Security & Compliance
EchoDepth is built for enterprise deployment under UK GDPR, ICO and sector-specific regulatory frameworks.
UK GDPR Compliant
All EchoDepth deployments operate under UK GDPR frameworks. Data processing agreements available for all enterprise deployments.
ICO Registered
Cavefish is registered with the Information Commissioner's Office. ICO registration: ZB915633.
Consent-First Architecture
All EchoDepth deployments require explicit informed consent from data subjects. Consent frameworks are deployment-specific and documented.
Data Minimisation
EchoDepth processes only the data required for the specified analytical purpose. Raw biometric data is not retained beyond the processing window.
Audit Trail
All EchoDepth analysis sessions produce a full, auditable processing log for governance and compliance reporting.
Sector-Specific Governance
EchoDepth deployments in regulated sectors (defence, financial services, HR) include sector-specific governance documentation.
Compliance Documentation
Full compliance documentation, DPIAs and consent frameworks are available for all enterprise deployments. Contact us to request documentation for your specific context.
Common questions
Is EchoDepth GDPR compliant?
Yes. Cavefish operates under UK GDPR and is ICO registered (ZB915633). All EchoDepth deployments require explicit informed consent from data subjects. A Data Processing Agreement is provided for every enterprise deployment.
Where is EchoDepth data processed and stored?
EchoDepth processes data within UK/EU infrastructure. Raw biometric data is not retained beyond the analysis processing window. Organisations can request on-premise deployment for regulated environments where data cannot leave their infrastructure.
What compliance documentation does Cavefish provide?
Cavefish provides a full compliance pack for enterprise deployments including: Data Processing Agreement (DPA), Data Protection Impact Assessment (DPIA), consent framework templates, sector-specific governance documentation, and ICO registration evidence (ZB915633).
EchoDepth Security Architecture
EchoDepth is designed for regulated environments. The security architecture reflects the requirements of financial services, defence and healthcare deployments — not the minimum viable compliance position.
UK data centres by default. EU residency available on request. On-premise Docker deployment for air-gap and SCIF environments.
Facial Action Unit vectors and vocal processing data are discarded after the analysis window closes. Zero raw biometric retention. Derived outputs only.
TLS 1.3 in transit. AES-256 at rest. Enterprise deployments can include dedicated tenant isolation.
API key for server-to-server. OAuth 2.0 for user-facing integrations. All API calls logged with full audit trail.
Role-based access for enterprise accounts. Outputs are accessible only to parties specified in the Data Processing Agreement.
Full on-premise deployment via Docker for zero-egress environments. SCIF-compatible configurations available on request.