GDPR & UK GDPR Compliance

Sovereign communications built for the world's *most powerful data protection regime.*

The General Data Protection Regulation sets the global benchmark for privacy law. SCOVR satisfies every obligation that touches communications infrastructure — structurally, not through policy alone. The same architecture covers both the EU GDPR and the UK GDPR simultaneously.

- EU & UK data residency
- Art. 28 processor contract included
- Art. 25 privacy by design — default on

- €20M / 4%: EU GDPR maximum fine for serious violations — whichever of €20 million or 4% of global annual turnover is higher
- £17.5M / 4%: UK GDPR maximum fine imposed by the ICO — the equivalent tier applies identically to UK-established organisations
- 72h: Maximum time to notify the supervisory authority following discovery of a qualifying personal data breach — Art. 33
- 8+: Data subject rights under both regimes — access, rectification, erasure, restriction, portability, objection, and more

Two regimes, one platform

The EU GDPR and UK GDPR share the same architecture — and so does the solution.

Following the departure of the United Kingdom from the European Union, the GDPR was retained as a separate instrument of UK domestic law, supplemented by the Data Protection Act 2018. The two frameworks are substantially identical — meaning a platform that satisfies one satisfies both.

EU GDPR

Regulation (EU) 2016/679

The General Data Protection Regulation applies to any organisation — anywhere in the world — that processes the personal data of individuals located in the EU. It applies from 25 May 2018 and is directly applicable in all EU member states without national implementing legislation.

Supervisory authority: Each member state has its own national data protection authority. The lead authority is determined by the organisation's main EU establishment.

Transfers: Transfers outside the EU require an adequacy decision, standard contractual clauses, binding corporate rules, or another approved mechanism under Chapter 5.

Fines: Up to €10M / 2% (lower tier) or €20M / 4% (upper tier) of total worldwide annual turnover — whichever is higher.

EU Data Act: From 12 September 2025, Regulation (EU) 2023/2854 adds cloud-switching rights and prohibits vendor lock-in in data processing contracts.

UK GDPR

UK GDPR & Data Protection Act 2018

After Brexit, the EU GDPR was retained in UK law and amended to refer to UK institutions. The Data Protection Act 2018 supplements it with UK-specific provisions. The result is a framework that mirrors the EU GDPR in substance while replacing all references to EU bodies with UK equivalents.

Supervisory authority: The Information Commissioner's Office (ICO) is the sole supervisory authority for the UK. The EDPB consistency mechanism does not apply.

Transfers: Transfers from the UK require adequacy regulations, an International Data Transfer Agreement (IDTA), or an Addendum to EU Standard Contractual Clauses.

Fines: Up to £8.7M / 2% (lower tier) or £17.5M / 4% (upper tier) of total worldwide annual turnover — applied by the ICO under the Data Protection Act 2018.

Children's data: The age of digital consent in the UK is 13 (vs. 16 in the EU by default). Organisations processing children's data must satisfy the stricter UK children's code.

Key obligations

Six articles that directly govern how you communicate.

Communications infrastructure — messaging, video, file sharing, and data hosting — touches more GDPR obligations than almost any other category of enterprise software. Each must be satisfied by the platform, not just the policy around it.

Art. 5(1)(f)

Integrity & confidentiality

Personal data must be processed with "appropriate security…including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage." Encryption is the primary technical measure that satisfies this requirement — and it must be applied to every channel carrying personal data: messages, calls, and files.

Art. 25

Privacy by design & default

Appropriate technical measures must be implemented both at the time of system design and at the time of processing. The default settings must ensure that only personal data necessary for each purpose is processed. A platform where encryption must be switched on is not compliant by default — privacy must be the factory setting.

Art. 28

Processor contracts

Every cloud provider, SaaS platform, or infrastructure provider that processes personal data on your behalf must be bound by a written contract covering: scope and purpose of processing, security requirements, sub-processor authorisation, data subject rights support, audit rights, and post-contract data handling. Verbal or implied arrangements are insufficient.

