Privacy & Data Protection Notice

Our commitment to protecting your privacy and personal data.

Amivest Solutions Limited Privacy & Data Protection Notice

Last updated: 9 March 2026

This privacy and data protection notice tells you what to expect us to do with your personal information and outlines our comprehensive approach to data protection compliance.

Contact Details

Post: 54 Brantfell Road, BLACKBURN, BB1 8DL, GB

Email: info@reawoken.co.uk

Data Protection Officer: Mohammed Amir Elahi (info@reawoken.co.uk)

ICO Registration Number: ZB950916

About Amivest Solutions Limited

Amivest Solutions Limited is a UK-based technology company specialising in the development of AI-integrated software solutions for businesses. Our primary focus is creating innovative tools that help organisations process and analyse data more efficiently while maintaining the highest standards of data protection and security.

Our Role Under Data Protection Law

Our primary role is that of a Data Processor. When providing our Reawoken medical record analysis platform to law firms, Amivest Solutions Limited processes personal data on behalf of the instructing law firm, which acts as the Data Controller in respect of the medical records they upload. The vast majority of personal data we handle — including all medical records, case data, and client information — is processed strictly under the instructions of the Data Controller.

As Data Processor for medical records and case data, we:

  • Process personal data only on the documented instructions of the Data Controller (the instructing law firm)
  • Process data strictly for the purpose of medical record review and AI-assisted legal analysis
  • Do not use personal data for any purpose beyond that which the Data Controller has authorised
  • Assist the Data Controller in meeting their own obligations to data subjects under UK GDPR

We enter into a formal Data Processing Agreement (DPA) with all client organisations before any processing of personal data commences. These agreements set out the scope of processing, security obligations, sub-processor arrangements, and each party's responsibilities.

In a limited capacity, we also act as a Data Controller for certain operational data where we determine the purposes and means of processing. This includes:

  • User account information (names, email addresses, and roles) necessary to operate the platform
  • Billing and payment data processed via GoCardless
  • Audit and security logs generated by the platform
  • Website usage data and cookies
  • Support and correspondence records

For this operational data, we comply with all Data Controller obligations under UK GDPR, including maintaining a lawful basis for processing, respecting data subject rights, and applying appropriate security measures.

Data Protection Policy Framework

Goals of Our Data Protection Approach

Our data protection objectives align with both legal requirements and our commitment to ethical data handling:

  • Transparency: Ensure clear communication about how we process personal data
  • Minimisation: Collect and process only the data necessary for legitimate business purposes
  • Security: Implement robust technical and organisational measures to protect personal data
  • Accountability: Demonstrate compliance through comprehensive documentation and regular reviews
  • Individual Rights: Respect and facilitate the exercise of data subject rights
  • Continuous Improvement: Regularly assess and enhance our data protection practices

Security Policy and Responsibilities

Data Protection Leadership:

  • Mohammed Amir Elahi serves as Director and Data Protection Officer, with overall responsibility for data protection strategy and compliance
  • All employees receive regular data protection training through webinars and workshops
  • Commitment to continuous improvement of our data protection management system

Key Responsibilities:

  • Data Protection Officer: Oversees policy compliance, conducts annual reviews, and manages Data Protection Impact Assessments (DPIAs)
  • Engineering Team: Implements technical safeguards, maintains audit logs, and ensures secure data handling
  • All Staff: Undergo mandatory data protection training and follow established procedures

Legal Framework

Our data protection practices comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Relevant provisions of the Data (Use and Access) Act 2025
  • Industry best practices for AI and technology companies

What Information We Collect, Use, and Why

We collect or use the following information to provide AI-integrated software services and solutions:

  • Names and contact details
  • Addresses
  • Date of birth
  • Health information (including dietary requirements, allergies, and health conditions)
  • Health and safety information
  • Website user information (including user journeys and cookie tracking)

We also collect or use the following special category information to provide services and goods, including delivery. This information is subject to additional protection due to its sensitive nature:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Genetic information
  • Health information
  • Sex life information
  • Sexual orientation information

Lawful Bases and Data Protection Rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. Which lawful basis we rely on may affect your data protection rights.

Your Data Protection Rights

  • Your right of access — You have the right to ask us for copies of your personal information and request details about where we get personal information from and who we share it with
  • Your right to rectification — You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete
  • Your right to erasure — You have the right to ask us to delete your personal information
  • Your right to restriction of processing — You have the right to ask us to limit how we can use your personal information
  • Your right to object to processing — You have the right to object to the processing of your personal data
  • Your right to data portability — You have the right to ask that we transfer the personal information you gave us to another organisation, or to you
  • Your right to withdraw consent — When we use consent as our lawful basis you have the right to withdraw your consent at any time

If you make a request, we must respond to you without undue delay and in any event within one month.

Our Lawful Bases

Consent — We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.

Legitimate Interests — We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. Our legitimate interests include:

  • Providing efficient AI-integrated software solutions that accelerate business processes
  • Ensuring accurate and secure data processing through our technological infrastructure
  • Meeting our professional obligations to clients while maintaining data security
  • Improving our services through aggregated, anonymised analytics
  • Protecting against fraud and ensuring system security

Special Category Data — Where we process special category data (including health data contained in medical records), we rely on Article 9(2)(f) UK GDPR — processing is necessary for the establishment, exercise, or defence of legal claims. Additionally, we satisfy the requirements of Schedule 1, Part 2 of the Data Protection Act 2018. An Appropriate Policy Document is maintained as required.

Technical and Organisational Measures (TOM)

We implement comprehensive security measures based on Article 32 UK GDPR. The measures below reflect the actual technical controls deployed in the Reawoken platform.

Encryption

  • In transit: TLS 1.2 and TLS 1.3 enforced for all connections; no unencrypted HTTP permitted
  • At rest: AES-256 encryption applied to all stored documents and database contents
  • Database servers: Full-disk encryption using LUKS2 on all database server volumes
  • Backups: All backup files are encrypted before transfer and at the storage destination
  • Encryption keys are managed independently from the encrypted data
  • Pseudonymisation techniques are applied where technically feasible. However, pseudonymisation is not applied to medical record content sent for AI analysis, as clinical context dependencies — including patient names, dates, and medical history — are essential for accurate medical chronology analysis. This limitation is documented in our International Transfer Impact Assessment.

Access and Authorisation

  • Multi-factor authentication (MFA) enforced for all user accounts without exception
  • Role-based access control (RBAC) with three defined roles: Admin, Solicitor, and Paralegal — each with scoped permissions aligned to their responsibilities
  • User approval workflow: New user registrations are placed in a PENDING state and require explicit administrator approval before access is granted
  • Session timeouts: 4-hour inactivity timeout and a 12-hour absolute session timeout, after which re-authentication is required
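  • Secure cookies: Session tokens are stored in cookies set with the httpOnly, sameSite strict, and secure attributes, which keep the tokens out of reach of client-side script (limiting the impact of cross-site scripting) and mitigate cross-site request forgery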
  • API key management: API keys issued with a 90-day rotation advisory; keys can be revoked immediately
  • Regular access reviews to remove stale or excess permissions

Network and Infrastructure

  • Default-deny firewall rules: All inbound traffic is blocked unless explicitly permitted
  • Rate limiting applied to all API endpoints to prevent abuse and denial-of-service
  • Brute-force protection: Automatic account lockout triggered after repeated failed authentication attempts
  • Security headers: HTTP Strict Transport Security (HSTS), Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options enforced on all responses
  • Reverse proxy isolation: Backend services are not directly internet-accessible; all traffic passes through a hardened reverse proxy

Upload Security

  • Malware scanning: All uploaded files are scanned for malware before processing. The platform operates on a fail-closed basis — uploads are rejected if the scan cannot be completed
  • File type validation: File types are verified using magic byte inspection and MIME type checking, not solely file extension
  • Path traversal prevention: Server-side controls prevent directory traversal attacks
  • Maximum upload size: 350 MB per upload, enforced at both the application and infrastructure layers

Monitoring and Detection

  • Error monitoring: Real-time application error monitoring and alerting via Sentry, enabling rapid response to anomalies
  • Structured audit logging: Comprehensive audit logs capture login attempts, data access events, exports, file operations, and permission changes
  • Tamper-evident logs: Audit log entries are protected with SHA-256 checksums to detect unauthorised modification
  • Log sanitisation: Personally identifiable information (PII) is automatically redacted from application logs; medical data never appears in plaintext logs

Development Security

  • CI/CD pipeline security: Automated pipeline incorporates dependency scanning, Static Application Security Testing (SAST), container image scanning, and frontend security audits on every deployment
  • Dependency management: Weekly automated dependency scanning via GitHub Dependabot; vulnerabilities triaged and patched promptly
  • Input validation: All user inputs are validated server-side; AI prompt injection detection is applied to inputs passed to AI models

Data Integrity and Availability

  • Automated backups: Daily automated backups to encrypted AWS S3 (eu-west-2, London) with a 30-day rolling retention window
  • Backup verification: Backup integrity is verified automatically; restore tests are conducted periodically
  • Server snapshots: Infrastructure snapshots taken to support point-in-time recovery
  • Disaster recovery: Documented Disaster Recovery Plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Service resilience: Automatic service restart on failure, with health-check monitoring

Organisational Measures

Data Protection by Design and Default:

  • Privacy-focused system architecture with data minimisation at every layer
  • Zero caching by external AI providers unless specifically configured
  • Regular security assessments and updates

Training and Awareness:

  • Mandatory data protection training for all staff
  • Regular workshops and webinars on data protection best practices
  • Ongoing awareness campaigns about data protection responsibilities

Formal Policies: The following formal policy documents are maintained and are available to clients on request:

  • Information Security Policy (ISP) — sets out our technical and organisational security standards
  • Disaster Recovery Plan — documents our recovery procedures with a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours
  • Service Level Agreement (SLA) — commits to a 99.5% platform uptime target and defines response times for support and incident management
  • International Transfer Impact Assessment (ITIA) — evaluates the legal framework and practical risks associated with each international transfer of personal data

Multi-Tenancy and Data Isolation

The Reawoken platform is a multi-tenant system serving multiple law firms. Data isolation is enforced at the architecture level:

  • Organisation-based isolation: All records — cases, documents, reviews, and user accounts — are tagged with a unique organisation identifier at the point of creation
  • Automatic query filtering: All database queries are automatically filtered by organisation membership; it is not possible to retrieve records belonging to a different organisation through the application layer
  • No cross-organisation access: There is no technical path within the application that would permit one organisation's data to be accessed by another
  • User approval workflow: New user accounts are created in a PENDING state and must be explicitly approved by an administrator within the correct organisation before the account is activated. This prevents unauthorised access resulting from registration errors

Artificial Intelligence and Data Processing

How AI Is Used

The Reawoken platform uses two AI systems for medical record analysis:

  • Google Gemini — used for personal injury medical record analysis (RTA, Employers Liability, Occupiers Liability, Public Liability cases)
  • OpenAI GPT — used for noise-induced hearing loss (NIHL) claim analysis, working in conjunction with our keyword detection and verification pipeline

Data Protection in AI Processing

  • No training on client data: Enterprise API agreements are in place with both Google and OpenAI. Personal data submitted via the API is not used for model training, fine-tuning, or improvement
  • Transient processing: Medical records are processed in real time and immediately discarded; they are not permanently retained by AI providers beyond the contractual terms below
  • Google Cloud Data Processing Addendum (CDPA) applies to all data processed via Google Gemini
  • OpenAI Data Processing Agreement (DPA) applies to all data processed via OpenAI GPT models
  • Both AI providers act as sub-processors under our Data Processing Agreements with client organisations

AI Data Retention

  • Google Gemini: Zero data retention — no data is stored by Google after the API call completes
  • OpenAI GPT: Maximum 30 days for abuse monitoring purposes, after which data is permanently and irreversibly deleted. OpenAI does not use this data for model training. Note: A Zero Data Retention (ZDR) application has been submitted to OpenAI. Upon approval, this will reduce the maximum retention period from 30 days to zero for all API interactions.

Where We Get Personal Information From

  • Directly from you
  • Legal and judicial sector organisations
  • Business partners and clients (in the course of providing AI software solutions)

How Long We Keep Information

Retention Principles

We keep data only as long as one of the following continues to apply:

  • The business purpose for which it was collected remains valid
  • Legal or regulatory requirements mandate retention
  • Legitimate interests require continued processing
  • Contractual obligations necessitate retention

Retention Schedule

| Record Type | Purpose | Maximum Retention | Rationale |
|---|---|---|---|
| Client Business Data | Service delivery | Duration of contract + 7 years | Business records requirements |
| Medical Records (Encrypted) | Legal analysis services | 90 days from upload | Technical processing window |
| System Audit Logs | Security monitoring | 2 years | Security incident investigation |
| Employee Training Records | Compliance demonstration | 7 years after employment ends | Regulatory requirements |
| Support Communications | Customer service | 18 months after resolution | Customer reference needs |
| Database Backups | Disaster recovery | 30 days | Rolling backup window |
| AI Processing Data | Medical record analysis | 0 days (Google) / 30 days max (OpenAI) | Contractual deletion terms |

Periodic reviews are conducted annually to ensure compliance with retention schedules.

Who We Share Information With

Sub-Processors

We engage the following sub-processors. Data Processing Agreements are in place with each provider. Transfers outside the UK are subject to appropriate safeguards as described in the International Transfers section below.

| Sub-Processor | Purpose | Data Shared | DPA Status | Data Location |
|---|---|---|---|---|
| Google Gemini | AI analysis of medical records (PI cases) | OCR-extracted text | Google CDPA in place | EU / US |
| OpenAI GPT | AI analysis of medical records (NIHL cases) | OCR-extracted text | OpenAI DPA in place | US |
| AWS (S3 + Textract) | Document storage and OCR | Uploaded documents | AWS DPA in place | eu-west-2 (London, UK) |
| Microsoft Azure (Document Intelligence) | OCR processing | Uploaded documents | Microsoft DPA in place | UK |
| Auth0 (Okta) | User authentication and access management | User email and role | Auth0 DPA in place | EU |
| Resend | Transactional email delivery | Email addresses | Resend DPA in place | US |
| GoCardless | Payment processing | Billing details | GoCardless DPA in place | UK / EU |
| Sentry | Error monitoring and alerting | Anonymised error data (no PII) | Sentry DPA in place | US |
| Contabo | Database server hosting | Encrypted database contents | Contabo DPA in place | UK / EU |

Others We Share Information With

  • Health care providers (where relevant to service delivery)
  • Professional or legal advisors
  • Business partners (only where necessary for service delivery)

Data Storage Locations

The following list summarises where data is physically stored:

  • Documents (medical records): AWS S3 eu-west-2 — London, United Kingdom
  • Database (cases, users, reviews): UK/EU data centres hosted by Contabo
  • Backups: AWS S3 eu-west-2, encrypted at rest
  • AI processing: May involve US-based servers for Google Gemini and OpenAI GPT processing; see the International Transfers section for safeguards in place

Data Subject Rights and Early Deletion

Data subjects may request erasure under Article 17 UK GDPR. Where the business purpose no longer exists, we will expedite secure deletion within 30 days while notifying all sub-processors.

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for:

  • New AI processing activities involving personal data
  • Changes to existing processing that may increase privacy risks
  • High-risk processing activities as defined by UK GDPR

Incident Response Management

Our incident response procedures include:

  • Immediate containment and assessment
  • Risk evaluation and impact analysis
  • Notification to relevant authorities within 72 hours where required
  • Communication to affected individuals where high risk is identified
  • Post-incident review and system improvements
  • Structured audit logging enables rapid incident investigation and timeline reconstruction
  • Real-time monitoring and automated alerting via Sentry ensure incidents are identified promptly
  • Automated brute-force detection and account lockout to contain credential-based attacks
  • All security incidents are logged with timestamps, actions taken, and resolution details to support regulatory reporting and post-incident review

International Transfers

We take a data-residency-first approach. The following summarises where data does and does not cross UK borders:

  • Documents and database backups remain in the United Kingdom — stored on AWS S3 eu-west-2 (London) and Contabo UK/EU infrastructure
  • AI processing may involve US-based servers — Google Gemini and OpenAI GPT are US-based services. When medical record text is sent for AI analysis, it may be processed on US infrastructure

The following safeguards are in place for all international transfers:

  • Google — UK–US Data Privacy Framework (Data Bridge): Google LLC is a verified participant in the UK–US Data Privacy Framework. The UK Extension to the EU–US Data Privacy Framework (the “Data Bridge”) provides an adequacy-based transfer mechanism recognised under UK GDPR. DPF certification verified: 9 March 2026.
  • OpenAI — Standard Contractual Clauses: OpenAI is confirmed as not listed on the Data Privacy Framework. Transfers to OpenAI rely on Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum as required under UK GDPR. Additional technical safeguards are applied, including TLS encryption in transit and contractual prohibition on use of data for model training.
  • TLS encryption for all data in transit, regardless of destination
  • AI data is transient — medical records sent to AI providers are processed in real time and not permanently retained (see AI Data Retention above)

A formal International Transfer Impact Assessment (ITIA) is maintained and reviewed annually. This assessment evaluates the legal framework and practical risks associated with each international transfer, including an analysis of the legal environment in the destination country and the likelihood of government access to personal data.

How to Complain

If you have concerns about our use of your personal data, contact us using the details above.

If you remain unhappy after raising a complaint with us, you can complain to the ICO:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Policy Review and Updates

This notice is reviewed at least annually or sooner if:

  • Underlying law changes
  • New data types or processing activities are introduced
  • Audit findings or security incidents warrant revision
  • Significant changes to our business operations occur

Document Version: 3.1

Next Review Date: March 2027

ICO Registration: ZB950916

Approved by: Mohammed Amir Elahi, Director & DPO

Questions About Our Privacy & Data Protection Notice?

If you have any questions or concerns about our privacy practices, please don't hesitate to contact us.