Compliance
This page collects what a due-diligence review usually asks for. The same content is available as a downloadable PDF pack for your compliance file, and a signed data processing agreement is available on request through the contact page.
How the methodology maps to COBS 9A
Revela is an evidence engine for the suitability assessment; the advising firm retains the regulatory responsibility for its advice.
| Risk the client is willing to take | Measured from revealed behaviour under simulated pressure (games and video scenarios), not self-report. The stated figure is captured separately and tested against behaviour; the gap is flagged. |
| Risk the client is able to take | Capacity for loss recorded in the adviser fact-find (income, wealth, horizon, liquidity) and reconciled against willingness. The recommendation is held at the lower of the two, never raised to chase a goal. |
| Knowledge and experience | Captured in the fact-find and carried on the record alongside the behavioural result. |
| Record keeping | Every sitting stores its raw inputs, the engine version that scored it, the full output and a SHA-256 seal. Adviser overrides carry who, when and why. Any figure in any report is reconstructable. |
| Periodic review | Per-firm review cadence, due flags on the client book, re-sit reassessments that measure drift between sittings on the record. |
Data processing roles
The advising firm is the data controller for its clients; Old Shoreham Behavioural Technologies processes that data on the firm’s documented instructions. Clients never create accounts: single-use, hash-stored assessment links are the entire client-facing surface, and no camera or microphone access is ever requested.
Subprocessors
| Provider | Purpose | Region |
| Supabase (AWS) | Database, authentication, file storage | eu-west-1, Ireland |
| Netlify | Application hosting and content delivery | Global CDN; serverless compute |
| Resend | Transactional email (invitations, statements) | EU/US |
Changes to this list are announced to firms in advance through the platform.
Retention schedule
| Suitability records (inputs, results, reports) | Retained for the firm’s regulatory retention period; erasable on the firm’s instruction subject to its retention duties. |
| Platform audit trail | Permanent and append-only. |
| Sign-in IP addresses and device strings | 90 days, then stripped; the events themselves remain. |
| Assessment invitation tokens | Stored only as SHA-256 hashes; single use. |
Security posture
Scoring runs entirely server-side; behavioural weights never reach a browser. Multi-tenant isolation is enforced with row-level security plus firm scoping on every query. Staff accounts support TOTP two-factor authentication, one-time passwords are rotated at first sign-in, and every administrative action lands on the audit trail with source IP. Full detail is on the security page.