Art. 32

Security of processing

Controllers and processors must implement measures "appropriate to the risk," which the Regulation explicitly identifies as including "the encryption…of personal data" and the ability to ensure "ongoing confidentiality, integrity, availability and resilience" of systems. Certification under Article 42 may be used as evidence of compliance.

Art. 33–34

Breach notification

Qualifying breaches must be notified to the supervisory authority within 72 hours of discovery. High-risk breaches must also be communicated to affected individuals "without undue delay." The architecture of the platform determines whether a breach can occur at scale — and how quickly it can be detected and contained.

Art. 44–49

International transfers

Personal data may only be transferred to a third country if that country provides an adequate level of protection, or if appropriate safeguards are in place (SCCs, BCRs, IDTAs in the UK context). Any cloud service routed through non-adequate jurisdictions — including those subject to foreign surveillance legislation — requires specific legal analysis and safeguards.

Article-by-article mapping

How SCOVR satisfies GDPR obligations structurally.

Every key obligation relating to communications infrastructure is addressed at the platform level — before any policy document is drafted.

| Article | GDPR requirement | SCOVR architectural response | Status |
|---|---|---|---|
| Art. 5(1)(c) | Data minimisation | No metadata analytics, behavioural profiling, or content scanning. Processing is limited to what is technically necessary to deliver message routing. No data collected for product improvement on your deployment. | ✓ Met |
| Art. 5(1)(f) | Integrity & confidentiality | End-to-end encryption is the default state on every channel — messages, files, voice, and video. No server operator can access plaintext content. The Rust-based cryptographic implementation is independently auditable. | ✓ Met |
| Art. 25 | Privacy by design & default | Encryption and minimum data collection are enabled automatically. No configuration is required to reach the highest privacy level. Privacy is the architecture, not a setting. | ✓ Met |
| Art. 28 | Processor contract | A full Data Processing Agreement satisfying all Art. 28(3) requirements is included with every deployment: scope, security measures, sub-processor list, audit rights, and post-contract data handling obligations. | ✓ Met |
| Art. 30 | Records of processing activities | The platform generates a full, immutable, exportable audit log of all access events, message delivery records, and administrative actions. This log constitutes the processing register required under Art. 30. | ✓ Met |
| Art. 32 | Security of processing | E2EE (pseudonymisation + encryption), self-hosted resilience, role-based access control, and ISO 27001 certification. The open standard codebase enables independent security assessment under Art. 32(3). | ✓ Met |
| Art. 33–34 | Breach notification | The isolated, self-hosted architecture eliminates multi-tenant breach risk. Built-in monitoring and alerting support rapid detection. Pre-formatted 72-hour notification documentation is provided for supervisory authority reporting. | ✓ Met |
| Art. 35 | Data Protection Impact Assessment | A pre-built DPIA documentation package covering all data flows, encryption mechanisms, access controls, and residual risks is included with deployment. The open codebase allows independent third-party DPIAs without vendor involvement. | Supported |
| Art. 44–46 | International transfer controls | All data is stored on servers within your designated jurisdiction. No traffic is routed through non-adequate third countries. The federated architecture allows cross-organisation communication without creating international transfers. | ✓ Met |
| Art. 15–22 | Data subject rights | All data resides within your controlled infrastructure. Access, rectification, erasure, portability, and restriction can all be executed operationally — without submitting requests to a third-party vendor or waiting for their response. | ✓ Met |

UK GDPR — specific requirements

Post-Brexit obligations for UK-established organisations.

The UK GDPR applies to any organisation established in the UK, or any organisation outside the UK that processes personal data of individuals in the UK in connection with offering goods or services to them or monitoring their behaviour. The framework is enforced exclusively by the ICO.

The most significant practical difference from the EU GDPR concerns international data transfers. Organisations transferring personal data out of the UK may no longer rely on EU Standard Contractual Clauses alone — they must use the International Data Transfer Agreement (IDTA) or an Addendum to the EU SCCs, both published by the ICO.

