DocPolish is architected around the regulatory frameworks that govern your sector. Every design decision reflects the standards your compliance team expects to see.
built to the standard · not bolted on after
These principles are embedded in the DocPolish processing pipeline, not layered on top.
Clinical Entity Recognition (CER) detects personally identifiable information and replaces it with coded placeholders in the user's browser, before any data leaves for cloud processing. Only the placeholder text is transmitted; the original values stay in browser memory, so detected PII never reaches the polishing engine.
Document content is processed exclusively for the purpose of linguistic refinement. No data is retained after processing, used for model training, shared with third parties or repurposed for analytics beyond the immediate polishing task.
Every processed document receives a Trust Certificate containing a cryptographic hash of the processed document, processing metadata and entity restoration verification. This creates an auditable record that compliance teams can reference and that anyone holding the document can check by recomputing the hash.
The X-Ray CER overlay allows users to inspect exactly which entities were detected, anonymised and restored. The full processing pipeline is visible through the real-time systems panel — no black-box operations.
Users review and approve payloads before cloud transmission via the Payload Review modal. Processing stages, entity counts and character metrics are displayed for informed consent. Nothing is sent without explicit approval.
Browser-side CER processing keeps sensitive data handling in the user's own environment. Because PII classification runs locally, identifiable values are never sent over the network, and the cloud engine never has to be trusted with them. This is data minimisation applied at the architecture level rather than by policy.
These regulations apply to all sectors DocPolish serves. Our architecture addresses each framework's core requirements.
The UK GDPR establishes the foundational data protection framework. The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, amends certain provisions including automated decision-making rules and introduces a recognised legitimate interest basis for specified processing activities.
The EU AI Act introduces a risk-based regulatory framework for AI systems. General-purpose AI provisions became effective August 2025. Full high-risk obligations apply from August 2026. It applies to UK firms that place AI systems on the EU market or whose systems' output is used in the EU, regardless of where the firm is established.
The ICO provides detailed guidance on applying UK GDPR principles to AI systems, covering lawfulness, fairness, transparency, and accountability. The ICO's enforcement priorities for 2026 include AI decision-making, particularly where it affects individuals.
The UK is updating the Network and Information Systems Regulations 2018 through the Cyber Security and Resilience Bill, expanding the regulated scope and incident reporting obligations. Organisations processing sensitive data are expected to demonstrate resilient security architectures.
Select your sector to see the specific regulatory frameworks DocPolish is designed to support.
Insurance firms operate under dual regulatory oversight from the FCA (conduct) and PRA (prudential), with Lloyd's entities subject to additional governance requirements. Document handling in this sector must satisfy data protection obligations alongside sector-specific conduct rules, particularly under the Consumer Duty framework introduced in 2023 and simplified in December 2025 through PS25/21.
| Regulation / Standard | Authority | Relevance to Document Processing | DocPolish Alignment |
|---|---|---|---|
| FCA SYSC Rules · Senior Management Arrangements, Systems and Controls | FCA | Requires secure data storage, access controls and audit trails. Firms must maintain sound risk management frameworks including oversight of data-related risks. SYSC 3 and SYSC 10 apply to governance of information handling. | Architecturally aligned — audit trail via Trust Certificate; no persistent data storage eliminates retention risk |
| FCA Consumer Duty · PS22/9 · simplified via PS25/21 (Dec 2025) | FCA | Requires firms to deliver good outcomes for retail customers. Documentation standards must support clear communication. FCA reviewing application to non-UK customers in Q2 2026. | Aligned — DocPolish improves clarity and professionalism of customer-facing documents |
| FCA Principle 11 · Relations with Regulators | FCA | Firms must disclose anything the FCA would reasonably expect to know, requiring strong data lineage and reporting traceability. | Designed for — Trust Certificate provides processing lineage and integrity hash |
| Lloyd's Minimum Standards · Coverholder Reporting Standards v5.2+ | Lloyd's | Lloyd's data governance adds a third compliance layer beyond FCA/PRA. Policyholder data subject to GDPR, DPA 2018 and insurance-specific regulations. Documentation must meet ACORD data standards. | Aligned — CER anonymisation protects policyholder PII; no data retained post-processing |
| Solvency II (UK) · Directive 2009/138/EC as transposed into UK law · PRA reforms 2024 | PRA | Operational risk management including data handling, systems controls and reporting obligations. PRA consulting on reforms throughout 2024–2025. | Designed for — zero-retention architecture reduces operational data risk |
Law firms and legal practitioners operate under the SRA Standards and Regulations (2019, updated), with professional obligations around client confidentiality, privilege protection and information security. The SRA received over 2,300 reports of data breaches and cyber security incidents in 2025, making document handling a critical compliance area.
