mtech labs ai
Eastbourne · UK

We keep your regulatory assumptions true over time as the platform underneath them changes.

Vendors ship default-on changes faster than compliance teams can read the email. Continuous Compliance enforces your AI policies automatically, watches for upstream change, and produces the evidence pack that lets you answer the question “can you prove that?” without two weeks of scrambling.

01/ Why this exists

Default-on changes are the new normal.

The pattern is now relentless — and it puts a small, silent gap between what your governance documents say and what your tenant actually does.

On 17 April 2026, Microsoft enabled Flex Routing by default for every EU tenant using Microsoft 365 Copilot. It allows large-language-model processing to happen outside the EU Data Boundary at peak demand. Most admins didn’t read the Message Center post in time. Most DPIAs weren’t updated. Both are still true today.

Flex Routing is one example of a pattern. Microsoft, Anthropic, Google and OpenAI now ship default-on changes to data handling, model availability and processing locations on a near-monthly cadence. A sister announcement the same week (MC1269241, Anthropic models in Copilot) flipped on by default too. Each one creates a small, silent gap between the assertions in your governance documents and the configuration of your live tenant.

Continuous Compliance closes that gap and keeps it closed. Not as a one-off engagement — as an ongoing service that runs alongside your tenant for as long as you’re using AI tools that ship change faster than your compliance team can read it.

02/ What's in the box

Three things, run continuously.

Not a quarterly review. Not a once-a-year audit. A live, maintained service.

  1. Continuous policy enforcement

    Inforcer runs against your tenant continuously, with an AI-specific rule library we maintain — Flex Routing, Copilot data-sharing, model defaults, agent permissions, EU/UK Data Boundary toggles, plus the wider configuration baseline you'd expect of an MSP-grade tenant. Drift is detected and corrected automatically; exceptions are logged.

  2. Change watch + monthly evidence

    We read Microsoft Message Center, vendor change logs and the Anthropic, OpenAI and Google announcement feeds so you don't have to. Each month, a one-page board-ready summary: what changed upstream, what your tenant did, what we did about it, and anything you need to decide. Backed by a maintained evidence ledger.

  3. DPIA-aligned evidence pack on demand

    When an auditor, customer questionnaire, regulator or internal compliance team asks, we produce a current evidence pack tied to the assertions in your DPIA, governance policy and customer commitments. We provide the technical evidence; your DP people and lawyers use it.

A note on scope. We don’t sit in judgement of your DPIA — we keep the technical reality aligned with what your DPIA says is true. Where you need legal sign-off, you bring a lawyer. Where you need an opinion on whether the assertions are right, you bring your DPO. We’re here to keep the configuration honest and the evidence current.

03/ What it covers

We keep an eye on the AI surface, not just the platform.

The toggles that move are increasingly AI-specific. Our ruleset grows as vendors ship — not on a release cadence we control.

  - Microsoft 365 Copilot
  - Microsoft Copilot Studio
  - Microsoft Purview
  - Defender for Cloud Apps
  - Microsoft Entra ID
  - Azure OpenAI service deployments
  - ChatGPT Enterprise / Team
  - Claude for Work
  - Google Gemini for Workspace
  - Custom-built assistants and agents
  - UK / EU Data Boundary toggles
  - Sensitivity labelling & DLP
  - Retention & lifecycle policy
  - Model-default selection

04/ Who it's for

Whoever has written down a promise about how their data is handled.

Not a sector list. A shape of organisation — defined by the commitments already made, not the regulator that polices them.

Fit

Organisations with data-residency clauses in customer or supplier contracts

"Data shall not leave the UK / EEA" commitments that need to keep being true after every Microsoft default flips, every model swap and every quiet vendor toggle.
Fit

Boards and committees with documented AI governance positions

Acceptable-use policies, AI charters, ESG statements that reference data handling — and need monthly evidence those positions are still being honoured, not just signed off and filed.
Fit

Compliance teams without an AI specialist

Where the GDPR knowledge is in the building but the AI-platform mechanics aren't, and the gap is widening as vendors ship. We sit on the technical side; you keep the legal lane.
/ Backed by

Delivered by M-Tech Labs with the operational discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme. Inforcer policy enforcement runs day-to-day. Code is continuously scanned for quality and security with Aikido, with independent QA and pen testing by Zoonou available where engagements call for it. Hosted on our own Nutanix / Fortinet platform — UK-based, current-version, continuously pen-tested. See secure development for the full picture.

/ Looking for the one-off?

Need to get compliant in the first place — DPIA pack, CAF map, regulator-ready readout — before keeping it true over time? Compliance & regulatory alignment is the front-loaded version of this work.

/ Start a conversation

Stop finding out about default-on changes from the news.

Continuous Compliance leaves you with a current policy posture, a monthly board-ready summary and an evidence pack that's already up to date when an auditor asks.