Pre-Launch Compliance & Legal Due-Diligence Audit

Audit date: · Subject: Brit-Estate Ltd (trading as TrueDeed) — AI-powered UK property + service marketplace

Before launch, we commissioned a full compliance and legal due-diligence audit of our own platform — the kind of review an acquirer or regulator would run — and we are publishing the results, including every blocker it found. The short version: our engineering controls scored well; our regulatory and governance paperwork did not. The audit told us not to launch publicly until specific blockers are fixed, and we agreed. Everything below is the audit as delivered, condensed for the web but with nothing softened.

0. Executive summary

The audit found materially more compliance plumbing than the typical pre-revenue PropTech: consent records, an immutable audit log, soft-delete + cascade-restricted GDPR purge, AI usage logging, signed Stripe webhooks, RLS-enforced multi-tenant data, MFA endpoints, and a nonce-based CSP. Seventeen legal pages were already drafted, placing the platform in the top quartile of UK PropTech entrants for paperwork breadth.

However, the auditors concluded the company could not launch in 30 days as configured. The blocking issues were not architectural — they were operational, contractual, and regulatory. The ten launch blockers:

  1. Company identity placeholders ([COMPANY NUMBER], [REGISTERED ADDRESS], [ICO REGISTRATION NUMBER], [HMRC REFERENCE]) still present in published legal pages — itself an ICO enforcement trigger and a CPRs 2008 misleading-action breach.
  2. No FCA appointed-representative or introducer structure despite mortgage broker and insurance referral revenue tiers existing in code — receiving fees for introducing regulated credit/insurance products without FSMA permission is a criminal offence (FSMA 2000 s.23).
  3. No NTSELAT Material Information (Parts A/B/C) compliance layer wired into listing creation — omission is now a CPR 2008 breach. (Partially closed 2026-06-11: planning permission status is now modelled, required, and enforced; building safety, rights/restrictions, flood declaration, parking, and accessibility fields remain open.)
  4. No HMRC AML supervision number and no named Money Laundering Reporting Officer — the AML policy promises supervision that has not been obtained. Launch blocker.
  5. No deposit-scheme integration (TDS/DPS/MyDeposits) for landlord/tenant flows — statutory penalty up to 3× deposit plus loss of s.21 (Housing Act 2004 ss.213–215).
  6. AI guardrails are coded, but no DPIA exists for the AI processing (UK GDPR Art. 35 + ICO AI Toolkit). Launch blocker.
  7. No incident-response runbook, breach-notification playbook, or 72-hour ICO clock procedure.
  8. PECR soft opt-in not technically enforced — marketing-email send paths do not gate on marketing consent records before dispatch.
  9. No formal Record of Processing Activities (Art. 30) and no Data Protection Officer appointed in writing.
  10. No consumer ODR link or platform-level Property Ombudsman / Property Redress Scheme membership; the empty Modern Slavery page must be removed or completed correctly.

Scorecard (dimension — score — one-line justification):

  • Launch Readiness — 42 / 100 — Engineering ready, regulatory not
  • Compliance Score — 55 / 100 — Excellent skeleton, missing identity + HMRC + FCA + DPIA
  • Security Score — 74 / 100 — Strong CSP / RLS / webhook signing; gaps in CSRF, secrets rotation, SBOM, pen test
  • Governance Score — 38 / 100 — No DPO, no ROPA, no risk register, no board minutes, no policies signed
  • Investor Readiness — 48 / 100 — Cap table likely fine; data room shallow, KPIs unaudited, IP assignment unverified
  • Acquisition Readiness — 31 / 100 — Would not survive Big-Four vendor diligence today

Verdict: push public launch to T+90. Use the 90 days to close every blocker. A soft, invite-only beta at T+30 is acceptable only after the ten launch blockers above are cleared.

