ConstructEther is architected against the standards Tier-1 contractors, RICS-regulated firms and UK public bodies require — designed-in from day one. Core certifications are sequenced against our enterprise rollout: foundation now, certified through 2027, mature through 2028. Founding Partners shape the priority.
Statutory data protection. ICO-registered today.
Golden Thread architecture for HRB work, day one.
Information security management. Certification through pilot.
UK Government baseline. Assessment scheduled.
Workflows fit for use by RICS-regulated firms.
DSIT cyber security code for AI, mapped today.
Trust Services Criteria. AICPA-aligned attestation.
AI management system. Emerging standard.
Tier-1 contractors face procurement, security and regulatory scrutiny that consumer AI tools were never designed for. Public sector frameworks demand it. The Building Safety Act mandates it. Your insurers expect it. We've built the architecture for it from day one — and we certify on the timeline that matches our enterprise rollout.
Enterprise procurement teams will ask for ISO 27001, Cyber Essentials, GDPR posture, sub-processor lists, DPIA registers and incident response plans. We have working answers today, and certified answers landing through 2027 — sequenced against our enterprise pursuit, not promised ahead of it.
The Building Safety Act 2022 makes the Golden Thread non-negotiable for higher-risk buildings. Our document architecture is immutable, versioned, hashed and traceable from day one — not retrofitted. This is the only compliance posture that's live and audit-ready today.
Every AI call is logged with the prompt, the output, the model, the user and the human approval state. RICS-regulated work needs an audit trail; ConstructEther was built for it from the start — and the trail exists today, regardless of which certifications land when.
Every claim below is documented in our Trust & Compliance pack, available under NDA to qualified enterprise prospects, partners and procurement teams. Where a certification is targeted, the date is when independent assessment completes — not when control design begins.
Full compliance with UK GDPR, the Data Protection Act 2018 and EU GDPR for tenants operating in the European Economic Area. Live and operational from day one.
For higher-risk buildings, the Building Safety Act mandates a continuous, accurate, accessible record of design and construction information. ConstructEther's document layer was engineered for this from day one — live and operational today.
Our Information Security Management System (ISMS) is designed to the 2022 revision of ISO 27001, mapped against all 93 Annex A controls. Stage 2 certification audit targeted to complete at full launch.
Cyber Essentials Plus is the UK Government's certified baseline for cyber hygiene and an effective requirement for many public sector frameworks. Independent assessment scheduled to complete in line with full launch.
ConstructEther's commercial workflows are designed to be fit for use by RICS-regulated quantity surveyors and cost consultants. RICS regulates members and firms; the platform is engineered to support that regulation, not replace it.
Aligned with the UK Government's Code of Practice for the Cyber Security of AI, published by the Department for Science, Innovation and Technology — and the broader principles of pro-innovation, accountable AI.
SOC 2 is the de-facto standard for North American enterprise procurement and increasingly expected by UK Tier-1s. Type I attestation targeted at full launch (Q1 2027). Type II observation window completes Q3 2027.
ISO/IEC 42001 is the world's first international management system standard for artificial intelligence. We are tracking it for adoption through 2028 — and our existing AI governance already maps to its core controls.
Standards are the surface. These are the controls that make them real — the same controls your security and risk teams will assess line by line. All live today, regardless of which certifications land when.
Enterprise SSO and MFA across all access. Tenant-isolated identity boundaries. Role, department, AI-task and override permissions. Least privilege by default.
Immutable audit trail covering every AI call, data write and approval action. Every prompt, every output, every reviewer — logged, hashed and retained.
UK-only or EU-only configurable per tenant. No data egress beyond the chosen region. Foundation model inference routed through region-locked gateways.
Logical isolation at every layer: identity, application, data and AI orchestration. One tenant's data, prompts and outputs are never reachable from another.
Documented AI threat model. Prompt injection defences. Material output flagging. Mandatory human approval for billable and safety-relevant outputs.
Defined RTO and RPO targets. 24/7 alerting on security events. Customer notification SLAs aligned with UK GDPR Article 33 statutory timelines.
We sequence certifications against actual enterprise rollout, not vanity. The phases below run alongside our product milestones — foundation now, core certifications at full launch (Q1 2027), maturity through 2028. Founding Partners shape which certifications come first.
