Governance · 7 min read

The AI Vendor Evaluation Checklist for UK Regulated Practices


Founder & CEO, Pop Hasta Labs

From my perspective, choosing an AI vendor for a UK regulated practice is the most consequential tooling decision most firms will make this decade, especially because a bad choice locks you into data-handling practices that may later prove non-compliant. Here's the checklist I'd run against any vendor.

Data handling (5 questions)

One, where is client data physically processed? UK-only is the answer you want. The EU is usually acceptable (the UK treats the EEA as adequate). The US under the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs is the uncomfortable answer, because you inherit the transfer risk assessment. Ask whether model inference itself, not just storage, stays in the region you were told.

Two, is client data used to train the AI model? "No" is the only acceptable answer, and it should be in the processor agreement, not just on the marketing page.

Three, is client data used to improve the vendor's own product (fine-tuning, benchmarking, evaluation)? Many vendors exclude only model training in their "no training" answer, so ask about each of these specifically.

Four, is PII redacted before the AI model sees client content? Placeholder tokens (names and identifiers swapped for stand-ins before the prompt leaves your boundary, and restored in the response) are the target. Ask where the mapping between tokens and real values is held, because that mapping is now the sensitive dataset.

Five, is the vector index zero-plaintext, with searchable vectors stored separately from the readable content, so that a compromised index yields embeddings only? One caveat: embeddings are not anonymous, since published inversion attacks recover much of the source text from them, so the index still needs the same access controls as the content it was built from.

Audit + compliance (4 questions)

Six, is every AI interaction logged to a tamper-evident audit chain? Cryptographic chaining, where each record carries a hash of the previous one so that altering or deleting any record breaks every hash after it, is the gold standard. Check that the chain head is anchored somewhere the vendor cannot silently rewrite (signed, or published to you periodically), because a chain on its own only proves consistency back to a head you trust.

Seven, can the audit be filtered by client or matter? This matters especially for ICAEW, SRA and FCA reviews, where reconstruction is by client.
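To make questions six and seven concrete, here is an added example of a hash-chained audit log. It is not Other Me's code; the record fields, client and matter identifiers and timestamps are constructed for the example. It shows the chain detecting an edited or deleted record, and also the case the chain alone does not catch (a rewritten tail), which is why the head hash has to be anchored outside the vendor's control.

```python
import hashlib
import json

# Added example, not Other Me's code: a minimal hash-chained audit log.
# Each entry stores the hash of the previous entry, so editing or deleting
# an earlier record changes the expected hash of every later one.

GENESIS = "0" * 64  # hash "before" the first entry


def canonical(record):
    # Deterministic JSON so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []  # each: {"prev": hash, "record": dict, "hash": hash}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": record_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        # Sign this or hand it to the client periodically: the chain proves
        # consistency only back to a head the verifier already trusts.
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (True, None) if intact, else (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or record_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def by_client(self, client_id):
        # Filtering is on record content; the chain itself stays global.
        return [e["record"] for e in self.entries if e["record"].get("client") == client_id]


# Constructed sample interactions; the field names are this example's own.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "u1", "client": "C-001", "matter": "M-17",
     "action": "prompt", "prompt_sha256": hashlib.sha256(b"draft letter").hexdigest()},
    {"ts": "2024-05-01T09:05:00Z", "user": "u1", "client": "C-001", "matter": "M-17",
     "action": "retrieval", "doc_ids": ["d-4", "d-9"]},
    {"ts": "2024-05-01T10:00:00Z", "user": "u2", "client": "C-002", "matter": "M-03",
     "action": "prompt", "prompt_sha256": hashlib.sha256(b"vat query").hexdigest()},
]


def build_sample_chain():
    chain = AuditChain()
    for r in SAMPLE_RECORDS:
        chain.append(dict(r))  # copy so tampering never touches the sample list
    return chain


def tamper_record(chain, index, field, value):
    # Edit one record in place without touching the stored hashes.
    chain.entries[index]["record"][field] = value
    return chain.verify()


def delete_record(chain, index):
    del chain.entries[index]
    return chain.verify()


def rewrite_tail(chain, index, field, value):
    # An insider who can recompute every later hash defeats the chain alone;
    # only comparison against an externally anchored head exposes this.
    chain.entries[index]["record"][field] = value
    prev = chain.entries[index]["prev"]
    for e in chain.entries[index:]:
        e["prev"] = prev
        e["hash"] = record_hash(prev, e["record"])
        prev = e["hash"]
    return chain.verify()


if __name__ == "__main__":
    c = build_sample_chain()
    anchored = c.head()
    print(c.verify(), len(c.by_client("C-001")))
    print(rewrite_tail(c, 1, "doc_ids", []), c.verify(expected_head=anchored))
```

When you run the vendor's export through a verifier like this, ask for the head hash on a channel the vendor does not control (for example, emailed to you weekly) and pass it as `expected_head`; without that, a full rewrite of the tail verifies cleanly.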

Eight, are Article 15 (subject access) and Article 17 (erasure) technically supported at the individual level, within the statutory timeframe of one month (extendable by up to two further months for complex requests)? Erasure has to reach every copy, including the entries in the vector index, not just the primary record.

Nine, does the vendor provide DPIA support material openly? Architecture diagrams, data-flow documentation, processor agreements.

Staff lifecycle (2 questions)

Ten, what happens when a staff member leaves? Per-user encryption keys with a kill switch, where destroying the key makes the data unrecoverable, is the structural answer. "We can disable their account" is the weak answer, because anyone holding the key, including an admin or a backup, can still read the data.

Eleven, does the leaver's historical prompt data become undecryptable, or is it just access-controlled? The difference is whether the key is destroyed or merely the login revoked.
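The distinction in questions ten and eleven is easiest to see in code. The following is an added example, not Other Me's implementation: a hypothetical prompt store with one data encryption key per user, where offboarding destroys the key and the retained ciphertext becomes unreadable, beside the weak "disable the account" path that leaves the data fully recoverable. The cipher is a standard-library demonstration construction, clearly not production cryptography; a real deployment would use an AEAD such as AES-GCM with keys held in a KMS or HSM.

```python
import hashlib
import hmac
import os

# Added example, not Other Me's code: per-user data encryption keys so that
# offboarding destroys the leaver's key (crypto-shredding) instead of only
# disabling a login. The cipher is a stdlib-only demonstration construction
# (SHA-256 counter-mode keystream plus HMAC-SHA256 tag); use AES-GCM or
# another AEAD from a real library in production.


def _subkey(dek, label):
    # Separate keys for encryption and authentication derived from one DEK.
    return hashlib.sha256(label + dek).digest()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(dek, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyDestroyed(Exception):
    pass


class PromptStore:
    """Hypothetical store: one DEK per user, ciphertext retained for audit."""

    def __init__(self):
        self.deks = {}          # user_id -> DEK; in production this lives in a KMS
        self.disabled = set()   # the weak answer: login disabled, key still present
        self.records = []       # (user_id, ciphertext), kept even after offboarding

    def store(self, user_id, prompt):
        dek = self.deks.setdefault(user_id, os.urandom(32))
        self.records.append((user_id, encrypt(dek, prompt.encode())))

    def read_history(self, user_id):
        dek = self.deks.get(user_id)
        if dek is None:
            raise KeyDestroyed(user_id)
        return [decrypt(dek, blob).decode() for u, blob in self.records if u == user_id]

    def disable_account(self, user_id):
        # Weak answer: the login is gone, but the DEK exists, so anyone who can
        # reach it (an admin, a backup restore) still reads the history.
        self.disabled.add(user_id)
        return self.read_history(user_id)

    def kill_switch(self, user_id):
        # Structural answer: destroy the DEK. The ciphertext blobs stay for
        # retention purposes; returns how many of them are now unreadable.
        self.deks.pop(user_id, None)
        return sum(1 for u, _ in self.records if u == user_id)

    def can_read(self, user_id):
        try:
            self.read_history(user_id)
            return True
        except KeyDestroyed:
            return False


if __name__ == "__main__":
    s = PromptStore()
    s.store("alice", "Draft engagement letter for client C-001")  # constructed sample
    print(s.disable_account("alice"))   # still readable
    print(s.kill_switch("alice"), s.can_read("alice"))  # 1 blob retained, unreadable
```

The vendor question that follows from this is who holds the DEKs and whether key destruction is logged in the same audit chain as everything else; a kill switch that an operator can quietly undo from a key backup is just access control with extra steps.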

Integrations + practical fit (4 questions)

Twelve, does the vendor natively integrate with the tools your practice uses? Xero, Zoho Books, HubSpot, Google Workspace, etc.

Thirteen, is there a per-client or per-matter isolation boundary, not just role-based access but retrieval-layer isolation, so that a query on one matter can never pull a chunk from another matter into the model's context?

Fourteen, is the commercial model sensible for your scale? A flat team price suits small practices better than per-seat with minimum commitments.

Fifteen, can you trial it without procurement? Instant start with no sales call is what mature AI vendors offer now.

How Other Me answers these questions

UK data residency by default. Zero training use. Zero vendor product improvement use. Pre-model PII redaction. Zero-plaintext vector index. Tamper-evident audit chain filterable by client. Article 15 exports in one click. DPIA support material on the Security page. Per-user kill switch. Native integrations with all the UK SME stack tools. Per-client vault isolation. Small Medium Teams plan at £99/month flat.

Beyond that, you can start a free 7-day trial with no credit card, and the trial is the full product, so you can run every checklist question against the live deployment.


Abhishek Sharma

Founder & CEO of Pop Hasta Labs. Building Other Me — the governed AI platform with patent-pending security architecture. Based in London.
