Trust Centre.
How Kellys handles data, security, AI models, sub-processors and disclosure — the page a DPO can read end-to-end.
Last updated: 24 May 2026.
In 10 seconds
- UK-hosted — Supabase Postgres in eu-west-2 (London). User data does not leave the UK.
- ICO-registered — reference ICO:00014202781 as the data controller.
- PII-stripped before AI grading — names, dates and identifiers are redacted server-side before any attempt text reaches Anthropic or OpenAI.
- Recordings auto-delete after 90 days — oral-session audio in Cloudflare R2 is removed by an enforced bucket lifecycle rule.
1. Who we are
Kellys is a UK legal-AI company, operated by its founder as a sole trader in England. The founder is the data controller for all personal data we process. Kellys is not regulated by the Solicitors Regulation Authority and is not a law firm.
ICO registration reference: ICO:00014202781 (registered 2026-05-24).
2. Data residency
All Kellys-controlled storage is in the United Kingdom. Specifically:
- Supabase (Postgres + Auth + Storage). Hosted on AWS eu-west-2 (London). All user records, grading attempts, audit-log events and oral recordings sit on UK soil.
- Cloudflare Workers (application hosting). The Next.js app runs on Cloudflare’s global Workers platform. Workers execute on the nearest edge location; the application itself stores no PII outside Supabase.
3. Sub-processors
Kellys uses the following sub-processors. Each is bound by a written data-processing agreement (DPA) or an equivalent SCC / UK-IDTA where transfers leave the UK.
| Sub-processor | Purpose | Data accessed | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Database, auth, storage | All Kellys data | UK (London) | UK-resident processor; no transfer |
| Cloudflare Workers | Application hosting + asset CDN | Request metadata; no persisted PII | Global edge (UK-resident DPA) | Cloudflare UK-IDTA + SCCs |
| Anthropic (Claude) | Written + oral grading | PII-redacted attempt transcript; scenario brief; prompt version | US | UK-IDTA + SCCs (filing in progress). Zero-Data-Retention amendment requested with the vendor. |
| OpenAI (Whisper) | Speech-to-text for oral submissions | Candidate audio (recording blob, scoped to one turn or one submission) | US | UK-IDTA + SCCs (filing in progress) |
| ElevenLabs | Text-to-speech for simulated client voice | Synthesised text only; no candidate audio sent to ElevenLabs | US | UK-IDTA + SCCs (filing in progress) |
| Stripe | Payments, subscriptions, customer portal | Stripe customer ID, billing address, payment-method token (Stripe-hosted; we never see card numbers) | EU + US (Stripe routing) | UK-IDTA + SCCs (Stripe’s standard DPA) |
| PostHog | Product analytics (cookie-consent gated) | Pseudonymised event metadata | EU (Frankfurt) | EU resident; no UK transfer |
| Sentry | Error reporting | Stack traces, request metadata, no PII | EU (Frankfurt) | EU resident; no UK transfer |
Sub-processor changes are communicated by updating this page. Email hello@kellys.ai with the subject “sub-processor change subscription” to be notified of changes 30 days in advance.
4. AI grader model card
- Foundation model. Anthropic Claude Sonnet 4.5 (claude-sonnet-4-5). Used for written grading, oral grading, judge-persona generation and judicial-question generation.
- Speech-to-text. OpenAI Whisper.
- Text-to-speech. ElevenLabs (turn-based client persona voice).
- Biometric processing. Google MediaPipe Face Mesh runs entirely client-side in the candidate’s browser. Landmark coordinates never leave the browser; only aggregate metrics (eye-contact percent, blink rate, gaze deviation) are surfaced to the grader.
- Prompt versioning. Every grading call records the prompt version (e.g. v0.2.0) and model id alongside the result so a re-grade can recreate the exact decision context.
- Calibration target. 90% agreement with the founder on overall pass/fail; per-criterion grade within ±1 band on at least 5 of 6 criteria. Calibration round is blocking the launch of paid grading; results will be published on this page on completion.
- Soft-deduction model. Oral graders apply a proportional deduction model so candidates are not failed purely for missing structural scaffold. Written graders are strict on legal substance per the SRA’s published mark schemes. See AI Disclaimer §4.
- Article 22 right to human review. See AI Disclaimer §4 for the full statutory route. Emailed requests are responded to within 14 days.
5. PII discipline
- Candidate attempt text is PII-redacted before being sent to any AI provider. Names, addresses, dates of birth, phone numbers, email addresses, postcodes and case-style party names are pattern-stripped at the boundary.
- The events audit log records only non-identifying metadata (station, prompt version, model, token counts, score, latency, cost). Never the attempt content.
- Recordings of oral submissions are stored encrypted at rest and accessed only via signed URLs with a 7-day TTL.
- The structured logger (apps/web/lib/log.ts and packages/ai/src/lib/logger.ts) emits JSON lines containing only structured fields; raw attempt text and audio samples are never written to logs.
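As an added illustration of the boundary redaction this section describes (example code written for this page, not the Kellys redactor in apps/web or packages/ai), the block below pattern-strips e-mail addresses, dates, UK phone numbers, postcodes, street addresses and case-style party names, then removes account-known names, and returns only per-category counts as metadata, which is the shape of information the audit log is allowed to keep. The rules, the `[TAG]` placeholders, the known-name list and the sample attempt text are all constructed here; real-world name detection needs more than a regex, so treat the rules as illustrative rather than exhaustive.

```typescript
// Added example, not the Kellys codebase: pattern-stripping PII from an attempt
// before it crosses the boundary to an AI provider. Patterns are UK-oriented
// approximations written for this page, not the project's production rules.

export interface RedactionResult {
  text: string;                   // the text that may be sent to the grader
  counts: Record<string, number>; // spans removed per rule (metadata only)
}

// Rule order matters: e-mail first because it embeds names, then the
// digit-heavy patterns before looser ones so nothing is partly consumed.
const RULES: Array<[string, RegExp]> = [
  ["EMAIL", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  // 12/03/1990, 12-03-1990, 1990-03-12, 3 June 2024, 3rd Jun 2024
  ["DATE", /\b(?:\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}|\d{4}-\d{2}-\d{2}|\d{1,2}(?:st|nd|rd|th)?\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\s+\d{4})\b/g],
  // +44 7700 900123, 07700 900123, (020) 7946 0123
  ["PHONE", /(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s-]?\d{3,4}[\s-]?\d{3,4}\b/g],
  // SW1A 1AA, M1 1AE, LS1 4AB
  ["POSTCODE", /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/g],
  // 14 Rose Lane, 221 Baker Street
  ["ADDRESS", /\b\d{1,4}\s+[A-Z][a-z]+\s+(?:Street|Road|Lane|Avenue|Close|Drive|Way)\b/g],
  // Smith v Jones, R v Patel, Brown v. Green Ltd
  ["PARTY", /\b[A-Z][A-Za-z'-]*(?:\s+(?:Ltd|plc|LLP))?\s+v\.?\s+[A-Z][A-Za-z'-]*(?:\s+(?:Ltd|plc|LLP))?\b/g],
];

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every match of every rule with "[TAG]", then strip names the
// platform already knows (e.g. the candidate's registered name): the full
// name first, then each token of 3+ characters so a bare surname is caught.
export function redactForGrader(text: string, knownNames: string[] = []): RedactionResult {
  const counts: Record<string, number> = {};
  let out = text;
  const apply = (tag: string, re: RegExp): void => {
    out = out.replace(re, () => {
      counts[tag] = (counts[tag] ?? 0) + 1;
      return `[${tag}]`;
    });
  };
  for (const [tag, re] of RULES) apply(tag, re);
  for (const name of knownNames) {
    const tokens = name.trim().split(/\s+/).filter((t) => t.length >= 3);
    for (const variant of [name.trim(), ...tokens]) {
      apply("NAME", new RegExp(`\\b${escapeRegExp(variant)}\\b`, "gi"));
    }
  }
  return { text: out, counts };
}

// Belt-and-braces check at the boundary: which rules still match the output?
// An empty list is the condition for letting the text leave the server.
export function residualMatches(text: string): string[] {
  return RULES.filter(([, re]) => text.search(re) !== -1).map(([tag]) => tag);
}

// Constructed sample attempt text; every identifier in it is fictional.
export const SAMPLE_ATTEMPT = [
  "Our client, Priya Sharma (DOB 12/03/1990), lives at 14 Rose Lane, Leeds LS1 4AB.",
  "She can be reached on 07700 900123 or priya.sharma@example.com.",
  "The claim, Sharma v Hartley Ltd, was issued on 3 June 2024.",
  "Ms Sharma argues the limitation period has not expired.",
].join(" ");

const demo = redactForGrader(SAMPLE_ATTEMPT, ["Priya Sharma"]);
console.log(demo.text);
console.log(demo.counts, residualMatches(demo.text)); // residual: []
```

Running it prints the attempt with every span replaced by its tag; `counts` carries nothing but category totals, so it can go into the events log, while `residualMatches` gives the handler a cheap refusal condition before the provider call.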
6. Retention
- Account data: retained while the account is active. Deleted on Article 17 erasure request (route: /api/account/erase) within 30 days.
- Grading attempts: retained for 12 months after creation so candidates can revisit their own progress; hard-deleted at month 13.
- Oral recordings (biometric): 90 days from session end, then hard-deleted. Lifecycle policy enforced at the storage backend. Full DPIA is being finalised alongside launch.
- Audit log events: append-only; retained for 6 years to support security investigations and tax recordkeeping. PII-free by design.
- Payment data: Stripe retains payment data per its own retention schedule (currently 7 years for accounting compliance).
7. Security posture
- Row-Level Security enabled on every Supabase table. Policies are versioned in the repo at packages/db/migrations/ and applied via SQL, not via the Supabase Studio UI, so they are reviewable.
- Stripe webhooks are signed (HMAC-SHA256) and event-ID-deduplicated server-side; replay-protected.
- All routes that touch user data are gated by middleware that verifies a valid Supabase session before reaching the route handler. Anonymous requests redirect to /login.
- Secrets are managed as Cloudflare Workers secrets and rotated on a documented schedule (Anthropic, OpenAI, ElevenLabs, Stripe webhook secret, Supabase service-role, R2 access keys).
- SOC 2 / ISO 27001: not yet certified. Path: Vanta or Drata subscription, formal access review (small team), vendor questionnaires complete, UK CREST-certified penetration test before the first firm contract.
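To make the webhook line above concrete, here is an added TypeScript example (written for this page, not the Kellys route handler) of the two controls it names: an HMAC-SHA256 check over the raw body with the endpoint secret and a constant-time comparison, plus a timestamp window, and then event-ID deduplication before any side effect. The `t=…,v1=…` header layout and the `<t>.<body>` signed string follow Stripe's documented scheme; the secret, the event body and the in-memory processed-event store are constructed placeholders standing in for the real secret and a database table.

```typescript
// Added example, not the Kellys codebase: Stripe webhook verification as the
// Trust Centre describes it - HMAC-SHA256 over "<t>.<raw body>" with the
// endpoint secret, a replay window on the timestamp, then event-ID dedup.
// The processed-event store is an in-memory Set standing in for a DB table.
import { createHmac, timingSafeEqual } from "node:crypto";

const DEFAULT_TOLERANCE_SECONDS = 300; // reject signatures older than 5 minutes

// Parse "t=1700000000,v1=ab12...,v0=..." into the timestamp and all v1 values.
export function parseSignatureHeader(header: string): { t: number; v1: string[] } {
  const parsed = { t: NaN, v1: [] as string[] };
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") parsed.t = Number(value);
    else if (key === "v1") parsed.v1.push(value);
  }
  return parsed;
}

// HMAC-SHA256(secret, "<t>.<payload>") as lowercase hex.
export function computeSignature(payload: string, secret: string, t: number): string {
  return createHmac("sha256", secret).update(`${t}.${payload}`).digest("hex");
}

// What Stripe would place in the Stripe-Signature header; used here to simulate a delivery.
export function buildSignatureHeader(payload: string, secret: string, t: number): string {
  return `t=${t},v1=${computeSignature(payload, secret, t)}`;
}

// True only if the timestamp is inside the window and at least one v1 value
// equals the expected MAC, compared in constant time after a length check.
export function verifySignature(payload: string, header: string, secret: string,
                                nowSeconds: number, tolerance = DEFAULT_TOLERANCE_SECONDS): boolean {
  const { t, v1 } = parseSignatureHeader(header);
  if (!Number.isFinite(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - t) > tolerance) return false;
  const expected = Buffer.from(computeSignature(payload, secret, t), "hex");
  return v1.some((sig) => {
    const given = Buffer.from(sig, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}

export interface ProcessedEventStore {
  // Record the id; false means it was already present (a retry or a replay).
  recordIfNew(eventId: string): boolean;
}
export class MemoryEventStore implements ProcessedEventStore {
  private readonly seen = new Set<string>();
  recordIfNew(eventId: string): boolean {
    if (this.seen.has(eventId)) return false;
    this.seen.add(eventId);
    return true;
  }
}

export type WebhookOutcome = "processed" | "duplicate" | "bad_signature" | "bad_payload";

// The route handler's decision: verify before parsing, dedup before side effects.
export function handleWebhook(rawBody: string, header: string, secret: string,
                              store: ProcessedEventStore, nowSeconds: number): { status: number; outcome: WebhookOutcome } {
  if (!verifySignature(rawBody, header, secret, nowSeconds)) return { status: 400, outcome: "bad_signature" };
  let event: { id?: unknown; type?: unknown };
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { status: 400, outcome: "bad_payload" };
  }
  if (typeof event.id !== "string" || typeof event.type !== "string") return { status: 400, outcome: "bad_payload" };
  // Stripe retries until it sees a 2xx, so one event can legitimately arrive
  // twice; acknowledge the duplicate without re-applying its effect.
  if (!store.recordIfNew(event.id)) return { status: 200, outcome: "duplicate" };
  // Business effect for event.type (e.g. activating a subscription) goes here.
  return { status: 200, outcome: "processed" };
}

// Constructed sample delivery; the secret is a placeholder, not a real key.
export const SAMPLE_SECRET = "whsec_placeholder_for_example_only";
export const SAMPLE_EVENT = JSON.stringify({
  id: "evt_constructed_0001",
  type: "checkout.session.completed",
  data: { object: { id: "cs_constructed_0001" } },
});

const now = 1700000000;
const header = buildSignatureHeader(SAMPLE_EVENT, SAMPLE_SECRET, now);
const store = new MemoryEventStore();
console.log(handleWebhook(SAMPLE_EVENT, header, SAMPLE_SECRET, store, now));       // processed
console.log(handleWebhook(SAMPLE_EVENT, header, SAMPLE_SECRET, store, now + 5));   // duplicate
console.log(handleWebhook(SAMPLE_EVENT, header, SAMPLE_SECRET, store, now + 900)); // bad_signature
```

Two design points worth noting: the raw request body is what gets signed, so the handler must verify the exact bytes received rather than a re-serialised JSON object, and the dedup record is written before the business effect so that a retry arriving mid-processing is answered as a duplicate instead of being applied twice.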
8. Accessibility
We aim for WCAG 2.1 Level AA across the public surface. We test with keyboard-only navigation and screen readers (VoiceOver, NVDA), and prefers-reduced-motion is honoured site-wide. Known gaps and a planned remediation schedule live in our accessibility statement (in preparation).
9. Breach posture
In the event of a personal-data breach under the UK GDPR, Kellys will notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach where required under Article 33, and will notify affected users without undue delay under Article 34 where the breach is likely to result in a high risk to their rights and freedoms.
10. Responsible disclosure
If you believe you have found a security issue affecting Kellys, please email hello@kellys.ai with the subject “Security disclosure”. We will acknowledge receipt within 3 working days and aim to triage within 7 working days. We do not currently run a paid bug-bounty programme but welcome responsible disclosure.
11. Contact
All trust + privacy correspondence: hello@kellys.ai. We are not a large enough organisation to require a Data Protection Officer under Article 37 (our processing is not at the scale or frequency that triggers a mandatory DPO appointment), but all DPO-style enquiries are handled by the founder personally.