Worked example · Aldervale Mutual · a fictitious UK insurer
Inside the regSpace portal
Every change scored. Every claim evidenced.
Horizon scanning, risk, policy, proof: the work a compliance team is judged on. This page walks it through one portal, facet by facet. Aldervale Mutual is a worked example, a mid-size UK insurer, fourteen feeds in. Every figure reconciles.
Horizon scanning
Watched weekly. Scored against your profile.
Watcher runs every week across the sources that touch Aldervale: FCA, PRA, ICO, the Bank of England, EIOPA and nine more. Each change is scored against the tenant profile, so a consultation that matters to a UK insurer never drowns in one that does not. What is material becomes a memo. What is not gets filtered, and the register records both.
- 14 feeds live for this tenant. 1,912 changes scanned in Q2.
- Scored against Aldervale’s profile: sector, footprint, registrations. Deleting a memo as noise teaches the filter.
- Weekly briefs for the sectors it subscribes to, and a Month-in-Review roll-up.
DUAA 2025 commencement: next tranche of provisions in force
legislation.gov.uk
Consultation on outcomes monitoring under the Consumer Duty
fca.org.uk
Opinion on AI governance in underwriting
eiopa.europa.eu
Captive insurance: consultation response published
gov.uk
23 kept this quarter · 1,889 filtered
The memo
Alerts are noise. Evidence is the product.
Any alert service can forward a press release. A regSpace memo is a claim with its receipts: what changed, why it matters to this insurer, a link to the captured source, and the policy work it triggered. Citations are re-checked before anything reaches you.
“An alert tells you something happened. Evidence shows what changed, whom it touches, and what you did about it.”
DUAA 2025 commencement: next tranche of provisions in force
KeptData protection · published 30 Jun 2026
The next set of DUAA provisions is now in force. For Aldervale the change lands on the lawful-basis section of the privacy policy. Watcher flagged the two clauses it touches and produced the redline, in Word, with track changes.
- Privacy policyredline drafted · DOCX
- CTRL-DP-01 · Lawful-basis register reviewattested quarterly
- CTRL-DP-06 · Privacy notice publicationlive
Kept or deleted as noise by a person. regSpace learns from the decision.
The risk register
A 5x5 register an assessor can read.
ISO 31000 scoring, inherent and residual, with a treatment plan and an owner on every row. History is tamper-evident, and the whole register exports to CSV. Aldervale carries 47 risks. Three sit above residual appetite, and each links to the controls holding it down.
- 38 controls in the library, mapped law → policy → control.
- Review cadences per risk; an overdue review raises a ticket.
- Mark a control failing and the exposure surfaces on the dashboard straight away.
R-031 Claims data exposed by a processor
inherent 20 → residual 12 · review 21 Jul 2026
R-012 Pricing model drift on the motor book
inherent 16 → residual 8 · review 14 Aug 2026
R-007 Key-person dependency in actuarial
inherent 12 → residual 6 · review 03 Oct 2026
Controls library
38 controls · 1 failing3 missing clauses open · DUAA 2025 pack: 15 dated obligations built in
Open in Word and accept or reject there, clause by clause. An inline review view is on the roadmap.
Gap analysis
Every policy scored. Every gap named.
Assessor reads a policy against the relevant legal baselines and returns a score out of 100, with each finding marked covered, partial or missing and a suggested clause fix. The UK Data (Use and Access) Act 2025 pack is built in: 15 dated obligations, assessed as each provision commences. Today it assesses privacy and cookie policies; more policy types are on the roadmap. Draft intelligence for your team to review, not legal advice.
Privacy operations
The registers auditors actually ask for.
RoPA, DPIAs, vendors, cookies, the data-flow map: one set of registers, cross-checked by Privacy Inspector. It is a rules-based toolkit, not an AI agent, so every flag shows the exact rule that raised it.
Records of processing
Every processing activity with its purpose, lawful basis and recipients. The GDPR Article 30 register, kept as a register, not a spreadsheet.
DPIAs on file
High-risk processing assessed under Article 35. Aldervale's telematics pricing DPIA is in review now; the other three are current.
Vendors · 19 processors
Each scored against transparent rules: country adequacy, missing DPA, SCC fit, audit recency, contract expiry. Three are flagged today.
Cookies and trackers
The ePrivacy inventory, reconciled against what the cookie policy claims. A tracker the policy does not mention becomes a finding.
Countries on the data-flow map
Subjects to activities to assets to vendors to countries, drawn live from the registers. The map auditors ask for, without a workshop.
Claimed-vs-actual findings
The privacy notice says data stays in the UK and EU. The vendor register shows a US analytics processor. Flagged, with the rule that raised it.
Incidents
Seventy-two hours is not long. The clock is on screen.
Breaches and outages land in one register covering GDPR Articles 33 and 34, NIS2 and DORA. For a personal-data breach, the AI assist drafts the Article 33/34 assessment: whether the authority must be notified, whether individuals must be told, and why. A person reviews and sends; the deadline stays visible the whole time.
Aldervale logged five incidents in the last twelve months. One was a personal-data breach, and this is its record.
Credential stuffing against the broker portal
Personal data breachContainedDetected 12 May 2026 06:40 · 214 policyholder records · names and policy numbers
Draft authority notice prepared. A named person reviews, edits and sends.
The operating rhythm
Reviews that raise their own tickets.
Review cycles turn policy reviews, control attestations and risk reviews into tickets with owners and due dates. One scheduler dispatches the reminders across email, Slack, Teams and webhook. The executive dashboard shows what is on time, what is late and who holds it, and every figure drills down to its register.
click any figure to see exactly what sits behind it
Privacy policy · annual review
due 30 Sep 2026 · ticket open
CTRL-ACC-04 attestation · quarterly
overdue 6 days · owner reminded via Slack
Motor book risk review · quarterly
due 21 Jul 2026
18 cycles · reminders via email, Slack, Teams, webhook
Training
327 of 341 people current · 96%Person-level completion evidence, synced from the org directory. Not a claimed percentage: a record per person, per course.
Trust
Built to pass your security review.
The controls are architecture, not promises. Sign-in, isolation, residency, roles, audit: the short version, in writing.
Sign-in through your IdP
SAML or OIDC single sign-on, configured per tenant. Your team enters a work email on the login page and lands on your own identity provider.
A schema of your own
Every tenant gets its own Postgres schema. The tenancy boundary is the database layout itself, not a WHERE clause.
Residency pinned at onboarding
UK and EU tenants run in Google Cloud europe-west2, in London. US tenants run in us-central1. Fixed at onboarding and enforced by the system itself, not an honour system.
Roles decide who writes
The org directory syncs from your identity provider over SCIM, and ownership across the platform resolves to roles. Viewers read; they do not write.
A tamper-evident audit trail
Every significant AI action and every human accept-or-reject decision is recorded per tenant, and the record can be proven unaltered.
Drafts until a person signs off
Memos are kept or deleted by a person. Redlines are reviewed in Word. Complaint replies are human-approved. Draft intelligence, not legal advice.
See it on your own feeds.
Profiler reads your website, Assessor scores the policies you bring, and the weekly digest starts. Thirty minutes is enough to know if it fits.