Phase 1 — Regulatory mapping

The audit mapped fifty instruments touching the platform. Instrument — jurisdiction — assessed risk:

  • UK GDPR — UK — CRITICAL (up to £17.5m or 4% global turnover)
  • Data Protection Act 2018 — UK — CRITICAL
  • Data (Use & Access) Act 2025 (DUAA) — UK — HIGH
  • EU GDPR — EU — CRITICAL (applies on EU expansion)
  • PECR 2003 — UK — CRITICAL (up to £500,000)
  • ePrivacy Directive 2002/58/EC — EU — HIGH
  • Consumer Rights Act 2015 — UK — HIGH
  • Consumer Contracts Regs 2013 (cooling-off) — UK — HIGH
  • Consumer Protection from Unfair Trading Regs 2008 (CPRs) — UK — CRITICAL (criminal)
  • Digital Markets, Competition & Consumers Act 2024 (DMCC) — UK — CRITICAL (up to 10% global turnover)
  • E-Commerce Regulations 2002 — UK — HIGH
  • Online Safety Act 2023 — UK — CRITICAL (senior-manager criminal liability)
  • Equality Act 2010 — UK — HIGH
  • Estate Agents Act 1979 — UK — CRITICAL (banning orders)
  • Property Misdescriptions Act 1991 (via CPRs) — UK — HIGH
  • NTSELAT Material Information Guidance Parts A/B/C — UK — CRITICAL
  • Letting Agents (Redress Scheme) Order 2014 — UK — CRITICAL
  • Tenant Fees Act 2019 — England — CRITICAL
  • Housing Act 2004 Part 6 (deposit protection) — E&W — CRITICAL
  • Homes (Fitness for Human Habitation) Act 2018 — England — HIGH
  • Building Safety Act 2022 — UK — HIGH
  • Money Laundering Regs 2017 (MLR) — UK — CRITICAL (criminal)
  • Proceeds of Crime Act 2002 — UK — CRITICAL
  • Sanctions & AML Act 2018 + OFSI regime — UK — CRITICAL (strict liability)
  • Companies Act 2006 (trader identity) — UK — MEDIUM
  • FSMA 2000 (regulated introductions) — UK — CRITICAL (criminal, s.23)
  • FCA Handbook — MCOB / ICOBS / SYSC / CONC — UK — CRITICAL
  • FCA Consumer Duty (PRIN 12) — UK — HIGH
  • Payment Services Regs 2017 — UK — MEDIUM (Stripe Connect mitigates)
  • AMLD 5/6 — EU — CRITICAL (on EU rollout)
  • MiFID II — EU — MEDIUM (only if tokenisation)
  • EU Digital Services Act — EU — CRITICAL (up to 6% global turnover)
  • EU Digital Markets Act — EU — LOW (not a gatekeeper)
  • EU AI Act — EU — CRITICAL (up to €35m or 7% turnover)
  • EU Platform-to-Business Regulation (ranking transparency) — EU — HIGH
  • ICO AI & Data Protection Toolkit — UK — HIGH
  • CMA Online Choice Architecture Guidance (dark patterns) — UK — HIGH
  • CMA Online Reviews Guidance — UK — CRITICAL (DMCC offences)
  • CAP / BCAP Codes — UK — MEDIUM
  • Trade Marks Act 1994 / CDPA 1988 — UK — MEDIUM
  • Equality Act 2010 (web accessibility) + EAA 2025 — UK/EU — HIGH
  • WCAG 2.2 AA — International — MEDIUM
  • Modern Slavery Act 2015 s.54 — UK — LOW (below threshold; page risk only)
  • OSA Children's Codes — UK — HIGH
  • NIS2 Directive — EU — MEDIUM
  • Computer Misuse Act 1990 — UK — LOW
  • Defamation Act 2013 + Website Operators Regs — UK — MEDIUM
  • UK-EU adequacy decision (transfers) — UK/EU — CRITICAL if it lapses
  • ICO IDTA / Addendum (UK→US transfers) — UK — HIGH
  • Property Ombudsman / Property Redress Scheme rules — UK — CRITICAL

Phase 2 — Data mapping audit

Every category of personal data was mapped from the database schema to its lawful basis and retention period. Highlights (category — lawful basis — retention — risk):