| Regulation / Standard | Authority | Relevance to Document Processing | DocPolish Alignment |
|---|---|---|---|
| SRA Standards and Regulations · Code of Conduct for Firms · Code of Conduct for Solicitors | SRA | Seven SRA Principles require firms to act with integrity, uphold public trust and maintain proper administration of justice. Data handling must protect client confidentiality. COLPs must have authority to escalate compliance concerns. | Architecturally aligned — client data anonymised before cloud processing protects confidentiality obligations |
| Legal Professional Privilege · Common law · Legal Services Act 2007 | Courts / SRA | Privileged communications between solicitor and client must be protected from disclosure. Document processing must not compromise privilege status through data exposure to third parties. | Aligned — CER anonymisation replaces detected identifiers before cloud transmission, so the text that reaches external servers carries placeholders in place of identifying content; firms should still assess whether sending the substance of a privileged communication to a third-party processor is consistent with their privilege position |
| SRA Cyber Security Guidance · Updated September 2025 (AI guidance) · January 2026 (remote working) | SRA | Firms must take a "prevent, detect, and respond" approach to cyber threats. Cloud service providers must meet specific requirements (March 2025 update). AI use in legal practices has specific guidance (September 2025). | Designed for — browser-side processing minimises cloud exposure; no persistent data storage eliminates breach surface for stored documents |
| Equality Act 2010 · Protected characteristics · Anti-discrimination | EHRC | Relevant where AI processing could introduce bias based on protected characteristics. The ICO notes this intersects with data protection fairness obligations for any AI system processing personal data. | Designed for — DocPolish refines language quality, not content decisions; CER entity detection is pattern-based, not predictive |
| SRA Transparency Rules · Price, service and complaint transparency | SRA | Firms must be transparent about services and pricing. Documents prepared for clients must meet standards of clarity and professionalism. | Aligned — DocPolish improves document clarity; sector-specific polishing calibrated for legal communication standards |
Healthcare organisations operate under some of the most stringent data protection requirements in the UK. The NHS Data Security and Protection Toolkit (DSPT) Version 8, published for 2025–26, must be completed by 30 June 2026. The eight Caldicott Principles govern all handling of patient confidential information. The European Health Data Space (EHDS) phased implementation began March 2026.
| Regulation / Standard | Authority | Relevance to Document Processing | DocPolish Alignment |
|---|---|---|---|
| NHS Data Security and Protection Toolkit (DSPT) · Version 8 · 2025–26 cycle · Deadline 30 June 2026 | NHS England | Mandatory self-assessment for all organisations accessing NHS patient data and systems. V8 introduces updated outcomes, assertions and evidence items. Aligned with NCSC Cyber Assessment Framework v3.4. Covers 10 National Data Guardian security standards across people, process and technology. | Designed for — zero-retention processing, browser-side PII handling and the Trust Certificate audit trail support DSPT evidence requirements |
| Caldicott Principles · Eight principles · Caldicott Guardian oversight | NHS England / National Data Guardian | Eight principles governing use of patient confidential information: justify purpose, use only when necessary, use minimum necessary, access on need-to-know basis, awareness of responsibilities, comply with law, duty to share for individual care, and inform expectations of use. | Architecturally aligned — CER anonymisation satisfies the "minimum necessary" principle; purpose-limited processing; no data sharing beyond the immediate polishing task |
| GMC Confidentiality Guidance · Good Medical Practice · Confidentiality: good practice in handling patient information | GMC | Doctors must keep patient information confidential, only disclosing with consent or where required by law. Medical documents containing patient data must be handled with appropriate safeguards. | Aligned — patient identifiers anonymised before cloud processing; medical terminology preserved through sector-specific CER rules |
| UK GDPR Article 9 · Special Category Data (health data) | ICO | Health data is classified as special category data requiring additional protections and a specific condition for processing under Article 9, alongside a lawful basis under Article 6. Higher standards apply throughout the processing lifecycle. | Aligned — CER specifically targets and anonymises clinical entities (patient names, NHS numbers, dates of birth, medication names, diagnoses) before any cloud transmission |
| European Health Data Space (EHDS) · Phased implementation from March 2026 | European Commission | Introduces obligations for interoperability, access controls and detailed logging of electronic health records. Relevant for UK organisations processing EU patient data or supplying to EU healthcare providers. | Designed for — processing transparency and audit logging through Trust Certificate; no data retention supports access control requirements |
Financial services firms are dual-regulated by the FCA and PRA with extensive data governance requirements under SYSC, MiFID II record-keeping obligations and operational resilience expectations. The FCA oversees approximately 42,000 businesses and continues to tighten enforcement around data handling and AI use in 2026.
