UK and EU GDPR
The UK GDPR and the EU GDPR govern how personal data is processed, stored, transferred and audited, and they place the heaviest burden on organisations that hand personal data to a third party. Mickai removes the third party entirely: every record is processed by the sovereign brains on hardware you own, fully offline, so your organisation stays the sole controller and there is no processor in the chain. Because the data physically cannot leave the building, the obligations that a shared cloud strains to meet (data residency, minimisation, the right to erasure and a complete record of processing) are enforced by construction and sealed to a post-quantum Open Audit Record.
The GDPR's sharpest exposures all follow from moving personal data off your own infrastructure. The moment records pass to a cloud AI service you take on a processor relationship under Article 28, cross-border transfer obligations under Chapter V, and the risk that the same model learns from your data on behalf of another customer. Data-minimisation and storage-limitation duties under Article 5 are hard to evidence when copies sit in a vendor tenancy you cannot inspect, and the right to erasure under Article 17 is only as good as the vendor's word that every replica was deleted. Article 30 requires a complete record of processing activities, and Article 33 gives you 72 hours to report a breach you may not even detect inside someone else's environment. Mickai keeps every record, every model and every audit entry on hardware you own, so your organisation remains the sole controller, there is no international transfer to legitimise, and erasure is a local act you can prove. Each processing decision is sealed to an immutable Open Audit Record that satisfies the Article 30 duty by default and gives a supervisory authority a tamper-evident trail on demand.
The 7 obligations this framework imposes, each met by construction on hardware you own and mapped to the subsystem that enforces it.
Sole Controller, No Third-Party Processor
Because the sovereign brains run inside your own perimeter, no personal data is ever handed to an external AI service, so there is no processor to contract with, audit or trust under Article 28. Your organisation remains the sole controller of every record, and there is no shared model learning from your data on behalf of another customer. This collapses the largest single source of GDPR exposure that cloud AI introduces. The arrangement is enforced by architecture rather than by a data-processing agreement.
Data Residency and No Cross-Border Transfer
Personal data is processed and stored entirely on hardware you own in the location you choose, so there is no international transfer to legitimise under Chapter V and no adequacy or standard-contractual-clause analysis to maintain. Records never traverse a jurisdiction or a vendor region, which removes the transfer-impact-assessment burden that shared cloud platforms create. Residency becomes a physical fact rather than a contractual promise. The location of every record is provable and sealed to the audit trail.
Data Minimisation and Storage Limitation
Mickai processes only the fields required for each task and enforces retention windows against your own policy, all on owned hardware, so there are no shadow copies sitting in a cloud tenancy you cannot inspect. This supports the Article 5 minimisation and storage-limitation principles by keeping the full data lifecycle inside your control. Retention rules are expressed as signed policy and applied before any processing occurs. Nothing is retained beyond the period your governance sets.
Right to Erasure and Rectification
Because all personal data lives on hardware you own, an erasure or rectification request under Articles 16 and 17 is executed locally and confirmed against your own systems, with no reliance on a vendor deleting every hidden replica. The action itself is written to the Open Audit Record, so you hold cryptographic evidence that the record was removed or corrected. This turns the right to erasure from a trust exercise into a demonstrable fact. Data subjects receive a defensible response backed by a sealed entry.
Record of Processing Activities
Every processing action the brains take is sealed to a post-quantum Open Audit Record with the inputs, the purpose and the actor that authorised it, which meets the Article 30 requirement for a complete record of processing activities by default. The trail is tamper-evident and reproducible, so a supervisory authority can inspect exactly what was processed, when and on whose authority. There is no separate register to maintain by hand. The record is generated as a by-product of the work itself.
Automated Decision Transparency (Article 22)
Where the brains make or inform a decision that produces a legal or similarly significant effect, Mickai records the features, the reasoning and the model version that produced it, so you can meet the Article 22 duty to explain automated decisioning and provide meaningful information about the logic involved. The explanation is sealed to the audit record and reproducible for a data subject or a regulator. Human-in-the-loop gates can be set on any decision class your governance requires. The basis for every automated outcome is evidenced rather than opaque.
Breach Surface Reduction and 72-Hour Reporting
By removing the network egress path and the multi-tenant processor, Mickai eliminates the classes of breach that arise from data sitting in a shared cloud, which materially reduces the surface a supervisory authority assesses under Article 33. Any incident is contained within your own perimeter, and the sealed audit trail evidences exactly what was accessed and when to support the 72-hour reporting duty. There is no vendor environment you cannot see into. Containment and evidence are both local and provable.
The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.
The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.
You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.
The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.
Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.
After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.
There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.
You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.
How does an on-premise AI operating system satisfy the GDPR by construction?
Because Mickai runs entirely on hardware your organisation owns, fully offline, personal data is never handed to a third party, so your organisation remains the sole controller with no processor in the chain. There is no cross-border transfer to legitimise, minimisation and retention are enforced locally, and every processing action is sealed to a post-quantum Open Audit Record. The obligations that a shared cloud strains to meet are enforced by architecture rather than by a vendor contract.
Does Mickai act as a data processor under Article 28?
No. Mickai is a Sovereign Intelligence Operating System that runs on your own hardware, so there is no external service processing your data and therefore no Article 28 processor relationship to contract, audit or trust. Your organisation stays the sole controller of every record. This removes the single largest source of GDPR exposure that cloud AI introduces.
How is the right to erasure handled when there is no cloud copy?
Because all personal data lives on hardware you own, an Article 17 erasure request is executed locally and confirmed against your own systems, with no reliance on a vendor deleting hidden replicas. The erasure action itself is written to the Open Audit Record, so you hold cryptographic evidence that the record was removed. Erasure becomes a provable local act rather than a trust exercise.
How does Mickai meet the Article 30 record-of-processing duty?
Every processing action is sealed to a post-quantum Open Audit Record with its inputs, purpose and authorising actor, which satisfies the Article 30 requirement for a complete record of processing activities as a by-product of the work. The trail is tamper-evident and reproducible, so a supervisory authority can inspect exactly what was processed and on whose authority. There is no separate register to maintain by hand.
What about international data transfer rules under Chapter V?
There is nothing to transfer. Personal data is processed and stored on hardware you own in the location you choose, so Chapter V never engages and there is no adequacy assessment or standard contractual clause to maintain. Residency is a physical fact rather than a contractual promise, and the location of every record is sealed to the audit trail.
Is Mickai a competitor to the public cloud for GDPR workloads?
No. The public cloud remains valuable for non-regulated work. Mickai is the answer specifically for the regulated-data boundary, where personal data cannot safely sit in a shared, multi-tenant environment. The distinction is architectural, not an attack on any provider, and it is built on 104 filed UK patent applications covering approximately 2,340 claims, owned by Mickai LTD.