  • Account identifiers (email, phone, name) — Contract (Art. 6(1)(b)) — 6 yrs post-closure — MEDIUM
  • Consent records — Consent (Art. 6(1)(a), 7(1)) — 6 yrs after withdrawal — LOW
  • KYC / ID verification documents — Legal obligation (MLR 2017) — 5 yrs after relationship ends — HIGH
  • Property listings + photos — Contract / legitimate interests — Until withdrawn + 1 yr — MEDIUM
  • Messaging / chat — Contract — Active + 2 yrs — MEDIUM
  • Payment data — Contract (held in Stripe vault, not locally) — 7 yrs (tax) for metadata — LOW
  • Lead data (intent, contact) — Legitimate interests — 12 months — HIGH (PECR overlap)
  • Search history / saved properties — Legitimate interests — 24 months — MEDIUM
  • Behavioural analytics (PostHog) — Consent (opt-in) — PostHog default — MEDIUM
  • AI prompts + outputs — Contract — 24 months internal — HIGH if users paste IDs
  • Location / IP — Legitimate interests (security) — 30 days — MEDIUM

International transfers: Supabase (EU, adequacy), Stripe / Anthropic / Resend / Sentry / Inngest / Vercel (US — UK IDTA + DPF, transfer impact assessments required), PostHog (verify EU region pin), Cloudflare (IDTA addendum), Upstash (EU), MapTiler (Switzerland, adequacy).

  • GAP: no documented Transfer Impact Assessments for any US transfer.
  • GAP: no public sub-processor list (Art. 28(2) obligation toward agents who are themselves controllers).
  • GAP: signed DPAs with each processor not evidenced in the repository.

Phase 4 — Marketplace liability audit

  • Property listings: no field for an agent's declared personal interest in a property (Estate Agents Act 1979 s.21) — GAP-M1.
  • Material information: NTSELAT Parts A/B/C not fully modelled — GAP-M2 (BLOCKER). Planning permission status was closed on 2026-06-11 (modelled, required on create/edit, enforced server-side, displayed on the property page); building safety, rights/restrictions, flood declaration, parking and accessibility fields remain open.
  • Lettings: Tenant Fees Act 'permitted payments only' breakdown missing from listings; asking-vs-guide price distinction missing.
  • Agent accounts: redress-scheme (TPO/PRS) membership capture and verification missing — GAP-M3 (BLOCKER); client money protection scheme capture missing; per-branch HMRC AML supervision number missing; no re-check cron for PI insurance; no ranking-transparency disclosure (P2B Art. 5).
  • Tradesperson accounts: Gas Safe / NICEIC / NAPIT numbers need capture and annual re-verification; public liability insurance expiry alerting missing; DBS status not modelled.
  • User-generated content: Online Safety Act illegal-content risk assessment missing — GAP-M4 (BLOCKER); children's access assessment missing — GAP-M5; no notice-and-action flow for non-property UGC.
  • Reviews: DMCC fake-review controls (prohibit, detect, remove) needed; the Defamation Act s.5 defence requires a working 48-hour notice procedure — GAP-M6.
  • Messaging: in-platform DMs used for promotion still count as direct marketing (PECR Reg 22); server-side message logging must be clearly disclosed in terms.
  • Referrals: mandatory written referral-fee disclosure to the consumer at the point of recommendation (conveyancer/surveyor/broker) has no code path — GAP-M7 (BLOCKER).

Phase 5 — AI compliance audit

AI on the platform today: listing description generation, ROI/valuation estimation, match/recommendation (pgvector), and quote-draft suggestions — all routed through a single provider boundary with rate limits, a daily spend cap, input sanitisation, Zod output validation, and usage logging. Strengths noted: centralised kill-switch-able boundary, per-user rate limits, a public AI transparency page.

  • AI-1 (BLOCKER): no DPIA covering AI processing (UK GDPR Art. 35; ICO AI Toolkit).
  • AI-2 (BLOCKER): EU AI Act Art. 50 transparency — AI-generated outputs need machine-readable provenance and an inline label; generated descriptions carry neither.
  • AI-3 (HIGH): no human-in-the-loop checkpoint or friction screen for valuations, which can meaningfully affect decisions (Art. 22-adjacent).
  • AI-4 (HIGH): recommendation engine needs per-user explanations available on request.
  • AI-5 (MEDIUM): no protected-characteristic fairness audit on recommendations (Equality Act indirect-discrimination exposure).
  • AI-6 (MEDIUM): sanitiser does not handle markdown/HTML-shaped prompt-injection in user-supplied listing copy.
  • AI-7 (MEDIUM): no published model card per AI feature (provider, pinned model version, limitations).
  • AI-8 (LOW): fact-claims about properties should be grounded against Land Registry / Companies House with citations.
  • AI-9 (LOW): watermark AI-staged property photos if AI staging is used.
  • AI-10 (MEDIUM): confirm the Anthropic processor agreement and zero-data-retention configuration.

