SAX AI Limited is a UK-based company that provides technology to automate Know Your Business (KYB) workflows for investment banks in the UK and is committed to maintaining a high standard of privacy, security, and regulatory accountability under the UK GDPR.
This Trust Center describes the governance, technical, and organisational measures used to support compliance with UK data protection law and the EU AI Act as a limited-risk AI deployer, with controls aligned to our ISO 27001:2022 Certificate and privacy governance practices associated with it.
SAX AI Limited demonstrates its compliance posture through a combination of certified information security controls, maintained GDPR documentation, and active management governance. ISO 27001:2022 does not by itself prove GDPR compliance, but it provides a recognised control framework that supports GDPR Article 32 obligations on security of processing and broader accountability measures when combined with privacy-specific documentation and governance.
SAX AI Limited relies on its ISO 27001:2022-certified Information Security Management System (ISMS) as the foundation for the secure provision of its KYB automation services. The ISMS covers relevant assets, technologies, operational processes, risk assessment, access control, monitoring, and audit activities needed to support secure delivery for investment bank customers in the UK.
The scope of SAX AI Limited's ISMS includes the assets, technologies and processes used for the secure provision of services that automate KYB (Know Your Business) for investment banks in the UK. The scope is also defined with consideration of the external and internal context of the organisation, the requirements of interested parties such as customers and regulatory bodies, and boundaries with third parties.
The certification model also supports continuous improvement through periodic surveillance and management review cycles rather than a one-off compliance exercise. This is important in the GDPR context because security of processing must remain appropriate to risk over time, not only at implementation.
SAX AI Limited maintains curated GDPR compliance documentation designed to support transparency, accountability, and operational readiness. The documentation set is intended to go beyond a minimal paperwork approach by creating a structured evidence base that can be used internally, in customer due diligence, and during audits.
The principal documentation maintained includes the following:
Top management involvement is a central part of SAX AI Limited's compliance model. Management commitment is evidenced through quarterly ISMS management reviews, quarterly access reviews, maintenance of a dedicated DPO function, and budget allocation.
Quarterly access reviews are used to confirm that vendor access, documentation hygiene, and deletion practices remain up to date and proportionate to business needs. This supports both ISO control effectiveness and GDPR principles such as integrity, confidentiality, and storage limitation.
SAX AI Limited maintains a dedicated DPO function as part of its privacy governance structure. The DPO function supports monitoring, internal advice, documentation review, and data subject rights processes in line with UK GDPR governance expectations.
Where SAX AI Limited acts as a controller, it applies documented retention, rights-handling, and accountability measures. Where it acts as a processor for customer data in the KYB environment, it supports contractual commitments through DPA terms, documented subprocessors, and internal security controls.
SAX AI Limited's AI compliance position is based on its classification as a limited-risk AI deployer rather than a provider of prohibited or high-risk AI systems, as set out in the company's documented compliance position. On that basis, the company focuses on transparency obligations, human oversight in escalated cases, and maintenance of internal technical documentation describing architecture and data flows.
This includes disclosure that AI is used in relevant workflows, escalation paths for complex or sensitive queries requiring human review, and retention of technical documentation in internal repositories. This approach is consistent with the broader expectation that limited-risk systems still require organisational controls, even where the highest AI Act obligations do not apply.
SAX AI Limited keeps evidence of its compliance posture in a centralised repository through Vanta, allowing documentation, approvals, and supporting records to be managed in one place. This supports audit readiness and gives customers a clearer evidential basis for vendor due diligence than relying only on policy statements.
The evidence base includes governance records, security documentation, privacy documentation, and process artefacts used to demonstrate operational compliance. In practice, this helps link policy commitments to actual implementation and review.
For customer and partner diligence, SAX AI Limited justifies its GDPR and EU AI Act compliance by combining certified security controls, maintained privacy documentation, and management-led governance. This combined position is stronger than relying on ISO 27001 alone, because it adds processor/controller documentation, rights procedures, subprocessor transparency, and AI governance measures specific to the service context.
Customers may therefore understand the SAX AI compliance model as having three core pillars:
- Certified information security controls (ISO 27001:2022), as the foundational security framework for the KYB service.
- Maintained GDPR documentation, as a structured accountability set.
- Active management governance, through DPO support, management review, access review, and compliance tooling.
Upon request, SAX can provide our customers with periodic evidence of our data protection and information security compliance. These documents are shared under appropriate confidentiality terms and are intended to support your due diligence and vendor-risk-assessment processes.
Available evidence may include:
- Summarised minutes or structured reports from our internal Data Access Reviews, showing how access to personal and sensitive data is periodically reviewed, adjusted, and revoked for relevant roles and systems.
- Periodic, anonymised summaries of data-retention and deletion activities, indicating which categories of data were subject to retention or deletion during the reporting period, without disclosing individual records.
- A copy of our current ISO 27001 certificate and, where applicable, a high-level summary of the scope and controls included within our ISMS.
- An overview of our core policies (e.g., Information Security Policy, Data Protection Policy, Incident Response Policy) showing how GDPR and other applicable regulations are implemented at an organisational level.
At SAX AI, privacy, transparency, and accountability are important parts of how personal data is handled. Under the UK GDPR, individuals have certain rights in relation to their personal data, including the right to access, rectify, erase, restrict, or object to processing, and, where applicable, the right to data portability.
In most cases, SAX AI Limited acts as a data processor on behalf of its customers in connection with its KYB and related SaaS services. Where SAX AI processes personal data solely on a customer's behalf, SAX cannot respond directly to a data subject request without the relevant customer's instructions, and the request should therefore be directed to the organisation that originally collected the data.
Where SAX AI Limited acts as a data controller, for example in relation to job applicants, employees, business contacts, or certain direct interactions with its own website and operations, individuals may contact SAX directly to exercise their rights. Requests can be submitted to dpo@sax.ai, and they will be reviewed and handled in accordance with applicable data protection law and SAX's internal DSR procedure.
SAX aims to acknowledge requests promptly and to respond within the timeframes required by law. Where necessary, SAX may request reasonable proof of identity before taking action, in order to protect personal data against unauthorised disclosure.
Access to systems and data is restricted on a need-to-know basis and follows the principle of least privilege. SAX uses role-based access controls, periodic access reviews, and enhanced authentication measures for privileged access to reduce the risk of unauthorised access to personal data.
SAX is designed to limit unnecessary exposure of customer data and to support secure handling of personal data within its services. Access to customer data is restricted to authorised personnel where required for service delivery, support, security, or legal compliance, and such access is subject to internal controls and review.
SAX maintains technical and organisational measures to protect its systems and services against unauthorised access, misuse, and service disruption. These measures include security monitoring, controlled access to production environments, and protective controls appropriate to the risks associated with a SaaS environment.
SAX applies encryption and related safeguards to protect personal data in transit and at rest, as appropriate to the nature of the processing and associated risks. These measures form part of SAX's broader security and compliance framework, which is aligned with UK GDPR requirements and supported by its ISO 27001-based information security governance.