The Data Protection Act 2018 supplements the UK GDPR in several important areas: it expands lawful bases for processing for public interest and democratic purposes, sets the age of digital consent at 13, and provides specific conditions for processing special categories of data — including through the schedules that replace the more general approach in Article 9 of the EU GDPR.

ICO enforcement is active and substantial. The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover, conduct compulsory audits, issue enforcement notices, and pursue criminal prosecution under the Computer Misuse Act 1990 and the Privacy and Electronic Communications Regulations. Regulatory action is increasingly focussed on technical security failures — including inadequate encryption and unauthorised access — rather than purely procedural violations.

UK GDPR — SCOVR compliance features

UK data residency

All data can be hosted within the United Kingdom on SCOVR's sovereign infrastructure. No personal data of UK individuals is transferred to non-adequate third countries — satisfying the IDTA and adequacy requirements for outbound transfers.

IDTA-compatible Data Processing Agreement

The processor contract provided with every UK deployment is aligned with the International Data Transfer Agreement requirements — covering the same obligations as an EU SCCs Addendum for UK-to-third-country transfer scenarios.

ICO-format breach notification support

Pre-formatted breach notification documentation is aligned with the ICO's published reporting template and the 72-hour notification window. Incident response playbooks are included with every deployment.

Children's data safeguards

For organisations operating in education, consumer, or youth-facing sectors, additional controls at the access and room level enforce the data minimisation and processing restrictions required under the UK children's code and DPA 2018 Section 9.

Cyber Essentials Plus accreditation

The platform holds Cyber Essentials Plus accreditation — the UK government's certification scheme for technical security controls — in addition to ISO 27001 certification, providing dual assurance recognised by the ICO and public sector procurement.

Sovereign communications

Every communications channel — satisfying GDPR by design.

Messaging, video conferencing, file sharing, and data hosting each carry distinct GDPR obligations. The architecture addresses all four simultaneously.

Secure messaging

Every message is encrypted end-to-end before leaving the sender's device. No server — including SCOVR's own infrastructure — can read the content. Delivery receipts, read receipts, and thread metadata are minimised. Art. 5(1)(f) and Art. 32 are satisfied by the protocol, not by configuration.

Applies: Art. 5, 25, 28, 32

Video conferencing

Voice and video calls are encrypted with the same E2EE architecture as text messages. No call content is recorded or retained on third-party servers without explicit administrative configuration. No recording is shared with external parties or used for AI model training. Screen sharing operates within the same encrypted session.

Applies: Art. 5, 25, 32, 33

File sharing

Files shared within SCOVR are encrypted in transit and at rest. Files are stored only on your own sovereign infrastructure — not on shared cloud storage services subject to foreign surveillance legislation. Access controls at the room level ensure only authorised recipients can retrieve files. The open standard means file formats are never proprietary.

Applies: Art. 5, 28, 32, 44

Data hosting

All data — messages, files, user profiles, call records, and audit logs — is hosted on servers physically located in the jurisdiction you designate. No data passes through multi-tenant infrastructure shared with other organisations. No third-country transfer occurs unless explicitly and specifically configured with appropriate safeguards.

Applies: Art. 28, 30, 44–46

Why the open standard backbone

The protocol architecture is the compliance argument.

Most enterprise communications platforms are built on proprietary protocols — closed, opaque, and controlled entirely by a single vendor. From a GDPR perspective, this creates structural problems that no Data Processing Agreement can fully resolve: you cannot independently verify what data is being processed, you cannot audit the security implementation, and you cannot guarantee that a future product decision by the vendor will not create a compliance breach.

The open standard protocol on which SCOVR is built was designed by a non-profit foundation specifically to solve this problem. The protocol specification is published, the cryptographic implementation is open source, and any technically competent authority — including a supervisory authority — can audit every processing activity without vendor cooperation.