Phase 6 — Security audit

Controls confirmed in code: TLS termination, secure/HttpOnly cookies, nonce-based CSP, X-Frame-Options DENY, nosniff, Permissions-Policy, Supabase Auth with MFA endpoints, HMAC-signed re-auth and replay tokens, signature-verified Stripe and Inngest webhooks, row-level security across tables, soft-delete GDPR purge with restricted cascades, RPC-gated admin audit log, and Upstash rate limiting.

  • S1 (CRITICAL): no external penetration test on record — commission an OWASP ASVS L2 test pre-launch.
  • S2 (HIGH): no CSRF tokens on state-changing form endpoints.
  • S3 (HIGH): no HSTS preload header.
  • S4 (HIGH): no secrets-rotation runbook for signing secrets.
  • S5 (HIGH): no SBOM / dependency-vulnerability gate in CI.
  • S6 (HIGH): backup retention and restore-drill cadence unverified.
  • S7 (HIGH): verify anonymous-user rate limits on all AI endpoints.
  • S8 (MEDIUM): no security.txt / responsible-disclosure channel.
  • S9–S10 (MEDIUM): verify session-replay PII masking in Sentry and PostHog.
  • S11 (MEDIUM): lint-guard the service-role key against client bundles.
  • S12 (MEDIUM): verify private buckets + short-lived signed URLs for ID documents.
  • S13 (MEDIUM): server-log retention and PII purging policy missing.
  • S14 (MEDIUM): enforce Stripe webhook idempotency via a unique event-ID index.
  • S15 (MEDIUM): verify styles CSP is nonce-based, not unsafe-inline.
  • S16–S20 (LOW): SRI for third-party scripts, __Host- cookie prefix, dependency-pinning documentation, Stripe onboarding data minimisation, webhook body-logging hygiene.

Phase 7 — Contract audit

Forty-one contracts and policies were audited. Drafted: consumer terms, privacy notice, cookie notice, AI transparency notice, acceptable use policy (all pending identity fields). Marked missing or blocker:

  • BLOCKER: Mortgage Broker Terms and Insurance Introducer Terms (FSMA criminal exposure without them).
  • BLOCKER: DPA template for B2B controllers (agents).
  • BLOCKER: IP assignment from founders and every developer (title cloud without it).
  • BLOCKER: Incident Response Policy + Runbook (72-hour ICO clock).
  • Missing: agent and tradesperson B2B terms, conveyancer/surveyor referral agreements, subscription and premium-listing T&Cs, lead-generation product T&Cs, public sub-processor list, NDAs, open-source/SBOM compliance, marketing soft opt-in policy, estate-agent letter-of-engagement template, data-retention schedule, DSAR SOP, information-security and vendor-risk policies, anti-bribery, whistleblowing, HR privacy notice.
  • Remove or complete: the empty Modern Slavery statement page (below the statutory threshold, so an empty page is itself misleading).

Phase 8 — Revenue compliance audit

Revenue stream — key requirement — status:

  • SaaS subscriptions — DMCC pre-contract info, renewal reminders, easy cancellation — GAP: reminders + easy-cancel needed
  • Commission on sales — EAA 1979 s.18 disclosure via letter of engagement — Template missing
  • Commission on lettings — Tenant Fees Act check + redress scheme — Verification missing
  • Service-job commission — Pre-job estimate + breakdown — OK
  • Lead generation (agents) — Quality SLA, refund terms — T&Cs needed
  • Lead generation (mortgage brokers) — FCA permission or Appointed Representative structure — BLOCKER
  • Lead generation (insurance) — FCA IDD authorisation or AR — BLOCKER
  • Lead generation (conveyancers) — Referral disclosure to consumer — Missing
  • Premium listings — Ranking-bias disclosure (P2B / CMA) — T&Cs missing
  • AI-powered services — AI Act Art. 50 + DPIA — DPIA missing

FCA detail: even introducing a customer to a regulated firm for a fee is a regulated activity unless an exclusion applies. The two viable routes are becoming an Appointed Representative of an FCA-authorised principal, or the very narrow Article 33B introducing exclusion (contact details only — even hosting a calculator can void it). The mortgage-broker tier without either structure was assessed as a launch blocker.

