Data Governance
Last updated: 1 April 2026 | Brightstate.ai, Scotland
Our Commitment to Responsible AI
Brightstate.ai is built specifically for public sector procurement contexts, where accountability, transparency, and human oversight are not optional — they are essential. This page explains how we govern the AI at the heart of our platform.
Human-in-the-Loop by Design
All AI-generated analysis produced by Brightstate.ai is treated as decision support, not decision-making. Our platform is designed so that:
- A qualified human reviews all AI outputs before any action is taken
- Users can override, reject, or escalate any AI recommendation at any time
- No automated decisions with legal or significant operational effect are made without human confirmation
This aligns with the Scottish AI Playbook's emphasis on meaningful human control and the UK Government's AI Principle of accountability.
What Goes Into the AI
We apply strict input controls:
- No personally identifiable information (PII) is submitted to AI processing layers
- Procurement documents are pseudonymised before analysis — organisation names, individual names, and identifiers are removed or substituted
- Users are advised not to paste raw personal data into analysis fields; input validation is in place to support this
Alignment With Standards and Frameworks
| Framework | Status |
|---|---|
| Scottish AI Playbook | Aligned |
| Scottish AI Register (model cards) | Prepared and ready for submission |
| UK AI 5 Principles (CDEI) | Aligned |
| Cyber Essentials | Certification in progress |
| ICO Registration | In progress |
Bias audits are planned as part of our model review cycle. We will publish results on this page as they become available.
Our Data Processors
We use a small number of trusted third-party processors to operate the platform:
- Cloudflare — network security, DDoS protection, and content delivery
- Google Workspace — internal communications and document management
All processors are contractually bound to handle data in accordance with UK GDPR. We do not use processors located outside the UK/EEA without appropriate safeguards in place.
Security Measures
- All data in transit is encrypted using TLS 1.2 or higher
- HSTS (HTTP Strict Transport Security) is enforced across the platform
- Access to backend systems is role-restricted and logged
- Security practices are reviewed regularly and will be independently assessed as part of our Cyber Essentials certification process
Questions and Transparency Requests
Public sector organisations with due diligence requirements are welcome to contact us directly.
We are committed to responding to transparency and information governance queries within 10 working days.