| Regulation / Standard | Authority | Relevance to Document Processing | DocPolish Alignment |
|---|---|---|---|
| FCA SYSC Sourcebook · Senior Management Arrangements, Systems and Controls | FCA | Requires firms to maintain sound risk management frameworks, secure data storage, access controls and comprehensive audit trails. Senior leaders are accountable for data-related risks and governance. | Architecturally aligned — Trust Certificate provides audit trail; zero-retention architecture eliminates data storage risk; Payload Review supports informed oversight |
| MiFID II Record-Keeping · Markets in Financial Instruments Directive II | FCA / EU | Extensive record-keeping obligations for communications and documentation. Firms must maintain auditable records of client interactions and document any processing applied to regulated communications. | Designed for — Trust Certificate hash provides integrity verification of the processed output; processing metadata logged for audit purposes |
| FCA Operational Resilience · PS21/3 · Important business services | FCA / PRA | Firms must identify important business services, set impact tolerances and remain within tolerance during severe but plausible disruption scenarios. Document processing tools used in critical business services must demonstrate resilience. | Designed for — stateless processing architecture means no dependency on stored data; browser-side CER operates without network dependency for PII detection |
| FCA Consumer Duty · PS22/9 · Consumer understanding outcome | FCA | Consumer understanding outcome requires clear and effective communications. Documentation must support consumers making informed decisions. This is relevant to any tool improving client-facing financial communications. | Aligned — sector-specific polishing calibrated for financial communication standards; improves clarity and readability of client-facing documents |
| PCI DSS · Payment Card Industry Data Security Standard v4.0.1 | PCI SSC | Applies where document content contains or references payment card data. Requires protection of cardholder data throughout the processing lifecycle; scope turns on the primary account number (PAN). | Aligned — CER entity detection includes financial identifiers (account numbers, sort codes), so detected values are replaced before transmission; deployments relying on this for PCI DSS scope should confirm that the sector rule set also detects PANs |
Academic institutions handle sensitive research data, student records and collaborative documents under GDPR, institutional ethics frameworks and research integrity standards. Universities increasingly require AI transparency in academic work while needing tools that protect research participant confidentiality.
| Regulation / Standard | Authority | Relevance to Document Processing | DocPolish Alignment |
|---|---|---|---|
| UK GDPR — Research Provisions · DUAA 2025 · Research, Archiving and Statistical (RAS) purposes | ICO | The DUAA 2025 establishes that further processing for RAS purposes is automatically compatible with the original collection purpose, subject to appropriate safeguards including pseudonymisation. Processing must not be used to make decisions about specific individuals or cause substantial damage or distress. | Aligned — CER pseudonymisation satisfies safeguard requirements; DocPolish does not make decisions about individuals; purpose-limited to linguistic refinement only |
| Research Ethics Frameworks · UKRI / institutional ethics committees | UKRI / Universities | Research involving human participants requires ethics approval. Research documents containing participant data must be handled with appropriate confidentiality safeguards and anonymisation protocols. | Aligned — CER anonymisation protects research participant identifiers; browser-side processing prevents participant data exposure to cloud services |
| Academic Integrity Standards · QAA Quality Code · Institutional AI policies | QAA / Universities | Institutions are developing policies on acceptable AI use in academic work. A distinction is emerging between AI as a drafting tool (generally acceptable) and AI as a content generator (generally restricted). Transparency about AI use is increasingly required. | Designed for — DocPolish refines existing human-authored text rather than generating content; Trust Certificate documents the processing applied, supporting AI transparency requirements |
| HESA Data Collection · Higher Education Statistics Agency · Student data | HESA / OfS | Student data handling subject to specific collection and processing standards. Documents containing student records require appropriate safeguards. | Aligned — student identifiers anonymised via CER before cloud processing; no student data retained |
How DocPolish's processing pipeline satisfies data protection requirements at each stage.
Clinical Entity Recognition scans uploaded documents locally in the user's browser. PII including names, dates of birth, NHS numbers, account numbers, addresses and other identifiable information is detected using pattern matching and sector-specific entity rules.
Detected entities are replaced with coded placeholders before any data leaves the browser. The mapping between original values and placeholders is held exclusively in browser memory and is never transmitted or stored externally. Because that mapping exists and allows the originals to be restored, the transmitted text is pseudonymised rather than anonymised in UK GDPR terms (Article 4(5)); the protection therefore rests on the mapping never leaving the browser.
The anonymised payload is displayed for user inspection via the Payload Review modal. Users can verify entity detection, review character counts and processing metrics, and must explicitly approve before transmission. The X-Ray CER overlay enables detailed entity inspection.
Only the anonymised, approved payload is transmitted via HTTPS to the polishing engine. The cloud service receives text with coded placeholders — never original PII. Processing occurs statelessly with no data retention after response delivery.
The polished text is received back in the browser where original entities are restored from the locally-held mapping. Restoration integrity is verified — the systems panel confirms successful placeholder-to-entity restoration for every detected entity.
A Trust Certificate is generated containing a cryptographic hash of the processed document, processing metadata, entity counts, sector classification and verification status. The certificate carries no document content; a reviewer who holds the document can recompute the hash to confirm it is the one the certificate describes. This provides an auditable compliance artefact that can be presented to regulators, compliance teams or auditors.
The information on this page describes DocPolish's architectural design in relation to applicable regulatory frameworks. It does not constitute legal advice, and should not be relied upon as a substitute for professional regulatory guidance specific to your organisation's circumstances. Regulatory landscapes evolve — the frameworks referenced here reflect the position as at February 2026. Organisations operating in regulated sectors should seek independent advice on their specific compliance obligations.
DocPolish is not a regulated financial services provider, law firm, or healthcare provider. Our compliance alignment relates to data handling architecture, not the provision of regulated services.
Last reviewed: February 2026 · Next scheduled review: When material regulatory changes occur
Upload a document and watch the CER entity detection, anonymisation and Trust Certificate generation work in real time.
Try DocPolish