The rules we operate under.
DeepBlocker is built for organisations that handle voice, identity, and customer trust under serious regulation. This page surveys the UK and adjacent rules we keep in mind by default. We don't sell compliance — but our defaults shouldn't make your compliance team's job harder.
Regulations you should know.
The broad legal envelope DeepBlocker sits inside when deployed in the UK. Most of these apply to our customers as data controllers; we operate as a processor (or sub-processor) under their lawful basis.
The lawful-basis regime that governs all personal data processing in the UK post-Brexit, including biometric voice data (Article 9 special category). Customers using DeepBlocker need a documented lawful basis — typically Article 6(1)(f) legitimate interests for fraud prevention, with a balancing test.
Direct marketing and unsolicited communications rules. Relevant when DeepBlocker is deployed in front of contact-centre or outbound flows. Recording itself is not direct marketing, but adjacent processes are.
For financial-services customers: the cross-cutting duty to deliver good outcomes and avoid foreseeable harm. A documented voice-fraud defence is increasingly read as a foreseeable-harm mitigation.
Security and incident-reporting duties for operators of essential services and digital service providers. The 2025 Cyber Security and Resilience Bill expands scope (MSPs, data centres). DORA (EU) applies extraterritorially to UK firms serving EU financial entities.
Interception by third parties without lawful authority is unlawful. DeepBlocker is deployed by the line-owner on their own traffic — it is not a third-party intercept, and is not a lawful-intercept product.
Background statutes that constrain how AI systems are built and used in the UK. We design defaults so a customer using DeepBlocker doesn't inadvertently breach any of them.
Call recording and consent laws.
The UK is a one-party-consent jurisdiction for call recording in business contexts (under RIPA), but the ICO requires that data subjects be made aware. Recording voice data also engages UK GDPR Article 9 if the recording is processed to identify the speaker.
Most DeepBlocker customers rely on legitimate interests for fraud prevention. If voice is processed for speaker identification (biometric), an additional Article 9 condition is needed — most commonly substantial public interest (DPA 2018 Sch 1 Part 2 §10, preventing/detecting unlawful acts).
Callers must be made aware that calls may be recorded and screened. DeepBlocker does not replace that notice — your IVR / call greeting still has to disclose it. Employees being recorded need a DPIA and a privacy notice update.
Consent rules for automated calls, recorded voice messages, and SMS. Outside our typical scope (we screen inbound), but relevant for Red Team simulation campaigns — those must be against your own staff with appropriate notice, never against external numbers without consent.
ICO expects recording-specific retention schedules. DeepBlocker stores per-call audit data (score, verdict, transcript) under per-tenant retention you configure. Defaults are deletion-aware; data-residency on request.
If your contact list includes US numbers, federal Telephone Consumer Protection Act rules apply: prior express written consent for autodialled or pre-recorded calls. The Red Team product enforces TCPA validation on contact lists by design.
DeepBlocker is operated by the line-owner on their own number. It is not a third-party interception product. We do not provide lawful-intercept capability to law enforcement.
AI transparency and fairness.
UK regulation of AI is currently principles-based, with the ICO as the de facto enforcement body for AI that processes personal data. The EU AI Act applies extraterritorially when UK firms process data on EU subjects.
A decision based solely on automated processing with legal or similarly significant effect needs a specific legal route (consent, contract necessity, or law) and meaningful human review. DeepBlocker's three-band design — REAL / UNCERTAIN / FAKE — exists in large part to route UNCERTAIN to human review by default, so that auto-terminating on FAKE is a deliberate configuration choice by the buyer rather than a silent default.
Safety/security/robustness, transparency/explainability, fairness, accountability/governance, contestability/redress. We publish a model card (see /model-card) covering the first four; contestability is the customer's appeal flow.
Voice biometric identification / biometric categorisation can fall under high-risk obligations (risk management, data governance, technical documentation, human oversight, accuracy, robustness, cybersecurity). If you process EU subjects' voice, this applies even if you're a UK firm.
DPIA expected, accuracy testing documented, statistical-bias evaluation required. Our locked Reporting set (SHA-256 pinned, per-source breakdown) is the auditable basis our model card cites.
AI systems must not produce indirectly discriminatory outcomes against protected characteristics (e.g. systematic accent or demographic disparity). The per-source breakdown in the model card lets a procurement team check that English / Common Voice / LibriSpeech sources all sit safely inside the REAL band.
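As an added example (not DeepBlocker's own code), the Python below sketches the two mechanisms described above: the three-band routing in which UNCERTAIN always goes to a human and FAKE only terminates a call when the tenant has opted in, plus a SHA-256-pinned evaluation set whose per-source verdict breakdown a procurement team can recompute. The band cut-offs, file names and the byte strings standing in for audio are constructed assumptions, not product values.

```python
import hashlib
from collections import defaultdict

# Constructed band cut-offs for illustration only; the product's real thresholds are not on this page.
FAKE_MAX = 0.30   # score <= FAKE_MAX -> FAKE
REAL_MIN = 0.70   # score >= REAL_MIN -> REAL; anything in between is UNCERTAIN

def band(score):
    """Map a 0..1 'genuine' score to the three-band verdict."""
    if score >= REAL_MIN:
        return "REAL"
    if score <= FAKE_MAX:
        return "FAKE"
    return "UNCERTAIN"

def route(score, auto_terminate=False):
    """Return (verdict, action): UNCERTAIN always goes to a human; FAKE terminates only on explicit opt-in."""
    verdict = band(score)
    if verdict == "FAKE" and auto_terminate:
        return verdict, "terminate"
    if verdict == "REAL":
        return verdict, "pass"
    return verdict, "human_review"

def lock_manifest(clips):
    """Pin every clip of the evaluation set by SHA-256 (the 'locked' set)."""
    return {name: hashlib.sha256(audio).hexdigest() for name, (audio, _src) in clips.items()}

def verify_manifest(clips, manifest):
    """Return names whose bytes no longer match the pinned digest, or that were added/removed."""
    bad = [n for n in manifest if n not in clips
           or hashlib.sha256(clips[n][0]).hexdigest() != manifest[n]]
    return bad + [n for n in clips if n not in manifest]

def per_source_breakdown(clips, scores):
    """Count verdicts per data source, the check a buyer runs for accent or demographic skew."""
    out = defaultdict(lambda: {"REAL": 0, "UNCERTAIN": 0, "FAKE": 0})
    for name, (_audio, src) in clips.items():
        out[src][band(scores[name])] += 1
    return dict(out)

# Constructed sample set: short byte strings stand in for audio files.
CLIPS = {
    "cv_0001.wav": (b"constructed-common-voice-1", "Common Voice"),
    "cv_0002.wav": (b"constructed-common-voice-2", "Common Voice"),
    "ls_0001.flac": (b"constructed-librispeech-1", "LibriSpeech"),
    "tts_0001.wav": (b"constructed-synthetic-1", "Synthetic (FAKE label)"),
}
SCORES = {"cv_0001.wav": 0.92, "cv_0002.wav": 0.55, "ls_0001.flac": 0.81, "tts_0001.wav": 0.12}
MANIFEST = lock_manifest(CLIPS)  # pinned once, then checked before every report
```

A report generated after `verify_manifest` returns a non-empty list should be rejected, since the evaluation set it was computed on no longer matches the pinned one.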
Voluntary UK baseline for securing AI systems — supply-chain assurance, secure development, model integrity. We follow the principles; ask for our position statement under NDA.
Security and access control standards.
The frameworks our security posture is designed against. Where we say 'aligned', we mean the operating defaults map to the standard's controls — formal certification is a separate exercise we engage in as customer demand requires.
The international ISMS baseline — Annex A controls (organisational, people, physical, technological). Our internal control mapping is available under NDA for procurement due-diligence.
The first international standard specifically for AI management. It picks up where 27001 stops — model governance, AI risk management, intended-use scoping. We track 42001 as we mature.
AICPA trust services criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy. The reference framework for B2B SaaS vendor assurance in the UK as well as the US. We design controls to be SOC 2-auditable.
UK Government baseline (firewalls, secure config, access control, malware protection, patch management). The minimum bar to bid on most UK public-sector contracts.
Data in transit / at rest, supply-chain security, secure operations, secure user management, identity and authentication, external interface protection, secure service administration, audit information, secure service use. Our hosting (Modal / Railway) and operating model follow these principles.
Security duties for operators of essential services. Voice-fraud defence in a regulated sector (banking, telco) sits inside this perimeter. DORA (EU 2022/2554) extends similar duties to UK firms serving EU financial entities.
For financial-services buyers: outsourcing and operational resilience rules covering exit plans, sub-processor disclosure, audit rights, and incident reporting. Our enterprise contracts include the SYSC-aligned schedule.
Single sign-on (SAML / OIDC) supported; least-privilege defaults; per-tenant data isolation; audit logging on every operator action. Hardware-token MFA recommended for any operator role with deletion or export rights.
What we can send under NDA.
- Model card (public abridged at /model-card; full version under NDA).
- Methodology one-pager: locked Reporting set, SHA-256 manifest, per-source breakdown, known limitations.
- Data flow diagram (audio in → analysis → verdict → audit log; retention and residency boundaries).
- Sub-processor list (Modal serverless GPU, Railway hosting, Twilio for telephony, Firebase Auth/Firestore for operator state).
- Security position statement: control mapping against ISO 27001 Annex A and the NCSC 14 principles.
- Incident-response runbook (detection, containment, and notification timelines aligned to the UK GDPR Art. 33 72-hour breach-notification window).
- DPIA template appropriate for adding DeepBlocker to a contact-centre or treasury line.
Request the auditor pack at [email protected] with a brief NDA on file.
Need to brief a compliance or risk team?
We routinely sit through buyer-side risk reviews under NDA. Bring your questions — we'll send the right artefacts back.