Phase 9 — Investor due-diligence red flags

  1. Company not incorporated in published documents (placeholders) — CRITICAL
  2. Cap table / Companies House consistency unverified — CRITICAL
  3. No IP assignment chain from contributors — CRITICAL
  4. No SBOM or open-source licence audit — HIGH
  5. No ROPA, DPIA, DPO, or ICO registration — CRITICAL
  6. No AI DPIA, model cards, or bias-testing evidence — CRITICAL
  7. No external pen test; no SOC 2 / ISO 27001 path — HIGH
  8. No HMRC AML supervision; FCA exposure unaddressed — CRITICAL
  9. Redress-scheme verification not enforced for agents — CRITICAL
  10. No Online Safety Act risk assessment — CRITICAL
  11. DMCC auto-renewal reminders not implemented — HIGH
  12. Trade mark registration status unknown — HIGH
  13. Domain ownership (company vs founder) unverified — HIGH
  14. Employment contracts / IR35 status unverified — HIGH
  15. VAT / MTD / tax compliance unverified — HIGH
  16. Insurance (cyber, PI, D&O, EL) status unverified — HIGH
  17. Vendor contracts not consolidated in a data room — MEDIUM
  18. Statutory registers and board minutes unverified — MEDIUM
  19. KPIs not independently auditable (analytics only, no warehouse) — MEDIUM
  20. Repository clutter signalling discipline gaps to diligence teams — noted

Top compliance, legal and security risks (§11–§14)

The audit ranked fifty compliance risks. The top fifteen:

  1. Placeholders in published legal pages — ICO + CPR breach on day one.
  2. No DPIA for AI processing (Art. 35 mandatory).
  3. No ROPA (Art. 30 mandatory).
  4. No DPO appointed in writing.
  5. No HMRC MLR supervision — criminal under MLR Reg 56.
  6. No FCA permission / AR structure for mortgage and insurance lead-gen — FSMA s.23 criminal.
  7. No NTSELAT material-information fields in listings.
  8. No redress-scheme verification at agent onboarding.
  9. No OSA illegal-content risk assessment.
  10. No OSA children's access assessment.
  11. PECR soft opt-in not technically enforced.
  12. No DMCC auto-renewal reminders.
  13. No DMCC fake-review systems.
  14. No EU AI Act Art. 50 inline labelling of AI-generated content.
  15. No tenancy deposit scheme integration.

The remaining thirty-five cover transfer impact assessments, the public sub-processor list, CSRF/HSTS/pen-test/SBOM gaps, secrets rotation, the incident runbook, accessibility audits, the DSAR SOP, retention-enforcement crons, consent-revocation propagation to processors, webhook idempotency, storage-bucket verification for ID documents, AI watermarking and bias testing, the estate-agent letter of engagement, personal-interest disclosure on listings, machine-readable AI provenance, the supplier DPA register, DPIA sign-off records, professional re-verification crons, board-level policy approvals, right-to-explanation processes, audit-log immutability proof, a published security.txt, and statutory company information in every page footer.

Top legal risks (§12) are led by FSMA s.23 criminal exposure, Estate Agents Act banning orders, CPRs criminal liability for misleading omissions, DMCC turnover-based fines, UK GDPR Art. 83 fines, and PECR penalties. Top security risks (§13) mirror the Phase 6 gaps, led by the missing external penetration test, CSRF, HSTS preload, and dependency scanning. Investor-DD risks (§14) mirror Phase 9.

