Trust

Compliance

Last updated 12 July 2026

This page collects what a due-diligence review usually asks for. The same content is available as a downloadable PDF pack for your compliance file, and a signed data processing agreement is available on request through the contact page.

How the methodology maps to COBS 9A

Revela is an evidence engine for the suitability assessment; the advising firm retains the regulatory responsibility for its advice.

Risk the client is willing to takeMeasured from revealed behaviour under simulated pressure (games and video scenarios), not self-report. The stated figure is captured separately and tested against behaviour; the gap is flagged.
Risk the client is able to takeCapacity for loss recorded in the adviser fact-find (income, wealth, horizon, liquidity) and reconciled against willingness. The recommendation is held at the lower of the two, never raised to chase a goal.
Knowledge and experienceCaptured in the fact-find and carried on the record alongside the behavioural result.
Record keepingEvery sitting stores its raw inputs, the engine version that scored it, the full output and a SHA-256 seal. Adviser overrides carry who, when and why. Any figure in any report is reconstructable.
Periodic reviewPer-firm review cadence, due flags on the client book, re-sit reassessments that measure drift between sittings on the record.

Data processing roles

The advising firm is the data controller for its clients; Old Shoreham Behavioural Technologies processes that data on the firm’s documented instructions. Clients never create accounts: single-use, hash-stored assessment links are the entire client-facing surface, and no camera or microphone access is ever requested.

Subprocessors

ProviderPurposeRegion
Supabase (AWS)Database, authentication, file storageeu-west-1, Ireland
NetlifyApplication hosting and content deliveryGlobal CDN; serverless compute
ResendTransactional email (invitations, statements)EU/US

Changes to this list are announced to firms in advance through the platform.

Retention schedule

Suitability records (inputs, results, reports)Retained for the firm’s regulatory retention period; erasable on the firm’s instruction subject to its retention duties.
Platform audit trailPermanent and append-only.
Sign-in IP addresses and device strings90 days, then stripped; the events themselves remain.
Assessment invitation tokensStored only as SHA-256 hashes; single use.

Security posture

Scoring runs entirely server-side; behavioural weights never reach a browser. Multi-tenant isolation is enforced with row-level security plus firm scoping on every query. Staff accounts support TOTP two-factor authentication, one-time passwords are rotated at first sign-in, and every administrative action lands on the audit trail with source IP. Full detail is on the security page.