QuickBrief is architected from the ground up for compliance-critical environments. Every design decision prioritises auditability, determinism, and regulatory defensibility.
Our diff engine uses pure cryptographic hash comparison (SHA-256) to detect sanctions changes. AI only summarises what the deterministic engine has already verified. No hallucinations. No guesswork.
All audit events are serialised using RFC 8785 canonical JSON before hashing. This guarantees byte-identical output across TypeScript and Python, ensuring cross-service hash consistency.
Every event includes the previous event hash, creating a tamper-evident chain. Any modification to historical data breaks the chain and is immediately detected by our health monitoring.
Automated chain verification runs every minute, checking the last 100 events for hash consistency. Full chain verification is available on demand. Any integrity failure triggers immediate alerts.
AI-generated briefs are automatically scored for confidence. Low confidence (<85%) briefs are rejected. Medium confidence (85-94%) requires MLRO review. Only high confidence (≥95%) briefs can be auto-approved.
All API requests are authenticated via signed JWTs. Both the web application and API backend independently verify authentication. No implicit trust between services.
Standard JSON serialisation is not deterministic across implementations: key ordering and whitespace can vary between libraries, so the same object can produce different bytes and therefore different hashes. RFC 8785 (the JSON Canonicalization Scheme) defines a canonical form that guarantees identical byte output regardless of programming language or library.
QuickBrief uses RFC 8785 to ensure that SHA-256 hashes computed in TypeScript (web) and Python (API) are byte-identical, maintaining chain integrity across services.
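As an added illustration of the two mechanisms described above (not QuickBrief's own code), the following Python builds a hash chain over audit events using a JCS-style canonical serialisation, then shows what a quick tail check versus a full verification detects. The field names (seq, prev_hash, hash), the all-zero genesis value and the sample events are constructed for the example; the canonicalisation covers sorted keys, minimal whitespace and UTF-8 output but not RFC 8785's ES6 number formatting, so payloads are kept to strings, integers, booleans and null.

```python
import hashlib
import json

# Constructed convention: the first event links to an all-zero hash.
GENESIS = "0" * 64


def canonical_json(obj) -> bytes:
    """JCS-style canonical form: sorted keys, no insignificant whitespace,
    UTF-8 without ASCII escaping. Python's float formatting differs from the
    ES6 rules RFC 8785 mandates, so callers must avoid floats."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def event_hash(event: dict) -> str:
    """SHA-256 over every field except the hash itself (prev_hash included)."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(canonical_json(body)).hexdigest()


def append_event(chain: list, payload: dict) -> dict:
    """Link a new event to the previous one and seal it with its hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "prev_hash": prev, **payload}
    event["hash"] = event_hash(event)
    chain.append(event)
    return event


def verify_chain(chain: list, last_n=None):
    """Return (ok, first_bad_seq). Recomputes each hash in the window and
    checks that prev_hash matches the stored hash of the preceding event."""
    start = 0 if last_n is None else max(0, len(chain) - last_n)
    for i in range(start, len(chain)):
        ev = chain[i]
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS
        if ev["hash"] != event_hash(ev) or ev["prev_hash"] != expected_prev:
            return False, ev["seq"]
    return True, None


def demo():
    """Constructed sample: three events, then an edit to historical data."""
    chain = []
    append_event(chain, {"type": "sanctions_diff", "entity": "Example Ltd", "change": "added"})
    append_event(chain, {"type": "brief", "confidence": 96, "status": "auto_approved"})
    append_event(chain, {"type": "brief", "confidence": 88, "status": "mlro_review"})
    ok_before, _ = verify_chain(chain)
    chain[1]["confidence"] = 99  # tamper with an already-sealed event
    ok_full, bad_seq = verify_chain(chain)
    ok_tail, _ = verify_chain(chain, last_n=1)  # window excludes the edited event
    return ok_before, ok_full, bad_seq, ok_tail
```

Note that the tail check passes after the edit because the window never recomputes the tampered event's hash and the stored hash it links to is unchanged; only the full verification reports seq 1, which is why a periodic quick check needs the on-demand full check alongside it.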
AI is only used in Step 4 to summarise changes that have already been deterministically identified. The AI never decides what changed — it only explains changes the hash-based diff engine found.
Built for FCA-regulated firms and enterprise compliance teams
Deterministic JSON serialisation ensures identical hashes across all services. Keys sorted alphabetically, consistent whitespace handling.
Every audit event is cryptographically linked to its predecessor. 285 events verified and healthy as of Jan 28, 2025.
Critical events can be timestamped by trusted third-party authorities for legal non-repudiation.
Complete history of all sanctions changes, briefs, and user actions. Nothing is ever deleted.
Audit trail export (CSV) with hash-chain integrity for regulator submissions. Brief PDF export from the dashboard.
Programmatic access to chain verification status. Quick-check (last 100 events) and full-verification endpoints are available.
All data encrypted using AES-256 in our PostgreSQL database.
TLS 1.3 for all connections. No plaintext data ever transmitted.
Full compliance with UK data protection regulations. DPA available on request.
We only collect data necessary for sanctions monitoring. No tracking, no selling.
In the unlikely event of a security incident, we commit to:
Our team is happy to discuss security requirements, provide DPAs, or arrange a technical deep-dive.