Decentralised federation means organisations can communicate with external parties — including cross-border partners — without creating an international data transfer in the legal sense. Messages between two federated servers in the same jurisdiction never leave that jurisdiction. This is architecturally different from routing messages through a US-headquartered cloud service, where even intra-EU traffic may be subject to foreign surveillance law.

EU Data Act (Regulation 2023/2854) — applicable from 12 September 2025

The EU Data Act prohibits contractual clauses that restrict cloud switching and requires providers to make data portable in structured, machine-readable formats. Because SCOVR is built on an open standard, migration is a native capability: organisations can switch providers, self-host, or federate with another deployment at any time — without permission, without penalty, and without data loss. No switching charges apply. The open format requirement of Art. 24 is satisfied by the protocol itself.

Open standard architecture — GDPR advantages

Independently auditable — Art. 32

The entire cryptographic stack — including the Rust-based E2EE implementation — is open source and independently auditable. Supervisory authorities, DPOs, and third-party security assessors can verify every claim without vendor cooperation. No black-box components that resist audit.

Federation eliminates transfer risk — Art. 44

Two organisations in the same jurisdiction can communicate via federated servers that never transfer data internationally. A law firm in London communicating with a client using a separate sovereign deployment creates no international transfer. The interoperability is structural, not contractual.

No vendor lock-in — EU Data Act / Art. 28(3)(g)

Data can be exported in open formats at any time. The organisation retains full ownership of its data — the processor contract obligation to return or delete data on termination is a technical capability of the platform, not just a contractual obligation.

No profiling or behavioural analysis — Art. 5(1)(c)

The platform performs no automated profiling of users, no sentiment analysis on messages, and no engagement scoring. Data collection is limited to what is technically necessary for routing and delivery. There is no incentive to collect more — the business model does not depend on data monetisation.

ISO 27001 certification — Art. 42

Certification to ISO/IEC 27001:2022 serves as evidence of compliance with the security requirements of Art. 32 under the certification mechanism of Art. 42. Cyber Essentials Plus (UK) provides additional assurance recognised by the ICO and public sector procurement bodies.

Up to 20,000× faster than legacy platforms

The current generation of the platform, built on Sliding Sync technology, is engineered for speed without compromising security. Performance at scale means encryption does not come at the cost of usability — a critical factor in ensuring that privacy by design does not reduce adoption.

Full compliance coverage

Every GDPR obligation addressed before deployment begins.

Documentation, contracts, and architectural features are bundled with every deployment — no additional procurement, no external consultants needed for the standard compliance requirements.

EU GDPR — Art. 25

Privacy by design, out of the box

End-to-end encryption is enabled on every channel by default — messages, voice, video, and files. No administrator action is required to reach the highest protection level. The Art. 25(2) data minimisation default is satisfied by the protocol: only data necessary for routing and delivery is collected.

EU & UK — Art. 28

Data Processing Agreement included

A written Data Processing Agreement satisfying all requirements of Art. 28(3) is provided with every deployment — covering processing scope, security obligations, the full sub-processor list, audit rights, data subject rights assistance, and post-contract data deletion or return.

EU & UK — Art. 32

ISO 27001 + Cyber Essentials Plus

Platform security is certified to ISO/IEC 27001:2022 (EU and UK recognition) and Cyber Essentials Plus (UK government scheme). These certifications serve as evidence of Art. 32 compliance under the Art. 42 certification mechanism — reducing the burden of due diligence for your legal and procurement teams.

EU & UK — Art. 33–34

Breach notification infrastructure

Pre-built incident response documentation, breach notification templates aligned with both supervisory authority reporting formats (EDPB / ICO), and built-in anomaly monitoring. The isolated architecture significantly reduces the probability of a large-scale breach, and the self-hosted deployment gives you direct control over the investigation.