UK GDPR compliant, ICO-registered. Building Safety Act Golden Thread architecture operational. ISMS designed to ISO 27001:2022 across all 93 Annex A controls. RICS workflow alignment in place. UK AI Code of Practice mapped.
Cyber Essentials Plus assessment scheduled. ISO 27001 Stage 1 audit. Founding Partner DPAs signed and customer-publishable. Sub-processor register made public. AI threat model independently reviewed.
Cyber Essentials Plus certified. ISO 27001:2022 Stage 2 certification audit complete. SOC 2 Type I attestation issued. First independent penetration test report published under NDA. Enterprise procurement posture operational.
Minimum 6-month operating-effectiveness window observed. Type II report issued and made available under NDA. Annual independent assessment cycle established. Tier-1 enterprise procurement posture fully validated.
AI Management System formally assessed against the ISO 42001:2023 standard. Certification pursued as the body of accredited certifiers matures. Compliance posture leading, not following, the industry.
Straight answer: today we are compliant with statutory frameworks (UK GDPR, BSA Golden Thread requirements) and aligned with the major certifiable standards (ISO 27001, Cyber Essentials Plus, RICS, DSIT AI Code). Core certifications — ISO 27001:2022, Cyber Essentials Plus, SOC 2 Type I — complete by full launch in Q1 2027. SOC 2 Type II observation completes Q3 2027. We sequence certifications against actual enterprise rollout rather than promising ahead of it; for organisations that need a SOC 2 Type II report on file today, we are not yet that vendor. For organisations onboarding through 2026-2027, we will be ready when you need us.
UK-only and EU-only data residency are configurable per tenant. Once a residency setting is locked, data is not transferred outside the chosen region — including for AI inference, which is routed through a region-locked gateway. This is live and operational today, not on the roadmap.
No. Tenant data is not used to train foundation models. We use AI inference only, with contractual restrictions in place with our model providers. Data retention for inference is bounded and customer-configurable. This is the operating model from day one.
Yes. We maintain a customer-publishable sub-processor register and provide 30-day notice on material changes. The register is shared as part of our standard Trust & Compliance pack, available under NDA today.
Yes to both. We have a standard Data Processing Agreement aligned with UK GDPR Article 28 requirements. Our DPIA register is feature-level and per-tenant; a tailored DPIA can be issued for in-scope processing. Founding Partner DPAs are signed by the beta phase.
Our document layer is immutable, versioned and hash-verified by design — live today. Every change is auditable, indexed against the project model, and retrievable by Accountable Persons. Designed to meet the information requirements of the Building Safety Regulator for higher-risk buildings. This is one of the few areas of the compliance stack that is operational and audit-ready from day one, not on a certification roadmap.
We have a documented incident response plan with defined severity levels, RTO and RPO targets, and 24/7 alerting on security events. Customer notification SLAs are aligned with UK GDPR Article 33 statutory timelines (within 72 hours of becoming aware of a notifiable breach).
Yes. Independent penetration testing is performed on a defined cadence by a CREST-accredited tester, with the first full report issued at full launch (Q1 2027) and annually thereafter. Executive summaries are shared under NDA; full reports are shared with qualified enterprise customers under enhanced NDA.
Every AI-influenced deliverable carries a client AI disclosure surface and material outputs are marked for RICS-billable-service treatment. This is aligned with RICS guidance on professional use of AI and is operational today.
Available under NDA to qualified enterprise prospects, partners and procurement teams. We share what your security and risk teams actually need — including the trajectory, with dated milestones — so you can decide whether our timeline matches yours.
A note on language. Where we say "compliant" we mean we meet the relevant statutory obligations today. Where we say "aligned" or "designed-in" we mean controls have been designed and implemented to meet a standard's requirements but independent certification has not yet been issued. Where we say "certified" we will only do so once a UKAS-accredited or equivalent body has issued a certificate; targeted dates reference completion of the independent assessment. RICS regulates members and firms; ConstructEther is engineered to be fit for use by RICS-regulated firms and does not itself hold RICS regulation. ConstructEther Ltd is an independent UK limited company (Company No. 17074549), registered at 4 The Rise, Thornton Le Dale, Pickering, YO18 7TG.