Your resident data stays in the UK

Data processed through Arto is hosted on AWS London infrastructure. It never leaves the UK, is never used to train AI models, and is protected by ISO 27001 certified security management. These are not policy commitments. They are technical facts about how the platform is built and operated.

Three data security commitments Arto makes by design

Commitment 1 - Data residency. Your data never leaves the UK.

Arto is hosted on AWS London (eu-west-2) infrastructure. Every data processing operation (ingestion, computation, storage, output) takes place on UK-based servers. Data does not transit through non-UK infrastructure at any stage of processing.

Commitment 2 - No model training. Your data is never used to train AI models.

Data processed through Arto workflows is used only for the purpose for which it was submitted. It is not retained for model training, benchmarking, or improvement of any AI system, whether Arto's own or any third-party provider's. The AI models used in Arto workflows are not trained on council data.

Commitment 3 - Certified security management. Arto is ISO 27001 certified.

ISO 27001 is the international standard for information security management. Arto's certification means that security controls, access management, incident response and data handling are independently audited and certified to meet this standard, not self-assessed.

What UK data residency means in practice

AWS London (region code eu-west-2) is a set of data centres physically located in the United Kingdom, operated by Amazon Web Services. When Arto states that data never leaves the UK, this means that the servers on which data is processed and stored are in AWS's London region, within UK territory, subject to UK law and the jurisdiction of UK regulators.

Physical UK hosting matters for several reasons. It means UK GDPR's international transfer restrictions do not apply, as data never crosses a border that would trigger transfer safeguards. It means the ICO has full jurisdiction over any data processed through the platform. It means there is no exposure to foreign data access laws — such as the US Cloud Act — that can, in some architectures, give foreign governments or law enforcement access to data stored on overseas servers even when that data belongs to UK organisations.

The same AWS London infrastructure is used by a large number of UK public sector organisations, including NHS trusts, central government departments and local authorities. This is not an incidental choice — it reflects the infrastructure standard that UK public sector security assessments are built around.

In short:  UK data residency means the servers are in the UK, subject to UK law, within ICO jurisdiction. Data does not transit through non-UK infrastructure. UK GDPR transfer restrictions do not apply.

What ISO 27001 certification covers

ISO 27001 certification is issued by an accredited certification body following an independent audit of an organisation's information security management system. It is not self-certification. The audit covers 114 security controls across 14 domains, and recertification requires an annual surveillance audit and a full recertification audit every three years.

For an IT security team reviewing an AI platform, ISO 27001 certification means that security controls across access management, incident response, business continuity and data handling have been independently assessed against a recognised international standard. The certification does not eliminate risk, but it provides independent evidence that the organisation's approach to managing that risk meets an established benchmark.

Domain

What ISO 27001 requires

Why it matters for council data

Access control

Formal policies and technical controls governing who can access data, systems and facilities. Role-based access, authentication requirements and privilege management.

Only authorised Arto personnel can access customer data, and only to the extent necessary for their role. Council data cannot be accessed by unauthorised parties.

Cryptography

Encryption requirements for data in transit and at rest. Key management policies and procedures.

Council data processed through Arto is encrypted in transit (TLS) and at rest. Encryption keys are managed to the standard required by ISO 27001.

Physical security

Controls over physical access to facilities housing data processing infrastructure.

AWS London data centres operate under physical security controls that meet ISO 27001 requirements, including access restrictions, surveillance and environmental controls.

Incident management

Procedures for detecting, reporting and responding to information security incidents, including breach notification timelines.

A defined incident response process exists. In the event of a security incident affecting council data, there are documented procedures for notification and response.

Supplier management

Assessment and monitoring of third-party suppliers who access or process data on behalf of the organisation.

Third-party components used in the Arto platform are subject to supplier security assessment requirements under ISO 27001.

Business continuity

Requirements for maintaining service availability and recovering from disruptions to information systems.

Business continuity controls are in place to maintain platform availability and recover data in the event of a system disruption.

ISO 27001 documentation is available to IT security teams during the formal security assessment process. If you are conducting a due diligence review of Arto and require the ISO 27001 certificate or ISMS documentation, contact the Arto team.

What happens to resident data after a workflow runs

When a workflow runs in Arto, resident data is processed to complete the specific task: a validation check, a triage analysis, a calculation. Once the workflow execution is complete, the data is not retained by Arto beyond what is required for the governance audit record. It is not stored in a pool of training data. It is not used to improve Arto's AI models. It is not shared with any third party for model improvement purposes.

The AI models that power Arto Supported Flows are not trained on council data. The models used in the platform are pre-trained on general or domain-specific datasets that do not include resident personal data. Council data flows through these models at execution time, informing the output of a specific workflow run, but it does not modify the model itself. This is the technical distinction between inference (using a model to process data) and training (using data to change a model). Arto uses models for inference only.

This position means that deploying Arto does not contribute to a shared training pool that could expose council data to third parties or cause it to surface in outputs generated for other customers. Each council's data is processed in isolation, for that council's purposes only, and is not used to benefit any other organisation's AI capability.

In short:  Resident data processed through Arto is used for the specific workflow task only. It is not retained for model training, not shared with third parties for AI improvement, and does not affect any model's behaviour for other customers.

Encryption and access control

All data transmitted between the council's systems and Arto is encrypted in transit using TLS 1.2 or above. Data is not transmitted in plain text at any point in the processing pipeline.

Data stored within the Arto platform is encrypted at rest. Encryption keys are managed in accordance with ISO 27001 key management requirements.

Access to council data within the Arto platform is restricted to authorised personnel only, managed through role-based access controls. Arto personnel do not access customer data except as required to provide contracted support, and only with appropriate authorisation. Access events are logged.

The Arto flow library audit trail screen is shown with a full product menu on the left of the screen. The audit trail screen shows all audit trails with the options to filter by passed, failed or rejected audit trails. Each audit trail is listed with time stamp, run ID, input, output, status, duration and who it was reviewed by.

Shared security responsibility: what Arto covers and what remains with the organisation

Arto is responsible for the platform itself, the infrastructure, application, encryption, access controls, incident response and ISO 27001-certified security management. Your organisation retains responsibility for user access configuration, network connections between Arto and your back-office systems, and the data scope of workflows you deploy. This is how cloud security works. Understanding where each party's responsibility lies is the basis for an accurate risk assessment.

How UK GDPR applies to AI data processing

The Arto flow library with a full product menu on the left of the screen. The flow library shows all service areas, with 16 flows detailed, and 12 shown. Each flow is listed in a box that includes flow title, service area, related government standards, status, number of runs and governance score.

Where to go from here

UK GDPR and AI data processing

How UK GDPR's legal obligations apply to AI workflows: lawful basis, DPIAs and the data residency position.

UK GDPR and AI

Getting DPO sign-off

How to use Arto's security documentation and governance certificate as part of the DPO approval process.

DPO sign-off

Request security documentation

ISO 27001 certificate, data processing agreement and security questionnaire responses for IT security teams. 

Contact us