UK GDPR & Technical Governance

1. Corporate Identity

AELION Digital Ltd
UK Registration Number: 16977334
Registered Office: 128 City Road, London, EC1V 2NX
UK Governance Line: +44 20 3769 4457

AELION Digital Ltd is registered in England and Wales. The registered office on record is 128 City Road, London, United Kingdom, EC1V 2NX. (Find and Update Company Information)

For UK data protection matters, the relevant supervisory authority is the Information Commissioner’s Office (ICO). The UK governance position is structured against the UK GDPR and the Data Protection Act 2018. (ICO)

2. Technical Integrity

Security is treated as an Article 32 discipline. The standard is not decorative. It is the implementation of appropriate technical and organisational measures proportionate to risk, system exposure, and processing profile. (ICO)

The control framework is structured against ISO/IEC 27001:2022 for information security management and ISO/IEC 27701 for privacy information management. These standards are used here as governance references for control design, audit discipline, and accountability.

Data in transit is protected by TLS 1.3.
Data at rest is protected by AES-256.

Encryption is treated as a primary safeguard for confidentiality and integrity, not as an optional enhancement. The ICO’s current guidance is explicit that encryption forms part of compliance with the security principle where appropriate to the risk. (ICO)

3. Access Governance

Access is controlled on a least-privilege basis.

Multi-Factor Authentication (MFA) is enforced for administrative access, control-plane access, cloud consoles, identity providers, and operational tooling connected to partner environments.

Privileged Access Management (PAM) is applied to elevated credentials, production access, infrastructure changes, secrets access, and sensitive support intervention.

Standing privileged access is avoided where temporary elevation, approval controls, session logging, or role-scoped access can be enforced instead.

The ICO’s security guidance is clear that access control is part of the technical and organisational measures required to protect confidentiality and integrity. Weak access design is not a documentation issue. It is a control failure. (ICO)

4. Processing Security

The processing environment is governed through layered controls:

  • identity-bound access
  • encrypted transmission
  • encrypted storage
  • environment segregation
  • logging and administrative traceability
  • credential discipline
  • backup and recovery controls
  • change control for production-impacting actions

The UK GDPR security principle requires ongoing integrity, availability, and resilience of processing systems and services. That obligation extends to processors as well as controllers. (ICO)

5. Cross-Border Bridge

The London-Dubai-Casablanca operating model is governed as a controlled international transfer architecture.

Where Personal Data originating under the UK GDPR is accessed, hosted, reviewed, supported, or otherwise made available outside the United Kingdom, transfer controls are documented before the transfer path is activated.

For restricted transfers from the UK, the legal transfer mechanism is not left to assumption. The valid UK safeguard is the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. The ICO is explicit on this point: the EU SCCs are not valid on their own for restricted transfers under the UK GDPR. (ICO)

For that reason, the London-Dubai-Casablanca bridge is governed through:

  • contractual transfer controls
  • jurisdiction-specific Transfer Impact Assessments (TIAs)
  • importer due diligence
  • access limitation by role and function
  • documented security controls at destination
  • onward transfer review where subprocessors or cloud dependencies are involved

The TIA function is used to test whether the legal and practical environment of the destination country permits the transfer mechanism to operate as intended. If the answer is inadequate, supplementary measures or architectural restriction follow. (ICO)

6. Governance Method

This page is not a retail privacy statement.

It defines the technical governance position used for enterprise delivery, partner deployments, controlled support access, and cross-border operational intelligence.

The governing test is technical integrity:

  • whether the system is access-governed
  • whether transfer routes are legally supportable
  • whether encryption is correctly applied
  • whether auditability exists
  • whether privileged access is controlled
  • whether the deployment can withstand procurement review

That is the standard applied.

7. Physical Nexus

AELION Digital Ltd
128 City Road
London
EC1V 2NX
United Kingdom

Verified UK Governance Line: +44 20 3769 4457

The registered office address is reflected on the UK public company record for AELION Digital Ltd, company number 16977334. (Find and Update Company Information)