployments are sovereign and air-gapped. No data leaves the government network. CSOAI Ltd provides software and support but does not process government data. All processing occurs on Crown infrastructure.

GDPR BasisWhen Applied
Contract (Art 6(1)(b))Enterprise/hosted tier account provisioning and service delivery
Legal obligation (Art 6(1)(c))SIGIL audit retention, JSP 440/936 compliance records
Legitimate interests (Art 6(1)(f))Service telemetry, security monitoring, fraud prevention
Vital interests (Art 6(1)(d))Emergency response integrations (medevac, disaster response)
Public task (Art 6(1)(e))Government deployments under Crown authority

4. Data Sovereignty Guarantees

DEFONEOS is architected for absolute data sovereignty:

5. Retention & Deletion

Data TypeRetention PeriodBasis
Account dataDuration of contract + 30 daysContract
SIGIL audit logs7 years minimumJSP 440 / legal obligation
Billing records7 yearsHMRC / Companies Act
Usage telemetry90 daysLegitimate interest
Authentication tokensSession durationSecurity
Open source dataUser-controlledN/A (your infrastructure)

6. Data Sharing & Third Parties

DEFONEOS does not sell data. We do not share data with advertisers, data brokers, or third parties for commercial gain.

Data may be shared with:

7. Your Rights Under GDPR

To exercise any right, contact the Data Protection Officer. Response within 30 days (GDPR requirement).

8. SIGIL Audit Chain

DEFONEOS uses an Ed25519-signed hash chain for all data access events. This provides cryptographic proof of every data interaction — who accessed what, when, and what they did with it. The chain is:

9. AI Processing & Article 22 (Automated Decisions)

DEFONEOS includes AI capabilities (ISR pipeline, threat detection, ISR correlation, intuition engine). Under GDPR Article 22:

10. Security Measures

See Security Architecture for full details.

11. International Transfers

Default: No international transfers. The open-source tier operates entirely on your infrastructure. The enterprise tier can be configured for UK-only, EU-only, or any sovereign region.

Where international transfers are explicitly configured (e.g., NATO allied deployment), appropriate safeguards are in place: Standard Contractual Clauses (SCCs), adequacy decisions, or sovereign-to-sovereign agreements.

12. Children's Data

DEFONEOS is a defence and public services platform. We do not knowingly process children's data. The platform is not directed at individuals under 18.

13. Changes to This Policy

This policy may be updated as DEFONEOS evolves. Material changes will be announced via the SIGIL chain and this page. The "Last updated" date above reflects the most recent revision.

14. Contact & Complaints

Data Protection Officer: Available via Contact Page
ICO (UK): ico.org.uk — UK supervisory authority
Lead EU Authority: Determined per customer jurisdiction
Complaints: You have the right to lodge a complaint with the ICO or your local data protection authority.

🐉 DEFONEOS — Sovereign Data. British Infrastructure. Forever.

CSOAI Ltd · Companies House 16939677 · GDPR · UK GDPR · JSP 440 · JSP 936