Required policies, consent flows, and technical controls (§15–§19)

The audit specified forty required policies (from the privacy policy fix through incident response, sanctions screening, KYC operations, review moderation, ROPA and three DPIAs, to the OSA risk assessments), twenty consent flows (marketing opt-in, PECR soft opt-in evidencing, per-feature AI opt-out, rights flows for erasure, portability, objection, restriction, and explanation, and a consent ledger with immutability proof), and thirty-five technical controls. Key technical controls:

  • Fill identity placeholders site-wide from a single legal-entity source of truth; CI lint blocks any remaining literal placeholder.
  • Wire the cookie audit script into CI; add DNT/GPC honouring.
  • Add HSTS preload, CSRF double-submit middleware, __Host- session cookies, security.txt, and a dependency-vulnerability gate in CI.
  • Add a Stripe webhook idempotency unique index; scheduled crons for data retention, professional re-verification, and marketing-consent re-confirmation.
  • Wire NTSELAT material-information fields, redress-scheme verification, AML supervision and client-money-protection capture, and a referral-fee disclosure modal at the point of recommendation.
  • Add a visible badge plus machine-readable provenance attribute to every AI-generated output, a valuation friction screen, and per-feature AI opt-outs propagated to the inference layer.
  • Add automated DSAR export and right-to-erasure pipelines that propagate to processors; PII redaction in server logs; session-replay masking; storage-bucket policy tests; deposit-scheme integration; sanctions screening and Companies House lookup at onboarding; a material-information completeness gate before publishing; review-moderation queue with notice timestamps; immutable audit-log archive; and a rotated-secrets runbook.

Twenty-five governance controls (§19) follow: quarterly board-approved risk register, written DPO and MLRO appointments, ICO registration, HMRC MLR supervision, an FCA AR principal relationship (or removing the regulated tiers), signed vendor DPAs and contributor IP assignments, insurance, change-management and access-review cadences, monthly cookie and sub-processor reviews, regulatory horizon scanning, incident tabletops, annual pen tests, security review gates on API changes, staff training, KPI reconciliation, board minutes for every policy adoption, and a maintained data room.

Remediation plan and checklists (§20–§23)

30-day plan (soft, invite-only beta only): Week 1 — incorporate and paper (ICO registration, HMRC MLR application, FCA principal engagement or feature removal, trade mark filings, insurance, placeholder eradication, IP assignments). Week 2 — compliance artefacts (ROPA, three DPIAs, DPO and MLRO appointments, incident runbook + tabletop, priority internal policies, sub-processor list, cookie-audit cron, HSTS/CSRF/security.txt, pen test commissioned). Week 3 — marketplace controls (NTSELAT enforcement, redress and CMP verification, tenant-fee checks, sanctions screening, deposit-scheme integration, notice-and-action, OSA assessments, referral disclosure, DMCC renewal flows). Week 4 — AI provenance badges, valuation friction, AI opt-out propagation, fake-review detection, pricing disclosure, WCAG remediation, DSAR red-team test.

90-day plan (public launch): pen-test remediations, confirmed HMRC and ICO registrations, signed FCA AR relationship (or the feature stays off), auditable KPI warehouse, bias audit, bug bounty, backup restore drill, SOC 2 Type I readiness, ISO 27001 gap assessment, full vendor DPA register and TIAs, DR tabletop, DSA-readiness for EU expansion, and a public-launch dry run with a full incident-response tabletop.

The audit closes with a 37-item pre-launch sign-off checklist and a recurring post-launch calendar (monthly cookie and sub-processor audits, quarterly board risk reviews and DPIA refreshes, semi-annual pen tests and DR drills, annual SOC 2 / ISO surveillance, policy refresh, staff training, and recommendation-engine fairness audits).

Appendix — evidence base

Every finding was tied to verified code paths in the repository — legal pages, the consent-gated analytics provider, the GDPR request form, the AI service boundary and sanitiser, signed webhook handlers, HMAC re-auth tokens, MFA endpoints, the CSP middleware, commission-rate configuration, the consent service, and the RLS, GDPR-deletion and audit-log-hardening migrations. Where evidence was not found, the item was marked MISSING; where a control existed but was incomplete, PARTIAL; where placeholder strings appeared in shipped legal content, PLACEHOLDER — BLOCKER.

Why we publish this

Most companies bury their compliance homework. We think a property platform asking for your trust should show its working — including the failing grades. Publishing this audit binds us to fixing what it found, on the record. Future documents in this library (DPIA-style analyses, follow-up audits) will be published the same way.

See also our pledges, which turn several of these findings into standing commitments.