EU Data Act — Art. 23–29

No vendor lock-in — cloud switching

Migration is a native capability of the open standard architecture. Data exports in structured, machine-readable formats are available at any time. No switching charges apply. Organisations can move to a different provider, self-host, or federate — without permission, penalty, or data loss — satisfying the EU Data Act cloud-switching obligations from day one.

Open standard

Independently auditable protocol

The protocol specification is published and maintained by an independent non-profit foundation. The cryptographic implementation is open source. Any technically competent authority — including national data protection authorities — can audit all processing activities without vendor cooperation. There are no proprietary black-box components.

Questions

Frequently asked.

Specific answers to the GDPR and UK GDPR questions DPOs, legal teams, and IT security leads ask most often.

Does SCOVR qualify as a GDPR-compliant data processor?

Yes. A written Data Processing Agreement satisfying all requirements of Article 28(3) is included with every deployment. The agreement covers: the subject matter, duration, nature and purpose of processing; the type of personal data and categories of data subjects; and all obligations and rights of the controller. A full sub-processor list, audit rights provision, and data deletion clause are included as standard — not available on request.

How does SCOVR satisfy the security requirements of Article 32?

Article 32 explicitly identifies encryption and pseudonymisation as appropriate technical measures. SCOVR implements end-to-end encryption by default on every channel — messages, calls, and file transfers — using a Rust-based cryptographic implementation that is open source and independently auditable. The self-hosted architecture ensures ongoing confidentiality, integrity, availability, and resilience of processing systems. ISO/IEC 27001:2022 certification provides evidence of compliance with Art. 32 under the certification mechanism of Art. 42. Cyber Essentials Plus certification provides additional UK assurance.

How does the platform handle international data transfers under Art. 44–46?

All data is stored on servers physically located in the jurisdiction you designate — by default, the EU or UK as applicable to your deployment. No traffic is routed through third-country infrastructure. The federated architecture allows cross-organisation communication without creating international data transfers in the legal sense: two EU-based servers communicate with each other, and the data never leaves the EU. For organisations that need to communicate with counterparts in non-adequate countries, the platform supports configurable server-to-server encryption and explicit transfer documentation.

What is the difference between GDPR and UK GDPR for SCOVR deployments?

The two frameworks are structurally identical. The principal practical differences for a SCOVR deployment are: (1) UK deployments use the ICO as the supervisory authority rather than an EU national DPA; (2) UK-to-third-country transfers require an IDTA or an Addendum to EU SCCs rather than EU SCCs alone; (3) the UK children's data age threshold is 13 rather than 16. All three differences are addressed in the UK-specific variant of the Data Processing Agreement and in the deployment configuration options. EU and UK deployments can run in parallel under the same platform architecture, with data stored separately in each jurisdiction.

How does SCOVR fulfil data subject access requests under Article 15?

Because all data resides within your own controlled infrastructure, access requests under Art. 15 (and the equivalent UK GDPR provision) can be fulfilled directly by your administrators — without submitting a request to SCOVR and waiting for a vendor response. Administrative tools allow operators to locate, review, and export all personal data for a specific user across all channels and rooms. Erasure requests under Art. 17 are executed definitively — the data exists in one place, and deletion does not depend on a multi-tenant platform's deletion workflows affecting thousands of other customers.

Does the EU Data Act require any changes to how we use SCOVR?

No. The EU Data Act (Regulation 2023/2854, applicable from 12 September 2025) primarily targets cloud providers that impose vendor lock-in and restrict data portability. Because SCOVR is built on an open standard protocol, cloud switching is a native capability: data can be exported at any time in open formats, migration to a different provider or self-hosted deployment requires no permission, and no switching charges are imposed. The Data Act's prohibition on restrictive contractual clauses (Art. 25) and requirement for structured data portability (Art. 24) are satisfied by the architecture — not by a future product update.

Demonstrate GDPR compliance before day one.

Book a private briefing with our compliance team. We will review your current communications infrastructure against the specific requirements of the EU GDPR and UK GDPR and design a deployment that satisfies them structurally — not through policy alone.
