Built for UK public sector. Not adapted for it.

Arto is powered by Invotra, part of the INV Group, a group with over 20 years of public sector digital experience and more than 120 public sector organisations in its portfolio. The governance architecture in Arto was not engineered by AI specialists who then learned about public sector constraints. It was built by people who spent two decades working inside those constraints.

20+ years in public sector digital

Invotra and the INV Group have worked in UK public sector digital since 2012. The governance architecture in Arto is grounded in that experience.

120+ public sector organisations

councils, NHS trusts and central government bodies have worked with the INV Group. Arto was built with the benefit of that institutional knowledge.

0 AI bolt-ons

Arto was not a general-purpose AI platform given a public sector skin. The governance layer, the KSB profiles, the workflow library and the compliance framework were all designed for public sector from the first day of development.

Why public sector experience changes what gets built

Most AI platforms that serve the public sector were built for the enterprise market and then adapted. The adaptation typically involves adding a compliance checklist, adjusting the terms of service to reference UK GDPR, and writing case study content that mentions councils. The underlying platform architecture: how data flows, how decisions are recorded, how accountability is structured, remains unchanged from the enterprise version.

The governance requirements of UK public sector are not a checklist that can be retrofitted. They are structural: human oversight must be enforced at decision points, not offered as a configuration option; audit trails must be immutable and complete, not generated on request; compliance checks must run on every workflow execution, not made available for periodic review. These are architectural decisions that are made at the design stage. They cannot be bolted on after the fact without rebuilding the core of the platform.

Invotra's twenty years of public sector digital experience means the design decisions in Arto were made by people who understood the governance requirements before AI was part of the picture. The KSB framework that defines what each AI agent can access and decide reflects the knowledge, skills and behaviour frameworks that public sector roles actually operate under. The compliance architecture reflects the standards that UK public sector IT teams actually audit against. These are not estimated from the outside. They are understood from the inside.

 

What 'built for' looks like versus 'adapted for'

Platform decision

Adapted for public sector

Built for public sector

Human oversight

Configurable option. Can be enabled or disabled by the organisation. Not enforced by the platform architecture.

Structurally enforced at defined decision points. Cannot be bypassed. Officer review is mandatory before any consequential action proceeds.

Audit trail

Available on request or for specific flagged events. May require manual export. Completeness depends on configuration.

Generated automatically on every workflow execution. Immutable, timestamped, searchable. Exists for every run whether or not anything went wrong.

Compliance checks

Periodic compliance review. A compliance dashboard showing current status. Framework applied when a review is triggered.

Arto Supported Flows are designed and built to align with key standards including ISO 27001, ISO 42001 and UK GDPR. An assurance case aligned to the 10 GDS AI Playbook principles is pre-populated and ready to deploy.

AI agent scope

General-purpose agent with broad permissions. Scope is managed by the organisation through policy settings after deployment.

KSB-mapped agent profiles. Each AI agent's access and decision scope is defined by the Knowledge, Skills and Behaviour framework for the specific public sector role it supports.

Workflow design

Generic workflow templates adapted by the organisation's IT team for the specific service area. Significant configuration required.

Pre-built Arto Supported Flows designed for specific public sector service areas: planning, children's services, revenues and benefits, contact centre, housing, adult social care.

Data residency

Hosted on shared enterprise cloud infrastructure. UK hosting may be available as an option at additional cost or on request.

Hosted on AWS London (eu-west-2) by default. UK residency is structural, not optional. Data never leaves UK infrastructure.

In short:  The governance architecture in Arto reflects how UK public sector actually works: its accountability structures, its audit requirements, its compliance obligations and its role-specific constraints. That architecture was designed by people who had spent twenty years building for those requirements, not reverse-engineered from them.

What it means that Arto is powered by Invotra

Invotra is the platform company within the INV Group. It is responsible for the technical infrastructure that Arto runs on: the integration architecture, the data processing pipeline, the security controls, the platform standards alignment and the ongoing engineering of the platform. When you deploy Arto, you are deploying on Invotra's platform.

 

For governance purposes, this has specific implications. Data processing agreements for Arto deployments are with Invotra as the data processor, acting under instruction from the deploying organisation as the data controller. The ISO 27001 certification that covers the platform's security management is Invotra's certification. The AWS London hosting commitment and the no-training commitment are Invotra's commitments, documented in the data processing agreement.

 

Invotra's history in public sector intranet and digital workplace platforms means the platform was not built from scratch for AI governance. The integration frameworks, the security architecture and the data handling infrastructure that Arto runs on have been developed and refined over 20+ years. AI governance was added as a functional layer on top of a platform that was already serving public sector organisations at scale.

Arto powered by Invotra logo

Built with UK public sector, not just for it

Arto's pre-built workflows were not designed by product teams speculating about what public sector processes look like. The planning validation workflow reflects how planning applications are actually received and processed. The MASH triage workflow reflects the multi-agency safeguarding hub processes that children's services teams actually operate. The EHC plan review workflow reflects the statutory timelines and professional requirements that SEND teams are legally required to meet.

That specificity is only possible through sustained engagement with the people who run those services. The knowledge embedded in the KSB profiles, the workflow steps, the governance gate configurations and the integration points comes from working with councils on real deployments, not from reading policy documents.

Redcar and Cleveland Council's deployment, which reduced contact centre demand by 28% within three months, is the clearest evidence of what this means in practice. That result came from a deployment that was configured for Redcar and Cleveland's specific contact centre context, not from a generic AI tool applied to a generic council process.

The Redcar and Cleveland case study

Explore Arto's pre-built workflow library

What governance and IT teams typically need to verify

Governance and IT teams reviewing Arto for a formal procurement or internal approval process typically need to verify the following:

All of these are available to organisations conducting a formal review. Contact the Arto team to request documentation or to arrange a governance-focused call that walks through the evidence base for your specific service area and approval context.

Request governance documentation or book a governance review

  • Data processing agreement:

    confirms the legal relationship between the deploying organisation (controller) and Invotra (processor), including UK GDPR Article 28 provisions

  • ISO 27001 certification:

    confirms Invotra's current certification status, scope and certification body

  • Security questionnaire response:

    Security questionnaire response: standard IT security assessment questions answered for the Arto platform

  • Data security documentation:

    AWS London hosting confirmation, encryption standards, access controls, incident response

  • Assurance case example:

    sample pre-populated assurance record showing the governance documentation for an Arto Supported Flow

  • Assurance Designer preview:

    walk-through of the pre-populated governance record for an Arto Supported Flow, showing what the DPO assessment package looks like before any organisational input

Where to go from here

How governance is built in

The full governance architecture: standards alignment, human oversight, audit trail and pre-populated assurance case, for the scrutinising governance/IT lead.

Governance

Data security and hosting

AWS London hosting, ISO 27001 certification, no-training commitment and encryption: the technical security facts.

Data security

Workflow library

Pre-built Arto Supported Flows for planning, children's services, revenues and benefits, contact centre, housing and adult social care.

Workflow library